{# PostHog web analytics (EU region) — deliberately cookieless: memory-only persistence, no cookies, no cross-visit identity, so no consent banner is needed. Pageviews only (autocapture, session recording and surveys off). Marketing pages only — the client app and HQ are never tracked. Feeds the HQ Analytics panel. Public project token, same precedent as GA in base.html. #}
Free Resource · Accountants & Accountancy Firms

AI Compliance for Accountants
2026 Readiness Checklist

The Data (Use and Access) Act 2026 is in force. GDPR still applies. The EU AI Act high-risk provisions arrive in August 2026. Use this guide to assess your practice, identify which tools expose you, and copy a ready-made policy statement.

In this guide: ✓ 10-point compliance checklist ✓ AI tool risk table (8 tools rated) ✓ Copyable policy statement ✓ Penalty reference

Why this matters now

Most accountancy practices have adopted at least one AI tool — ChatGPT, Copilot, or an AI feature inside their existing software. Under UK GDPR, the Data (Use and Access) Act 2026, and (from August 2026) the EU AI Act's high-risk provisions, using those tools without proper controls is a compliance failure. ICO enforcement action is increasing. The maximum GDPR fine is £17.5 million or 4% of global turnover — whichever is higher.

10-Point Compliance Checklist

Tick each item your practice has addressed. Your progress updates automatically.

Your progress 0 of 10 complete

AI Tool Risk Assessment

Common tools used in accountancy practices — rated by compliance risk under UK GDPR and the Data (Use and Access) Act 2026.

Tool Risk Level Key Concern Minimum Requirement
ChatGPT (free/Plus) HIGH Data sent to US servers; no DPA for free/Plus tier; OpenAI may use inputs for training by default. Never input client PII. Use Enterprise tier only if required, with DPA signed.
Voice-to-text tools (Otter.ai, Whisper) HIGH Audio recordings of client meetings contain highly sensitive data. Most consumer transcription tools have no DPA. Obtain explicit client consent before recording. Only use tools with signed DPAs and EU/UK data residency.
Microsoft Copilot for M365 MEDIUM DPA via M365 agreement — but data residency depends on your tenant configuration. Verify your region settings. Confirm EU/UK data residency in M365 admin. Update your privacy notice to reference Copilot processing.
Xero AI features MEDIUM Xero holds a DPA (GDPR Article 28 compliant), but AI features process financial data in the cloud. Review Xero's current DPA for AI-specific provisions. Confirm your Xero DPA covers AI features. Add Xero to your data processing register.
QuickBooks AI / Intuit Assist MEDIUM Intuit DPA available; US-based processing. Under Schrems II / UK IDTA, international transfer mechanism must be in place. Verify Intuit's UK IDTA or adequacy decision applies. Document the transfer in your data register.
Google Workspace AI (Gemini) MEDIUM DPA via Google Workspace agreement. AI features need to be explicitly configured — review admin settings for data usage options. Disable AI training on your data in admin console. Confirm EU data residency configuration.
IRIS Elements / CCH Central LOWER Purpose-built for UK accountancy, UK-based data centres, existing DPAs. AI features being rolled out — review each release's data handling notes. Review DPA when new AI features are enabled. Keep your data register entry current.
Grammarly LOWER Low risk for general drafting. Risk increases if staff use it to draft client-facing communications containing PII. Staff policy: do not paste client names, financial figures, or reference numbers into Grammarly. Business plan DPA available.

Copyable Policy Statement

Copy this into your employee handbook or client engagement letters. Customise the bracketed fields. This is a starting point — not legal advice.

[Practice Name] AI Use Policy — Effective [Date]

[Practice Name] operates an AI Use Policy in accordance with UK GDPR, the Data (Use and Access) Act 2026, and ICAEW professional obligations.

APPROVED TOOLS: Only the following AI tools may be used in client-related work: [list approved tools]. Use of any other AI tool for client work requires prior written approval from [Practice Manager / Partner].

DATA RESTRICTIONS: No client personal data — including names, addresses, UTRs, National Insurance numbers, financial records, or correspondence — may be entered into a third-party AI tool that does not have a signed Data Processing Agreement with this practice.

DISCLOSURE: Where AI tools have materially assisted in preparing advice, reports, or correspondence for a client, this will be disclosed in writing to that client.

VALIDATION: All AI-generated output must be reviewed and approved by a qualified [accountant / ACA / ACCA] before it is shared with a client, submitted to HMRC, or filed with any regulatory body.

BREACH: Any suspected breach of this policy, including accidental input of client PII into an unapproved tool, must be reported to [DPO / Practice Manager] within 24 hours.

Policy reviewed: [Date] | Next review: [Date + 12 months]

Penalty Reference

UK GDPR / Data Act 2026

£17.5m

Or 4% of global annual turnover — whichever is higher. ICO enforcement is increasing year-on-year.

EU AI Act (High Risk — Aug 2026)

€30m

Or 6% of worldwide annual turnover. Applies to AI systems serving EU clients, regardless of where your firm is based.

ICAEW / Professional Standards

Suspension

Regulatory sanctions including practice certificate suspension can follow a material breach of professional obligations related to AI use.

Not sure where your practice stands?

Get a free AI compliance assessment. We'll review your tool stack, identify your highest-risk exposures, and tell you exactly what to fix — at no cost.

No spam. We'll contact you once. Unsubscribe any time.

Call Now Claim Your Free Audit