HMRC are making tax administration an entirely digital system for the majority of individuals and businesses by the end of 2019. This digital system is called Making Tax Digital.

Making Tax Digital is being championed as the future of making the dreaded chore of tax more efficient, effective and easier for those using the digital system.

The information to be held within the Making Tax Digital system (particularly for individual users) is a goldmine of personal data. No doubt those who currently run scams pretending to be HMRC will see this as a prime opportunity to take advantage. As such, there may be a rise in emails and phone calls purporting to be from HMRC, designed to trick you into giving up information that allows hackers to gain access to your account and therefore your personal information.

It is key to remain vigilant regarding your data’s security and treat the Making Tax Digital system as you would an online bank account.

What about data protection?

In order to use Making Tax Digital you must have suitable software in place. This could be your current supplier of accounting software, or a new supplier. You will need to ensure that the software provider you choose is fully compliant with the General Data Protection Regulation and the Data Protection Act 2018 before using their software and sharing information with them.

Although HMRC have a list of software providers, it will be down to each business to complete their due diligence and ensure the service they are engaging with is GDPR compliant. For example, do they have their servers within the European Economic Area (EEA) or are they based in a country outside the EEA?

Legal Agreements to consider

You should have a Data Processing Agreement in place with the software provider. This agreement should preferably be a standalone document; alternatively the software provider may have the terms on which they process data incorporated in their terms and conditions of business.

The Data Processing Agreement should detail how the data is used and processed, including but not limited to:

  • the legal basis for processing data;
  • data retention;
  • data transfers;
  • security measures;
  • data breach and reporting procedure.

What to do if I think my data has been breached?

We have a dedicated data protection team here at Stephens Scown LLP that is happy to advise further on any data protection issues. Please feel free to contact us on or 01392 210700.