Making Tax Digital data privacy: your 2026 compliance guide

Making Tax Digital data privacy is defined as the set of legal and operational obligations UK businesses and tax professionals must meet to protect personal data when using digital tax reporting systems under HMRC’s MTD programme. These obligations sit squarely within the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. From april 2026, sole traders and landlords with income above £50,000 must keep digital records and submit quarterly updates via HMRC-compatible software. That shift moves vast amounts of sensitive personal data through cloud platforms, third-party integrations, and automated workflows. Getting the privacy side wrong is not a minor oversight. It is a legal liability.
What is Making Tax Digital data privacy and why does it matter?
Making Tax Digital data privacy covers every point at which personal data is collected, processed, stored, or shared as part of digital tax compliance. Under UK GDPR, personal data includes names, National Insurance numbers, income figures, bank account details, and any information that identifies a living individual. Tax professionals and businesses are not simply users of MTD software. They are data controllers, and that status carries direct accountability under law.
The Data Protection Act 2018 supplements UK GDPR and applies specifically to the UK post-Brexit framework. Together, these two instruments require that data is processed lawfully, fairly, and transparently. They also require that data is kept accurate, stored securely, and not retained longer than necessary. Every MTD workflow must be assessed against these principles before it goes live.

The distinction between data controller and data processor is critical here. Your business or practice is the data controller. Your accounting software provider, such as Xero, QuickBooks, or Sage, is the data processor. The processor acts on your instructions. The controller carries the legal responsibility. Using HMRC-approved software does not transfer your privacy obligations to the software vendor.
What are the key UK data protection obligations for MTD compliance?
UK GDPR sets out six core principles that apply directly to MTD data handling. Each one has a practical implication for how you run your digital tax workflows.
- Lawfulness, fairness, and transparency. You must identify a lawful basis for processing client or employee data in MTD submissions. For most tax practices, this will be contract performance or legal obligation. Document your chosen basis before processing begins.
- Purpose limitation. Data collected for MTD submissions must not be repurposed for marketing, profiling, or any other use without a separate lawful basis.
- Data minimisation. Submit only the data HMRC actually requires. Responding to HMRC requests by uploading entire document folders rather than targeted records violates this principle and increases your liability.
- Accuracy. Digital records must be kept up to date. Errors in MTD submissions can trigger investigations that expose more personal data than necessary.
- Storage limitation. HMRC requires records to be kept for at least five years after the relevant tax year. Retaining data beyond statutory periods without justification breaches UK GDPR.
- Integrity and confidentiality. You must apply technical and organisational measures to protect data against unauthorised access, loss, or destruction.
Accountants must conduct lawful basis assessments for each third-party integration in their MTD workflow. This is not a one-off exercise. It must be reviewed whenever a new tool is added or an existing one is updated.
Pro Tip: Document your lawful basis for every data processing activity in a Record of Processing Activities (ROPA). The Information Commissioner’s Office (ICO) can request this at any time, and having it ready demonstrates accountability.
How to secure tax data in Making Tax Digital workflows

