A fake tax scheme promoted to small companies, which plays on the fear of large fines for data loss or misuse under the General Data Protection Regulation (GDPR).

Accountingweb recently published a warning about the following tax avoidance scheme:

The Information Commissioner's Office (ICO) is responsible for enforcing penalties under the Data Protection Act 2018, which enacted the GDPR.

The maximum financial penalty for misusing data under this law is the higher of 4% of the organisation’s worldwide annual turnover and £17.5m. The standard maximum penalty that can be imposed for breaches of the administrative requirements of GDPR is the higher of 2% of turnover and £8.7m.

Either figure could bankrupt a small company if it was imposed.

Small and medium-sized companies, particularly in the IT sector, are being approached by various firms offering a service that checks their risk of a GDPR fine and offers a way to pay for this service while receiving a substantial corporation tax refund.

According to Accountingweb, the fake tax scheme has five stages:

  1. The “GDPR experts” produce a report detailing what level of financial penalties the company could face for GDPR non-compliance.
  2. This figure is used as a provision for the estimated GDPR penalty costs in the company’s accounts. The promoter calls this claim a “GDPR tax credit”, but there is no such tax relief in the legislation.
  3. The company adjusts its accounts for an earlier year (or three) to include this provision that reduces taxable profits.
  4. The tax return for the earlier period is amended to reflect the lower taxable profits, which triggers a tax repayment.
  5. The promoter of the fake tax scheme takes a fee of 30% of the tax repayment, plus VAT.

Why it doesn’t work

The requirements of accounting standard FRS 102 para 21.4 determine that a provision for a future cost can only be made when:

  • The company has an obligation to pay a cost, which has been established by the reporting date for the accounts, and arises due to a past event; and
  • It is probable (i.e. more likely than not) that the company will be required to pay that cost; and
  • The amount of the cost can be reliably estimated.

The GDPR penalty provision fails on all three points:

  • It has not arisen due to a past event; it has been invented at some point after the reporting date.
  • It is not “more likely than not” that the company will have to pay a penalty to the ICO or a civil claim for a breach of GDPR law.
  • As this liability is not probable, it cannot be reliably estimated in line with the guidance in HMRC’s Business Income Manual (BIM46555).

Even if the provision did meet the three tests in FRS 102, para 21.4, it fails at a higher level, as any penalties for GDPR breaches, or civil punitive damages for such a breach, are not tax-deductible costs.

If a company does make such a provision in its accounts for an unquantifiable GDPR fine and claims a tax repayment, HMRC will probably pay the claim automatically with little upfront checking.

However, once HMRC realises the company has used the fake GDPR tax credit scheme it will open an enquiry into the company. The tax repayment at the centre of the scheme will have to be repaid in full, with no deduction for the fee paid to the scheme promoter, plus interest at 7.5%.

HMRC will also charge a penalty for a deliberate inaccuracy in a corporation tax return, which could be up to 70% of the overclaimed tax.