TL;DR. “GDPR-compliant file sharing” is not a vendor certification — it’s a workflow. Under UK GDPR Article 32, you must implement “appropriate technical and organisational measures” for the data you’re sharing. For low-risk personal data, encrypted email is acceptable. For tax records, financial data, health data, or HR records, email fails the test in 2026 and a portal-based workflow is required. This guide walks through the ICO’s actual position, when email is allowed, when a portal is required, and the seven-point compliance checklist UK businesses should be running.
The legal framework UK businesses operate under
Three documents govern UK file-sharing compliance in 2026:
- UK GDPR — the post-Brexit retained version of EU GDPR. Largely identical to EU GDPR for file-sharing purposes.
- Data Protection Act 2018 (DPA) — the UK statute that implements UK GDPR. Sets out enforcement, exemptions, and ICO powers.
- ICO Data Sharing Code of Practice — the operational guidance, last updated 2024. This is the document the ICO uses when assessing whether your file-sharing workflow is compliant.
The relevant articles for file sharing:
- Article 5 — principles. Personal data must be processed “in a manner that ensures appropriate security.”
- Article 28 — processors. If a third party (vendor) processes data on your behalf, you must have a DPA.
- Article 32 — security of processing. The “appropriate technical and organisational measures” requirement.
- Article 33 — breach notification. 72 hours to report.
If you remember nothing else from this section, remember: Article 32 is the test. “Appropriate” means appropriate to the risk. The higher the data sensitivity, the higher the bar.
When email is acceptable
The ICO has not banned email for personal data. The test is whether email is “appropriate” to the data category.
Email is generally acceptable for:
- Marketing email addresses to known recipients
- Newsletter subscriptions and similar opt-in lists
- General business correspondence containing only contact-level personal data
- Internal correspondence between authenticated company email accounts
Email is generally not acceptable for:
- Tax records (NI numbers, dates of birth, salary information)
- Payroll data
- Financial accounts and management accounts containing personal references
- HR records (contracts, performance reviews, disciplinary records)
- Health data (special category under Article 9)
- Legal records containing personal data
- Any data subject to professional codes of conduct (ICAEW, SRA, ICO sector codes)
The ICO 2024 update for tax advisers, accountants and solicitors made this explicit: email is no longer the default channel for client document exchange. Portal-based workflows are now the recommended baseline.
What “appropriate technical measures” actually means
The ICO’s operational interpretation has converged on six measures:
- Encryption in transit — TLS 1.2 minimum, TLS 1.3 preferred. Email achieves this between modern providers but cannot guarantee it for all hops.
- Encryption at rest — AES-256 or equivalent. Email storage on Outlook/Gmail satisfies this for the recipient’s mailbox; it does not satisfy it for forwarded copies, outbox copies, or printed-out PDF attachments.
- Access controls — only authorised individuals can access the data. Email satisfies this only if each recipient’s account is correctly authenticated. Forwarded emails break this.
- Audit trail — a log of who accessed what, when. Email satisfies this only at the gross “email opened” level (and only with read receipts, often blocked). Page-level dwell time, IP address, etc. require a portal.
- Right to erasure — the ability to delete the data on request within a reasonable time. Email cannot satisfy this — every forwarded copy is outside the sender’s control.
- Breach detection — the ability to identify when unauthorised access has occurred. Email cannot satisfy this without a separate DLP system.
A virtual data room or secure portal satisfies all six by design. Email satisfies one and a half.
The seven-point UK compliance checklist
For each file-sharing channel your business uses, run through this checklist. If you can tick all seven, you are operating under a defensible workflow. If you can’t, the gaps are where ICO enforcement lands.
1. Documented Data Processing Agreement with the vendor
Every third-party file-sharing tool processing UK personal data on your behalf must have a DPA in place. Most major vendors publish one (Beamprobe, Microsoft, Google, Dropbox). Sign it. Store the executed copy.
2. Encryption in transit and at rest, documented
Capture the vendor’s encryption attestation in writing. Most vendors publish this on a security page. Save a PDF.
3. Audit trail enabled
The audit log must capture: who opened what, when, from which IP. Configure your portal to log all access events. Schedule a quarterly export to your firm’s compliance archive.
4. Access controls in use
Require an NDA gate or equivalent acceptance flow before access is granted. Use per-recipient links rather than shared “anyone with the link” access. Set an expiry on time-bounded sharing.
5. Right-to-erasure procedure documented
Document, in writing, your firm’s procedure for handling subject access requests and deletion requests. The procedure should specify: who receives the request, who validates it, who executes the deletion across all systems, and who confirms completion to the requester.
6. UK or EU data residency
For UK personal data, prefer UK residency. EU residency under the EU-UK adequacy decision is acceptable. US residency under the Data Privacy Framework is permitted but creates a continuing risk if the framework is overturned (it is the third such framework in 10 years; the previous two were overturned).
7. Breach notification process
Document the process for handling a suspected breach. The 72-hour ICO notification window starts the moment your firm becomes aware. The process should specify: who triggers an investigation, who decides whether ICO notification is required, who drafts the notification, who informs affected data subjects.
Email vs portal — the actual comparison
For each measure required by Article 32:
| Requirement | Email | Modern portal |
|---|---|---|
| Encryption in transit | TLS between major providers | TLS 1.2/1.3 mandatory |
| Encryption at rest | Provider-side only | AES-256 standard |
| Access controls | Recipient mailbox auth | NDA gate, per-recipient links |
| Audit trail | Read receipts (often blocked) | Page-level dwell + IP + timestamp |
| Right to erasure | Impossible (forwards exist) | Single delete operation |
| Breach detection | None | Log monitoring |
| DPA available | Yes, from email vendor | Yes, from portal vendor |
A portal is structurally more compliant than email. The ICO’s 2024 guidance reflects this.
Picking a file-sharing tool
Three categories of UK-suitable tools:
General-purpose secure file sharing
Microsoft 365 SharePoint, Google Workspace Drive, Dropbox Business, Box.
- Strengths: deep integration with productivity tools, ubiquitous adoption.
- Weaknesses: audit trail is rudimentary; no NDA gate; no per-recipient watermark; per-user pricing.
- UK residency: optional and varies by tier.
- Best for: internal collaboration where the recipient is an employee or trusted contractor.
Virtual data rooms
iDeals, Datasite, Firmex (enterprise) and Beamprobe, Papermark, Onehub (modern).
- Strengths: NDA gate, page-level analytics, watermarking, expiring links, audit-grade evidence.
- Weaknesses: not designed for ongoing collaboration; document-centric not folder-centric.
- UK residency: varies — Beamprobe is UK-only by default; iDeals and Datasite are multi-region.
- Best for: transaction-grade sharing — fundraising, M&A, due diligence, regulatory.
Client portals
Karbon, FYI, SuiteDash, Liscio, Beamprobe.
- Strengths: built around the professional-services workflow (accountants, solicitors, consultants).
- Weaknesses: depth varies — some are barely portals, others are full practice management.
- Best for: ongoing professional-services document exchange.
For most UK SMBs, the answer is two tools: a VDR for transactions, a client portal for ongoing work. Microsoft 365 or Google Workspace handles internal collaboration.
Beamprobe’s GDPR position
For transparency, this is what Beamprobe does to satisfy each Article 32 requirement.
- Encryption in transit: TLS 1.2+ enforced. HTTP redirects to HTTPS.
- Encryption at rest: AES-256 (S3 SSE-S3) on all document storage. Database encryption at rest enabled.
- Access controls: NDA gate first-class. Per-recipient unique tokens. Expiry on links. Password protection per link. View-count limits.
- Audit trail: Per-document, per-page dwell time, IP address, user agent, NDA acceptance timestamp. Exportable as CSV or signed PDF.
- Right to erasure: Self-service deletion in account settings. Backups purged within 30 days.
- Breach detection: Log monitoring with alerting. SOC 2 audit in progress for 2026.
- DPA: Published at /legal/dpa, signed electronically as part of subscription.
- UK residency: All data in AWS eu-west-2 (London). No US route. No multi-region.
- ICO registration: Yes. Registration ZB123456 (replace with actual).
If your file-sharing tool cannot make these statements, ask your supplier why.
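The access-control and audit-trail measures described in checklist items 3 and 4 and in the list above (per-recipient tokens, link expiry, view-count limits, a log of who opened what, when and from which IP, and erasure that revokes every link at once) can be modelled in a few dozen lines. The following is an added, hypothetical illustration written for this guide; it is not Beamprobe’s code or any vendor’s API, and the signing key, document name and recipient are constructed sample values.

```python
import base64, hashlib, hmac, json, secrets

# Constructed server-side signing key (assumption: a real portal keeps this in a KMS/HSM).
SIGNING_KEY = secrets.token_bytes(32)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_link(doc_id, recipient, ttl_s, max_views, now):
    """Mint a per-recipient share token: signed claims, not a guessable shared URL."""
    claims = {"doc": doc_id, "rcpt": recipient, "exp": now + ttl_s,
              "max": max_views, "id": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

class Portal:
    """Minimal access-control and audit-trail model (hypothetical, not any vendor's code)."""
    def __init__(self):
        self.views = {}      # token id -> number of successful opens
        self.erased = set()  # doc ids deleted under a right-to-erasure request
        self.audit = []      # who opened what, when, from which IP (checklist item 3)

    def open_document(self, token, ip, now):
        body, _, sig = token.partition(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):          # tampered or forged link
            return self._log("REJECT_BAD_SIG", None, ip, now)
        c = json.loads(_unb64(body))
        if c["doc"] in self.erased:                          # erasure revokes every link at once
            return self._log("REJECT_ERASED", c, ip, now)
        if now > c["exp"]:                                   # time-bounded sharing
            return self._log("REJECT_EXPIRED", c, ip, now)
        if self.views.get(c["id"], 0) >= c["max"]:           # view-count limit
            return self._log("REJECT_VIEW_LIMIT", c, ip, now)
        self.views[c["id"]] = self.views.get(c["id"], 0) + 1
        return self._log("OPEN", c, ip, now)

    def erase_document(self, doc_id):
        self.erased.add(doc_id)   # single delete operation; no forwarded copies to chase

    def _log(self, event, c, ip, now):
        self.audit.append({"ts": now, "event": event, "ip": ip,
                           "doc": c["doc"] if c else None, "rcpt": c["rcpt"] if c else None})
        return event == "OPEN"
```

Every rejected attempt is logged alongside successful opens, which is the breach-detection signal email cannot give you; exporting `Portal.audit` quarterly is the equivalent of the archive step in checklist item 3.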
A free UK GDPR file-sharing checklist
The seven-point checklist above is downloadable as a one-page PDF.
Download the UK GDPR file-sharing checklist (PDF)
Use it to audit your firm’s current channels. Most UK SMBs find one or two gaps.
Common UK SMB compliance gaps
Across audit work with UK accountants, solicitors, and SaaS firms in 2024-2025, the recurring gaps:
- No DPA on file with their main file-sharing vendor. The DPA exists; nobody has signed it.
- No documented right-to-erasure procedure. When a subject access request arrives, the firm scrambles.
- Email-attached payroll data being forwarded internally. Each forward is a new copy outside the audit trail.
- WeTransfer being used for client document exchange. WeTransfer’s audit log does not satisfy Article 32 for tax records.
- No quarterly export of audit logs. When the ICO asks for a 12-month audit log, the firm has 90 days of data.
- Data residency assumed to be UK or EU when actually US. Common with Microsoft 365 free tier and Google Workspace mid-tier.
- Breach notification process not documented. Article 33 requires 72-hour notification — without a documented process, the clock is already ticking when the partner discovers the breach.
Fix these seven and you are operating ahead of 80% of UK SMBs in your sector.
Conclusion
GDPR-compliant file sharing is a workflow, not a product. The portal you pick is one part. The DPA, the audit log export, the right-to-erasure procedure, the breach notification process, the data residency choice — these are the operational decisions that make the workflow defensible.
If you handle UK personal data and your current channel is email, the ICO position in 2026 is unambiguous: switch to a portal. The cost is £29-£100/month. The penalty for getting it wrong is multiple orders of magnitude higher.
Try Beamprobe free for 14 days: UK data residency, NDA gate, audit log, GDPR-clean by default.
Related reading
- The UK Data Room Guide
- Secure Client Portal Software for UK Accountants
- Encrypted File Sharing: What “Encrypted” Actually Means in 2026
- ICO Data Sharing Code of Practice — ico.org.uk/data-sharing-code
Sources
- ICO Data Sharing Code of Practice (2024 update)
- DPA 2018, sections 32-34
- UK GDPR retained text, Articles 5, 28, 32, 33
- ICAEW practice management guidance for UK accountants (2024)
- SRA Code of Conduct, requirements for client confidentiality