The General Data Protection Regulation (GDPR) will introduce a new data protection regime in the UK from 25 May 2018. The rules represent a tightening of the obligations owed by trustees and personal representatives (PRs) to their data subjects.
How does the regime apply to trustees and PRs? Trustees and PRs may find that they have access to data about beneficiaries (such as addresses or sensitive information) from letters of wishes, wills and other testamentary documents. The GDPR applies to any type of processing of that data, including gathering, storing and using information to assist with estate administration.
Under the GDPR, the data controller must only process personal data on the basis of one or more of several grounds, which includes having obtained prior consent, and legal obligation. In most cases, the PRs will not have gathered data about a beneficiary with their consent, and may therefore seek to rely on the ground that they are legally obliged to hold information about the beneficiaries as part of their duties in running the trust or administering the estate.
Sensitive data A special category exists for the processing of sensitive data, which includes information relating to an individual’s relationships. Take for example a testator who in his will has created a right for his wife to occupy the property while she is alive, such right terminating if she remarries or cohabits. During the lifetime of the trust, it is discovered by the PRs that the surviving spouse has begun cohabiting with someone else. In order to be able to gather and retain this information, the PRs must comply with one of the more stringent special conditions laid out in the GDPR.
Rights and obligations Trustees and PRs generally have a discretion as to whether to disclose information relating to a trust to the beneficiaries, however, the GDPR cuts across this by providing beneficiaries with rights to information about the trust or administration. This includes the general right to access the data (e.g. an adult beneficiary who has an interest in possession under a trust is entitled to know the existence of the trust, and the nature of his interest), the right to request that information be erased, and the right to complain to the Information Commissioner’s Office of any abuse of the regulations.
The PRs will have an obligation to ensure, amongst other things, that the data is being processed securely, and that they are transparent about the nature of the processing.
Trustees and PRs should already be aware of their duties to beneficiaries as data subjects, however with the new rules coming into force in May, they should review their arrangements and put in place new processes if necessary, to avoid falling foul of the stricter regulations and facing the large fines that may be imposed for a breach.
For information on wills and trusts generally, please do not hesitate to contact Laura Sentkovsky in the Private Client department on 0207 703 5034 or at firstname.lastname@example.org
Meaby&Co is authorised and regulated by the Solicitor’s Regulation Authority (SRA Number 447880) and registered in England and Wales with registered number OC322672 at 2 Camberwell Church St, London, SE5 8QY.