Securing tax data across MTD workflows requires more than choosing a reputable accounting platform. The real risk sits in the connections between systems.
Managing third-party integrations safely
MTD workflows typically involve multiple connected tools: cloud accounting software, payroll applications, receipt capture apps, and bank feeds. Each connection is a potential breach point. Third-party integrations are common breach points in MTD environments, and every one of them requires a documented Data Processing Agreement (DPA). A DPA sets out what data the processor handles, how it is protected, and what happens in the event of a breach. Without one, you have no contractual protection and no audit trail.
Understanding the importance of DPAs between firms and third-party apps is a foundational step in building a compliant MTD workflow.
Technical safeguards every practice needs
The following controls form the baseline for secure MTD data handling:
- Role-based access controls. Restrict access to client data based on job function. A junior bookkeeper does not need access to all client records.
- Multi-factor authentication (MFA). Apply MFA to all platforms that handle MTD data, including accounting software, email, and cloud storage.
- Encryption. Encrypt data both in transit and at rest. Most reputable cloud accounting platforms do this by default, but verify it in the DPA.
- Secure backups. Maintain encrypted backups stored separately from your primary system. Test restoration procedures at least annually.
- Data flow mapping. Mapping client data flows identifies every point where data enters, is processed, and is stored, including often-overlooked browser caches and local device storage.
- Shadow IT controls. Unsanctioned third-party apps bypass audit controls and expose client data. Maintain an approved software register and enforce it.
| Control | Purpose | Risk if absent |
|---|---|---|
| Role-based access | Limits data exposure by job function | Overexposure of client records |
| MFA | Prevents unauthorised account access | Account takeover and data breach |
| DPA with processors | Defines processor obligations contractually | No legal recourse after a breach |
| Data flow mapping | Reveals hidden data leakage points | Undetected breaches via cache or device storage |
| Shadow IT policy | Keeps all tools within audit scope | Unsecured data and compliance gaps |
Pro Tip: Run a data flow mapping exercise before your MTD go-live date. Map every system that touches client data, including tools your team uses informally. You will almost certainly find at least one unsanctioned app.
Common data privacy pitfalls under Making Tax Digital
The most damaging mistakes in MTD data privacy tend to stem from misunderstanding who is responsible for what.
The single most widespread misconception is that HMRC approval of a software product removes the business’s privacy obligations. It does not. The business remains the data controller regardless of which platform it uses. The software vendor is a processor acting on your instructions. Due diligence on that vendor is your responsibility.
Other common pitfalls include:
- Data dumping. Submitting full client folders to HMRC rather than targeted records violates the data minimisation principle. Tax authorities must only request data strictly necessary for tax proceedings. The same logic applies to what you submit.
- Failing to secure client consent for third-party sharing. If your MTD workflow shares client data with a payroll provider or receipt capture tool, clients must be informed. Your privacy notice must reflect this.
- Overexposure of employee and contractor data. MTD submissions can include payroll data covering employees and contractors. These individuals are data subjects with rights under UK GDPR.
- No records of processing. Failing to maintain a ROPA leaves you unable to demonstrate compliance to the ICO.
- Inadequate incident response. A data breach involving MTD data must be reported to the ICO within 72 hours if it poses a risk to individuals. Many practices have no plan for this.
“Tax transparency driven by automated data exchange clashes with GDPR principles requiring proportionality and necessity. Tax professionals bear the burden to prove data collection is limited and proportionate.” — Regulatory Encyclopedia, Privacy in tax context
How can tax professionals implement best practices for MTD data stewardship?
Strong MTD data stewardship is built on process, not just technology. The following framework gives tax professionals a structured approach.
- Update your privacy notices. Your client-facing privacy notice must explain that you use MTD-compatible software, name the processors involved, and describe how data is shared with HMRC. Review it before april 2026.
- Conduct and document lawful basis assessments. For each data processing activity in your MTD workflow, record the lawful basis, the categories of data involved, and the retention period. Store this in your ROPA.
- Adopt a connected compliance model. Cloud computing enables connected tax compliance technology ecosystems that improve audit trails and reduce human error. Integrated platforms reduce the number of data transfer points and therefore the number of breach opportunities.
- Train your team. Staff who handle MTD data must understand their responsibilities under UK GDPR. Annual training is the minimum. Quarterly briefings on new threats are better.
- Establish a data retention and deletion policy. Define how long each category of MTD data is kept and how it is securely deleted at the end of the retention period.
- Build an incident response plan. Assign a named individual to manage data breaches. Document the 72-hour reporting process. Test it with a simulated incident at least once a year.
- Use technology that supports audit trails. Secure document processing practices, including tools that generate a verifiable record of every document interaction, reduce your exposure and demonstrate accountability.
Pro Tip: Treat your MTD data privacy review as a live document, not a one-time project. Schedule a quarterly check-in to assess new integrations, staff changes, and any updates to HMRC’s technical requirements.
Key takeaways
MTD data privacy requires UK businesses to act as accountable data controllers, applying UK GDPR principles to every digital tax workflow, integration, and submission.
| Point | Details |
|---|---|
| Controller responsibility | Your business remains the data controller even when using HMRC-approved software. |
| Data minimisation | Submit only the data HMRC requires; uploading full document folders violates UK GDPR. |
| DPAs are mandatory | Every third-party integration in your MTD workflow needs a documented Data Processing Agreement. |
| Shadow IT is a breach risk | Unsanctioned tools bypass audit controls and expose client data without legal protection. |
| Audit trails matter | Connected compliance platforms with verifiable audit trails reduce breach risk and demonstrate accountability. |
The tension no one talks about enough
The honest challenge with MTD data privacy is that HMRC’s drive for tax transparency and UK GDPR’s data minimisation principle pull in opposite directions. HMRC wants more data, more frequently, in digital form. UK GDPR says you must collect only what is strictly necessary and protect it rigorously. Tax professionals are caught in the middle, and most compliance guidance glosses over this tension.
In practice, I have seen firms treat MTD as a purely technical project. They choose a software platform, connect their bank feeds, and consider the job done. The privacy layer gets added as an afterthought, usually after a near-miss or an ICO enquiry. That is the wrong sequence entirely.
The firms that handle this well start with data flow mapping before they select their software stack. They know exactly what data moves where before they sign a single DPA. They also treat supplier diligence as an ongoing obligation, not a box ticked at onboarding. When a payroll provider updates its terms of service, they read them.
The audit trail in data handling is where accountability becomes visible. A firm that can produce a complete, timestamped record of every document interaction is a firm that can defend itself. That capability does not happen by accident. It requires deliberate choices about which tools you use and how you configure them. The MTD deadline is not the finish line for data privacy. It is the starting gun.
How Docpolish supports secure MTD document handling
Tax professionals handling sensitive client documents under MTD face a specific challenge: refining and processing those documents without exposing personally identifiable information to external AI systems.

Docpolish addresses this directly. Its client-side PII detection anonymises sensitive data within the browser before any document reaches an AI processing engine. The original data is restored in the final output. Every processed document receives a trust identifier, creating a verifiable audit trail that supports your UK GDPR accountability obligations. For practices building a privacy-first MTD workflow, Docpolish offers intelligent document refinement designed for regulated environments where data never leaves your control.
FAQ
What is Making Tax Digital data privacy?
Making Tax Digital data privacy refers to the legal obligations under UK GDPR and the Data Protection Act 2018 that apply when businesses and tax professionals collect, process, and store personal data as part of MTD digital tax reporting.
Does using HMRC-approved software remove my data protection responsibilities?
No. Your business remains the data controller regardless of which software you use. The software provider is a data processor acting on your instructions, and due diligence on that provider is your legal responsibility.
What is a Data Processing Agreement and do I need one?
A Data Processing Agreement is a contract between a data controller and a data processor that defines how personal data is handled, protected, and managed in the event of a breach. Every third-party tool in your MTD workflow requires one.
What does data minimisation mean for MTD submissions?
Data minimisation means submitting only the specific records HMRC requires for a given tax period. Uploading full document folders or excessive client data violates UK GDPR and increases your legal exposure.
When does MTD for Income Tax start and who does it affect?
MTD for Income Tax applies from 6 april 2026 to sole traders and landlords with annual income above £50,000, requiring digital record-keeping and quarterly submissions via HMRC-compatible software.