AI Compliance for Accountants
2026 Readiness Checklist
The Data (Use and Access) Act 2026 is in force. GDPR still applies. The EU AI Act high-risk provisions arrive in August 2026. Use this guide to assess your practice, identify which tools expose you, and copy a ready-made policy statement.
Why this matters now
Most accountancy practices have adopted at least one AI tool — ChatGPT, Copilot, or an AI feature inside their existing software. Under UK GDPR, the Data (Use and Access) Act 2026, and (from August 2026) the EU AI Act's high-risk provisions, using those tools without proper controls is a compliance failure. ICO enforcement action is increasing. The maximum GDPR fine is £17.5 million or 4% of global turnover — whichever is higher.
10-Point Compliance Checklist
Tick each item your practice has addressed. Your progress updates automatically.
AI Tool Risk Assessment
Common tools used in accountancy practices — rated by compliance risk under UK GDPR and the Data (Use and Access) Act 2026.
| Tool | Risk Level | Key Concern | Minimum Requirement |
|---|---|---|---|
| ChatGPT (free/Plus) | HIGH | Data sent to US servers; no DPA for free/Plus tier; OpenAI may use inputs for training by default. | Never input client PII. Use Enterprise tier only if required, with DPA signed. |
| Voice-to-text tools (Otter.ai, Whisper) | HIGH | Audio recordings of client meetings contain highly sensitive data. Most consumer transcription tools have no DPA. | Obtain explicit client consent before recording. Only use tools with signed DPAs and EU/UK data residency. |
| Microsoft Copilot for M365 | MEDIUM | DPA via M365 agreement — but data residency depends on your tenant configuration. Verify your region settings. | Confirm EU/UK data residency in M365 admin. Update your privacy notice to reference Copilot processing. |
| Xero AI features | MEDIUM | Xero holds a DPA (GDPR Article 28 compliant), but AI features process financial data in the cloud. Review Xero's current DPA for AI-specific provisions. | Confirm your Xero DPA covers AI features. Add Xero to your data processing register. |
| QuickBooks AI / Intuit Assist | MEDIUM | Intuit DPA available; US-based processing. Under Schrems II / UK IDTA, international transfer mechanism must be in place. | Verify Intuit's UK IDTA or adequacy decision applies. Document the transfer in your data register. |
| Google Workspace AI (Gemini) | MEDIUM | DPA via Google Workspace agreement. AI features need to be explicitly configured — review admin settings for data usage options. | Disable AI training on your data in admin console. Confirm EU data residency configuration. |
| IRIS Elements / CCH Central | LOWER | Purpose-built for UK accountancy, UK-based data centres, existing DPAs. AI features being rolled out — review each release's data handling notes. | Review DPA when new AI features are enabled. Keep your data register entry current. |
| Grammarly | LOWER | Low risk for general drafting. Risk increases if staff use it to draft client-facing communications containing PII. | Staff policy: do not paste client names, financial figures, or reference numbers into Grammarly. Business plan DPA available. |
Copyable Policy Statement
Copy this into your employee handbook or client engagement letters. Customise the bracketed fields. This is a starting point — not legal advice.
[Practice Name] AI Use Policy — Effective [Date] [Practice Name] operates an AI Use Policy in accordance with UK GDPR, the Data (Use and Access) Act 2026, and ICAEW professional obligations. APPROVED TOOLS: Only the following AI tools may be used in client-related work: [list approved tools]. Use of any other AI tool for client work requires prior written approval from [Practice Manager / Partner]. DATA RESTRICTIONS: No client personal data — including names, addresses, UTRs, National Insurance numbers, financial records, or correspondence — may be entered into a third-party AI tool that does not have a signed Data Processing Agreement with this practice. DISCLOSURE: Where AI tools have materially assisted in preparing advice, reports, or correspondence for a client, this will be disclosed in writing to that client. VALIDATION: All AI-generated output must be reviewed and approved by a qualified [accountant / ACA / ACCA] before it is shared with a client, submitted to HMRC, or filed with any regulatory body. BREACH: Any suspected breach of this policy, including accidental input of client PII into an unapproved tool, must be reported to [DPO / Practice Manager] within 24 hours. Policy reviewed: [Date] | Next review: [Date + 12 months]
Penalty Reference
UK GDPR / Data Act 2026
£17.5m
Or 4% of global annual turnover — whichever is higher. ICO enforcement is increasing year-on-year.
EU AI Act (High Risk — Aug 2026)
€30m
Or 6% of worldwide annual turnover. Applies to AI systems serving EU clients, regardless of where your firm is based.
ICAEW / Professional Standards
Suspension
Regulatory sanctions including practice certificate suspension can follow a material breach of professional obligations related to AI use.
Not sure where your practice stands?
Get a free AI compliance assessment. We'll review your tool stack, identify your highest-risk exposures, and tell you exactly what to fix — at no cost.
No spam. We'll contact you once. Unsubscribe any time.