Industry Guide

PDPA Compliance for Accounting Firms

Accounting and bookkeeping firms act as data intermediaries, accessing sensitive financial records, payroll data, and NRIC numbers belonging to their clients' employees and customers. This dual role (serving client businesses while handling personal data belonging to those clients' employees and customers) creates PDPA obligations that many firms overlook.

Common PDPA Risks for Accounting Firms

Accounting firms hold concentrated access to highly sensitive financial and personal data from multiple businesses simultaneously.

Access to Client Financial Records

Handling detailed financial records, bank statements, and transaction histories belonging to clients and their customers — often without clear data processing boundaries.

Data Intermediary for Multiple Businesses

Acting as a data intermediary processing personal data on behalf of multiple client businesses, creating complex obligation chains and increased breach surface.

Staff Accessing Multiple Client Databases

Accounting staff routinely accessing multiple client systems and databases without proper access controls or segregation between client data.

Tax Filings Containing NRIC Numbers

Processing and storing tax filings, CPF submissions, and IR8A forms containing employee NRIC numbers — often retained far longer than necessary.

Sharing Data with IRAS/Authorities

Submitting personal data to IRAS, CPF Board, and other authorities on behalf of clients without clearly documented consent or authority to do so.

No Retention Policy for Historical Records

Retaining years of client NRIC copies, payroll records, and financial data without defined retention limits or regular purging schedules.

Key PDPC Requirements for Accounting Firms

As data intermediaries, accounting firms have specific obligations both to their own clients and to the individuals whose data they process.

Data Intermediary Obligations

As a data intermediary processing personal data on behalf of clients, accounting firms must act only on client instructions, implement adequate security, and not retain data beyond what is needed for the engagement.

Retention Policies for Tax Records

While IRAS requires certain records to be kept for 5 years, this does not justify retaining all personal data indefinitely. Establish clear policies distinguishing regulatory retention from business convenience.

Access Controls Across Client Files

Implement role-based access controls ensuring staff can only access client data relevant to their assignments. Prevent junior staff from browsing multiple client databases freely.

Consent for Processing on Behalf of Clients

Ensure proper authorisation chains — your client must have obtained consent from their employees/customers before sharing their data with you for processing. Document this authority clearly.

How Our Personal Data Compliance System Helps Accounting Firms

Compliance tools designed for firms that manage personal data on behalf of multiple business clients.

Data Intermediary Gap Analysis

A guided assessment covering your obligations as a data intermediary, client data segregation, access controls, retention policies, and authority documentation.

Staff Training for Accounting Teams

Training modules covering NRIC handling protocols, client data segregation, proper disposal of financial records, and responding to data access requests.

Retention Schedule Management

Automated tracking of retention periods across multiple clients, with alerts when IRAS mandatory periods expire and data should be reviewed for deletion.

Client Access Control Framework

Tools to document and manage which staff members can access which client data, implement segregation policies, and maintain audit trails of data access.

Real Enforcement Case

Industry Risk

Accounting Firms & NRIC Data Retention

Multiple accounting firms have been found holding years of client NRIC copies and financial data without proper retention policies. The PDPC advisory guidelines on NRIC collection make clear that full NRIC numbers should not be collected or retained unless there is a clear legal requirement.

Globally, breaches at professional services firms (including the Deloitte email system breach) have demonstrated that accounting firms are high-value targets due to the concentrated financial data they hold. A single breach can expose sensitive data belonging to hundreds of client businesses and thousands of individuals simultaneously.

Key Lesson: Accounting firms must implement strict data minimisation — collect only what's needed, retain only what's required by regulation, and ensure robust access controls across all client data. The concentration of sensitive data makes you a high-value target.

Protect Your Clients' Data Today

As a data intermediary, your compliance obligations extend to every client you serve. Get a clear picture of your PDPA readiness in under 10 minutes.