Having the ability to block access to NI number, date of birth and personal UTR number from certain staff (users)

These are personally identifiable information as per GDPR, and staff members who deal with limited company clients only do not need to have access to personal information relating to directors of the same companies.