The purpose of this privacy notice is to explain how the Institute of Accountants and Bookkeepers (“IAB”) processes your personal data to fulfil our data protection responsibilities.
The role of IAB in data protection terms is that of a data controller where we determine the purpose and use of the personal data being processed. It is the responsibility of our Privacy Manager (PM) to ensure the processing of your personal data is in accordance with the UK’s data protection legislation. The PM is contactable using hello@iab.org.uk.
The sort of personal data collected by IAB will be basic contact details sufficient to be able to respond to your general enquiries and for sales purposes and, separately, to administer your membership if you are a member.
IAB’s duty of confidentiality means that our staff will treat your personal data with due respect and confidence. It is only disclosed to others when absolutely required. We use reasonable organisational and technical measures to ensure personal data is kept secure. We also expect the same duty of confidentiality of all third parties with whom we share your personal data. All processing takes place on-site and/or agreed off-site locations, all within the UK, with routine backups performed on UK and EU based servers.
The processing of personal data by IAB is processed in accordance with the principles of data protection and always against a lawful basis such as those below:
- We will pursue our legitimate interests to respond to your general enquiries and stay in touch with you for marketing purposes
- To comply with our legal obligations
- Where we have a contractual arrangement with you to administer your membership of the IAB
- When processing for a pre-defined purpose for which your consent will be sought prior to the processing commencing – please note that consent can be withdrawn at any time by contacting the PM
IAB will share your personal data but only when necessary, with some or all of the following:
- Administrative support where personnel are bound by a data processing agreement and/or contractual arrangements
- Appointed contractors for specific outsourced services who are subject to a data processing agreement or equivalent as bound by their contracts
- Professional bodies
- Law enforcement agencies
- Public authorities, including regulators
- HMRC
These organisations are reviewed regularly, and the number is kept to a minimum.
IAB follows a retention schedule to determine the length of time we hold different types of personal data. The key retention periods are as follows:
- Routine correspondence for casual enquiries in hard copy or in emails will be stored for 7 years after the last interaction with IAB
- Routine correspondence relating to payments will be retained for 6 years starting at the end of the tax year in which this personal data was collected
- Contact data is stored indefinitely unless a valid request to erasure has been received, in which case it will be given due consideration
At the end of the retention period IAB will destroy or delete your personal data and any associated emails or relevant documentation for which IAB has no lawful basis to justify retention. If it is technically impractical to delete electronic copies of personal data, it will be put beyond operational use. It should be noted that IAB allows up to 3 months after the retention period has ended to complete this action.
The UK General Data Protection Regulation defines the rights that you have (although these do not apply in all situations) and these are summarised below:
- Right to be informed as to how your personal data are being processed – this is done through this notice
- Right to access personal data held by us; this is done by submitting a ‘Subject Access Request’ (SAR) to the privacy manager
- Right to rectification of personal data if we have collected it incorrectly or it needs to be updated
- Right to erasure of your personal data for which we no longer have a legitimate purpose to process
- Right to restrict processing under certain circumstances, during which your personal data will be taken out of operational use until the matter is resolved
- Right to data portability of your personal data in a machine-readable version, but this only applies to data provided with your consent or under contract
- Right to object to processing personal data for which we do not have a legal or contractual obligation
- Rights related to automated decision making and profiling, however, IAB does not use these techniques in its decision making
Further details of all these rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
Raising concerns, exercising rights, or making queries about our processing of your personal data can be done by contacting the PM. Please be aware that IAB will need to verify a requesters/ enquirer’s identity before responding fully. For that reason, you may be asked for proof of identification that, in context, will enable IAB to confirm your identity. Alternatively, you may contact the ICO directly, using the details provided above.
December 2025
Affiliated with
MEMBERS OF
Follow us on
