Compliance
GDPR, Client Data, and the Accounting Firm Compliance Gap in Europe
Evoke LedgerBridge Editorial | 4/9/2026 | 7 min read
Every accounting firm in the European Union processes personal data — tax returns, payroll records, financial statements, identity documents — as a core part of its business. Every such firm is therefore a data controller under Regulation (EU) 2016/679, the General Data Protection Regulation, which has been enforceable since 25 May 2018. This is not a new obligation. What is changing in 2026 is the enforcement environment: the European Data Protection Board's coordinated enforcement actions, record fines from national supervisory authorities, and the broadening of what constitutes a reportable breach are all moving in one direction. If your firm is still managing client financial data primarily through email, WhatsApp, and uncontrolled shared drives, the gap between your current practice and your legal obligations is wider than it was two years ago.
What GDPR Actually Requires of Accounting Firms
Article 5 of the GDPR sets out six principles that apply to every aspect of how an accounting firm handles client data, plus an accountability obligation: the firm must be able to demonstrate that it complies with them, not merely assert it.
Lawfulness, fairness, and transparency. Your clients must understand what data you collect, why, and how you use it. For accounting firms, this requires a clear, accessible privacy notice and a documented lawful basis under Article 6 for each category of processing. For most accounting work that basis is performance of the client contract or compliance with a legal obligation (tax and anti-money-laundering law), not consent; relying on consent for data you are legally required to hold is fragile, because consent can be withdrawn at any time.
Purpose limitation. Data collected for one purpose — preparing a tax return — cannot be used for another purpose — marketing a different service — without a separate lawful basis. This is frequently overlooked in firms that hold comprehensive client data and use it opportunistically.
Data minimisation. You should only hold data that is necessary for the purpose. Firms that routinely collect identity documents beyond their AML/KYC purpose, or retain client financial data indefinitely beyond the retention period, are failing this principle.
Accuracy. Personal data must be kept accurate and up to date. For accounting firms, this means having a process to update client records when circumstances change, not just when a new engagement begins.
Storage limitation. Data should not be held longer than necessary. For accounting records, EU member state tax laws typically require retention for five to ten years depending on the jurisdiction, and anti-money-laundering rules add their own clock, running from the end of the business relationship rather than from the date a document was received. Having a defined, enforced retention schedule, with the start of the clock and the period recorded for each data category, and actually deleting or anonymising data at the end of the retention period, is a legal requirement, not optional best practice.
Integrity and confidentiality. Data must be protected against unauthorised access, loss, or destruction through appropriate technical and organisational measures. This is the principle most visibly violated by firms using personal email and WhatsApp for client data exchange.
The Specific Compliance Gaps Most European Accounting Firms Have
Based on how accounting firms typically operate, three compliance gaps are most common and most consequential.
Uncontrolled data channels. Email sent from a personal account, WhatsApp messages containing client financial details, documents shared via a personal Dropbox link — these are data flows that occur outside the firm's control environment. They cannot be audited, they cannot be subject to consistent retention policies, and they cannot be retrieved if a Subject Access Request requires the firm to identify all data held about a client. The requirement under GDPR Article 30 to maintain records of processing activities cannot be met for data that exists in uncontrolled channels.
No meaningful retention enforcement. Most accounting firms have a retention policy document. Fewer apply it. Client data from engagements that ended five years ago continues to exist in email archives and shared drives because no one has applied the retention schedule. GDPR requires not just that you have a retention policy, but that you enforce it.
Inadequate access controls. Under GDPR's integrity and confidentiality principle, access to personal data should be limited to staff members with a legitimate reason to access it. In many accounting firms, every staff member can access every client file, every inbox is shared, and there is no log of who has accessed what. This is not an appropriate technical and organisational measure for a firm that handles sensitive personal financial data.
A Framework for Getting This Right
Conduct a data mapping exercise. Map every category of personal data your firm processes: client identity data, financial data, employee data. For each category, identify: where it is stored, how it entered the firm, who has access to it, what the retention period is, and what the process is for deletion at the end of that period. This exercise typically takes a half-day for a firm that is organised and an uncomfortable week for a firm that is not.
Implement a controlled data channel policy. Define a policy that prohibits client data exchange through personal email accounts and consumer messaging apps, and implement a firm-controlled alternative. Communicate this policy to clients as a data protection measure that protects their information. Most clients will welcome it.
Build a retention schedule and apply it mechanically. Define the retention period for each category of client data, based on the applicable national tax law minimum retention requirement and any professional standards requirements. Implement a process — even a manual annual review — that identifies and removes data that has passed its retention period.
Apply role-based access controls to client data. Each client file should be accessible only to the staff members working on that engagement. This is not a complex IT project — it is a configuration decision that most document management and practice management platforms support out of the box.
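The retention step above is the one most firms get wrong because it is never mechanised. The following is an added example, not code from Evoke LedgerBridge or any other product, of what a mechanical annual retention sweep over a data-mapping inventory looks like. The retention periods, the end-of-life action per category, the set of controlled channels and the sample inventory are all assumptions constructed for illustration; take the real figures from the national tax and AML rules of each jurisdiction you serve. The sweep fails closed (a record with no configured rule is reported for review rather than expired), handles a 29 February engagement end date, and separately lists copies living in channels the firm cannot sweep at all.

```python
from dataclasses import dataclass
from datetime import date

# Assumed minimum retention periods in years, keyed by (jurisdiction, data
# category). Placeholder values for illustration only, not legal advice.
RETENTION_YEARS = {
    ("DE", "accounting_record"): 10,
    ("DE", "identity_document"): 5,
    ("NL", "accounting_record"): 7,
    ("NL", "identity_document"): 5,
}

# Assumed end-of-life action per category: identity documents are deleted,
# accounting records are anonymised so aggregate figures survive.
END_OF_LIFE_ACTION = {
    "identity_document": "delete",
    "accounting_record": "anonymise",
}

# Channels the firm administers; anything else cannot be swept mechanically.
CONTROLLED_CHANNELS = {"portal", "dms"}


@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    category: str
    jurisdiction: str
    engagement_end: date  # the retention clock starts when the engagement ends
    channel: str          # where this copy lives, e.g. "portal", "email"


def add_years(d, years):
    """Add whole years; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record):
    """Last day the record must be kept, or None if no rule is configured."""
    years = RETENTION_YEARS.get((record.jurisdiction, record.category))
    if years is None:
        return None
    return add_years(record.engagement_end, years)


def sweep(records, today):
    """Classify every record for the annual retention review.

    Returns a dict of lists:
      expired      -> (record_id, action) pairs past their retention end
      retained     -> records still inside the statutory period
      unclassified -> no retention rule configured; never expire these silently
      uncontrolled -> copies in channels the firm cannot sweep (email, chat)
    """
    report = {"expired": [], "retained": [], "unclassified": [], "uncontrolled": []}
    for r in records:
        if r.channel not in CONTROLLED_CHANNELS:
            report["uncontrolled"].append(r.record_id)
            continue
        end = retention_end(r)
        if end is None:
            report["unclassified"].append(r.record_id)
        elif today > end:
            report["expired"].append((r.record_id, END_OF_LIFE_ACTION[r.category]))
        else:
            report["retained"].append(r.record_id)
    return report


# Constructed sample inventory, shaped like the output of a data mapping exercise.
SAMPLE_RECORDS = [
    Record("doc-001", "client-A", "identity_document", "DE", date(2019, 3, 31), "portal"),
    Record("doc-002", "client-A", "accounting_record", "DE", date(2019, 3, 31), "portal"),
    Record("doc-003", "client-B", "identity_document", "NL", date(2020, 2, 29), "dms"),
    Record("doc-004", "client-B", "accounting_record", "NL", date(2016, 12, 31), "dms"),
    Record("doc-005", "client-C", "accounting_record", "FR", date(2018, 6, 30), "portal"),
    Record("doc-006", "client-A", "accounting_record", "DE", date(2019, 3, 31), "email"),
]


def sample_report():
    """Run the sweep over the constructed inventory as of 9 April 2026."""
    return sweep(SAMPLE_RECORDS, date(2026, 4, 9))


if __name__ == "__main__":
    for bucket, items in sample_report().items():
        print(f"{bucket}: {items}")
```

The "uncontrolled" bucket is the point of the exercise: a retention schedule can only be enforced over copies the firm can reach, so every record the sweep lands there is also a gap under the controlled-channel policy. Keep the report itself as evidence; the accountability principle means being able to show that the review ran and what it found.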
What This Looks Like Inside a Purpose-Built Platform
Evoke LedgerBridge handles all client data exchange through a controlled, access-managed portal. Every document uploaded by a client, every message sent, and every approval given is captured in a structured record with a timestamp, linked to the engagement it relates to, and accessible only to the staff members assigned to that client. Retention controls are configurable. The full engagement record is exportable, supporting the firm's ability to respond to Subject Access Requests.
The platform does not use client data for purposes beyond operating the firm's workflow. It does not sell data, and it does not use client financial information to train AI models. This is a purpose limitation commitment: data a client supplies for an engagement is processed only for that engagement, which is what GDPR's purpose limitation principle requires of the firm as controller.
Common Mistakes European Firms Make When Addressing This
The first mistake is treating GDPR compliance as a legal department problem. For most accounting firms, there is no legal department — there is a partner who signed the privacy policy and a staff member who received a GDPR briefing three years ago. GDPR compliance in an accounting firm is an operational discipline, not a legal document exercise.
The second mistake is assuming that cloud platform certification (ISO 27001, SOC 2) means the firm's data handling is compliant. Those certifications attest to the provider's own controls over its infrastructure. They do not cover how the firm configures access controls, how it manages retention, or what it does with data in channels the cloud provider does not control. The firm remains the controller, and a supervisory authority will ask the firm, not the provider, to demonstrate those measures.
The third mistake is not communicating data protection as a client benefit. Firms that tell their clients they have moved to a controlled, encrypted portal because it protects their personal financial data are positioning a compliance necessity as a service quality improvement. That is the right framing — clients whose data is better protected are better served.
If your firm is ready to close the GDPR compliance gap in your client data workflow, Evoke LedgerBridge was built for exactly this.
Book a demo or chat on WhatsApp to see how it fits your delivery model.
