At a glance
- Hoarding client data increases cyber-attack risks and can violate legal requirements.
- Large data sets are bigger targets, leading to costly breaches and regulatory fines.
- Develop a robust data retention and destruction policy to reduce risk and ensure compliance.
Accountants have always been custodians of large volumes of highly sensitive client data, from tax details to financial histories. In the digital age, the amount of data they manage and hold has grown even faster.
Record-keeping is a core compliance function. But hoarding this data indefinitely is a significant and often overlooked risk, increasing exposure in case of a cyber-attack and potentially violating legal requirements.
What needs to be kept, and when should accountants throw it all away?
More data increases cyber threat
Cyber theft is a growing problem. The UK finance sector reported more than 2000 General Data Protection Regulation (GDPR) breaches to the ICO between 2023 and the first quarter of 2025, and IBM reports that the finance industry saw average breach costs of more than £6.05 million in 2024.
These breach costs are not just expensive; they also have a major impact on a business’s reputation.

Holding large client data sets creates a bigger security breach target, which can result in regulatory breaches, says Jonathan Day, a partner at accountancy firm Streets. “Legacy systems and outdated formats add further complications,” he says.
George Tziahanas, Archive360’s vice-president of compliance, adds that data that should have been deleted can be compromised in a breach. Historically the Financial Conduct Authority (FCA) has fined firms after such breaches revealed failure to ensure that data records were deleted. Equifax, for example, was fined more than £11 million after a breach exposed retained customer records.
Firms can be held back by technical debt
Beyond compliance, says Tziahanas, accountants face the risk of technical debt – or of taking shortcuts with technology adoption now that create problems in the future.
Keeping old data often means maintaining costly legacy systems longer than necessary.

Day notes, however, that deleting information too soon can create problems of its own. Legal and professional issues can follow if a query, claim or tax investigation arises and the supporting evidence is no longer available.
Accountants must walk a careful line, keeping hold of pertinent data, whilst disposing of everything unnecessary. To keep on top of all this, they will often need a data retention and destruction policy.
Compliance expectations are widespread
No single statutory rule covers all of an accounting firm’s records, but several regulatory and legal frameworks apply. The FCA, for example, requires firms to keep suitability assessments for the client relationship and anti-money laundering (AML) records for at least five years. After that it demands they be disposed of securely.
The UK’s most comprehensive regulation is the EU-created General Data Protection Regulation, or GDPR. That requires that personal data be stored securely, kept only as long as necessary, and limited to what is needed for its intended purpose.
Beyond client information, accountants must retain records for legal, tax and business reasons. Companies Act requirements and HMRC both typically require accounting and tax records to be held for at least six years after the end of the relevant period.
Payroll records, contracts and statutory registers often need similar or longer retention as well, and professional bodies and insurers may also impose minimum periods for engagement files.
Put in place a robust policy
Developing a data retention and destruction policy that outlines how a firm manages data throughout its lifecycle can reduce client risk, ensure compliance and help accountants maintain a more secure and efficient practice.
When it comes to the risk they hold, not all records are equal. Some contain sensitive information or have higher privacy and security implications, and need to be treated accordingly when planning a policy.
For Tziahanas, the key is to keep it simple: “The more complicated your data retention rules are, the harder they are to follow and enforce.”
Dispose of data securely
A structured approach helps firms meet legal duties, minimise risk and maintain trust with clients. Day lays out five key steps to take when developing a sound policy:
- Identify all record types and map the relevant legal requirements.
- Define clear retention periods and the point at which they begin.
- Set out secure destruction procedures for both digital and paper records.
- Ensure compliance with GDPR through robust procedures, documented schedules, regular review and proper access controls.
- Include staff training, oversight roles and a process for exceptions such as litigation holds.
If large-scale deletion is new for an organisation, it’s worth starting small with discrete data sets to confirm everything works as intended.
Tziahanas adds that businesses can choose between an affirmative deletion process, where someone actively pushes a button, or automated deletion once retention expires. “Here, there’s no right or wrong answer,” he says. The approach depends on the data type, risk profile, and governance practices.
From there, someone needs to be clearly responsible for managing how data is deleted, while legal safeguards must be in place to keep any information that’s needed for lawsuits or regulatory checks.
Tziahanas recommends keeping a record of the criteria and policies used, along with what was deleted and why. “Some organisations use a manifest or certificate of destruction to capture this metadata,” he says.
Finally, it’s essential to ensure that data is fully deleted from all locations, including search indexes, databases, and any AI systems that process it, especially in regulated industries.
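A minimal retention engine, added here as an illustration and not code from the article or from any firm quoted in it: it applies the policy steps above (record categories with their retention periods and start dates, automated deletion once a period expires, a litigation-hold exception, purging from every location) and records a manifest whose digest can stand in for a certificate of destruction. The category names, the six-year and five-year mapping, the `purge` hook and the sample records are assumptions made for the demo.

```python
from dataclasses import dataclass
from datetime import date
import hashlib, json
# Constructed schedule from the periods the article cites: accounting/tax 6 years, AML 5.
RETENTION_YEARS = {"accounting": 6, "aml": 5}

@dataclass
class Record:
    record_id: str
    category: str
    period_end: date          # point at which the retention clock starts
    locations: tuple          # every store holding a copy, e.g. ("db", "search-index")
    legal_hold: bool = False  # litigation-hold exception overrides expiry

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:        # 29 Feb with a non-leap target year
        return d.replace(year=d.year + years, day=28)

def expiry_date(rec: Record) -> date:
    return add_years(rec.period_end, RETENTION_YEARS[rec.category])

def due_for_destruction(rec: Record, today: date) -> bool:
    return not rec.legal_hold and today >= expiry_date(rec)  # automated deletion rule

def run_retention(records, today: date, purge) -> list:
    """Purge every copy of each expired record; purge(loc, id) is the caller's hook."""
    manifest = []
    for rec in records:
        if not due_for_destruction(rec, today):
            continue
        for loc in rec.locations:  # every location, search indexes included
            purge(loc, rec.record_id)
        manifest.append({
            "record_id": rec.record_id, "category": rec.category,
            "period_end": rec.period_end.isoformat(),
            "expired_on": expiry_date(rec).isoformat(),
            "destroyed_on": today.isoformat(),
            "locations_purged": list(rec.locations),
            "reason": "retention period expired; no legal hold"})
    return manifest

def certificate_of_destruction(manifest) -> str:
    canonical = json.dumps(manifest, sort_keys=True).encode()  # stable digest input
    return hashlib.sha256(canonical).hexdigest()

def sample_records():  # constructed records with period ends chosen for the demo
    return [Record("ACC-2018", "accounting", date(2018, 3, 31), ("db", "search-index")),
            Record("AML-2021", "aml", date(2021, 6, 30), ("db",)),
            Record("ACC-2017", "accounting", date(2017, 12, 31), ("db",), legal_hold=True)]
```

Running `run_retention(sample_records(), date(2025, 1, 15), purge)` destroys only the 2018 accounting record: the AML record has not expired and the 2017 record is held back by its legal hold.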