logo

GDPR & UK Data Protection

Last updated: April 2026

WpAccPac is designed to support UK accounting firms in meeting their data protection obligations. This page explains how the service aligns with the UK GDPR framework, as updated by the Data Use and Access Act 2025 (DUAA).

1. Legal framework

Data protection in the UK is governed by the UK GDPR, as amended by the Data Use and Access Act 2025. WpAccPac operates in line with core data protection principles including lawfulness, fairness, transparency, data minimisation, purpose limitation, and security.

2. Roles and responsibilities

In most use cases, WpAccPac acts as a data processor, providing software that allows accounting firms to store and manage working papers, schedules, and related documentation.

Accounting firms using WpAccPac are typically the data controllers in respect of their client data, as they determine what data is entered, uploaded, and how it is used.

Firms remain responsible for ensuring that any personal data entered, uploaded, or linked within WpAccPac is processed lawfully and in accordance with applicable data protection requirements.

3. Beta and early access

WpAccPac may be made available in beta or early access form while features are being refined.

During initial evaluation, firms may choose to use test or sample data. If real client personal data is entered, firms remain responsible for ensuring that such use is appropriate and compliant with their own data protection obligations.

WpAccPac provides role-based access controls and logical separation of organisation data. Firms should assess whether the platform is suitable for their intended use before uploading sensitive information.

4. Data processing

WpAccPac processes personal data only as required to deliver and support the service.

For full details of the categories of data processed, how data is used, lawful bases, retention, and user rights, please see our Privacy Policy.

5. Data subject rights

Requests relating to client data should normally be handled by the accounting firm acting as data controller.

WpAccPac will support firms in responding to valid requests where required, to the extent applicable to our role as processor.

6. International transfers

WpAccPac may use managed infrastructure, storage, and delivery providers to operate the service. Where data is processed outside the UK, appropriate safeguards are applied where required to support compliance with UK data protection law.

7. ICO registration

Once the business is formally registered, WpAccPac will be registered with the Information Commissioner's Office (ICO) where required.

8. Further information

For more detail on how personal data is handled, please see our Privacy Policy and Security & Data Ownership pages.

9. Contact

For GDPR or data protection queries, contact us at admin@wpaccpac.org.