
Data privacy for English law trusts and estates: top three things to think about

Since the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, family offices will be familiar with data privacy as part of their compliance and administration responsibilities, both in running the office itself and in looking after a family’s entities and affairs.

However, whilst we are increasingly aware of the requirements imposed by GDPR in the context of businesses, the issues are less clear in relation to private, family arrangements such as trusts and estates, and its application to trustees and personal representatives (executors or administrators) of deceased estates (PRs).

We would not attempt to cover the entirety of the legal requirements of GDPR in one short article, but here are the top three data privacy issues we think that PRs should be aware of:

1. Lawful Processing of Personal Data: Trustees and PRs often handle personal data, such as beneficiary information, financial records, and other sensitive information. The GDPR requires that personal data is processed lawfully, fairly, and transparently. This means that trustees and PRs must have a lawful basis for processing personal data.

Consent of a beneficiary is unlikely to be a ground used by trustees and PRs.  For consent to be valid, it must be freely given, specific, informed, and unambiguous.  This could prove difficult where, initially at least, their information has been provided by the settlor or testator.  If consent is relied upon as the legal basis for processing, additional obligations apply and importantly, if consent is withdrawn, the processing must cease.

Alternative lawful bases include the necessity of processing for compliance with a legal obligation or for the performance of a contract (e.g. administering the estate).  Another ground that may be used is where the processing is necessary for the legitimate interests of the data controller or a third party, provided these are not overridden by the interests of the data subject.  However, reliance on this ground requires the data controller to undertake a balancing act between these rights (known as a legitimate interest assessment) and could result in a conflict.

Trustees and PRs must also (where it is possible to do so) provide individuals with a privacy notice to inform them about how their data will be used and ensure that they have a legitimate reason for processing it.

2. Data Security and Protection Measures: Protecting personal data is a crucial aspect of data protection. As data controllers, trustees and PRs must implement appropriate security measures to safeguard personal data from unauthorized access, disclosure, alteration or destruction. This includes encryption, access controls, regular security assessments, and employee training on data protection practices. Breaches of personal data can result in significant fines and reputational damage, so it is essential to take data security seriously.

When sharing personal data with third parties, trustees and PRs must be mindful of the GDPR principles of integrity and confidentiality and should only share personal data where there is a legitimate reason to do so.

3. Data Subject Rights: Data subjects (i.e. the individuals whose data is being processed) have certain rights under the GDPR, including the right to access their data, to request its deletion (the “right to be forgotten”) and to object to the processing of their data under certain circumstances. Trustees and PRs need to be aware of these rights and have procedures in place to respond to data subject requests within the legally mandated timeframes.  Beneficiaries can ask the trustees what information is held about them, the purposes and length of time for which it will be held, other recipients to whom the information has been disclosed, and the source of this information. Unless the information is exempt from disclosure, copies of the data must be provided free of charge upon request and within one month, but there is also a right to refuse or to charge if the request is “manifestly unfounded or excessive”.  That said, the UK government has confirmed that: “… the GDPR directly protects against disclosure where it would adversely affect the rights and freedoms of others, including any rights or freedoms of trustees”. The government’s position appears to be that disclosure can be refused in relation to information that would be protected under trust law, such as trustee deliberations or reasons for their decisions.

It’s important for trustees and PRs to conduct regular assessments of their data processing activities to ensure compliance with data protection laws. This may involve appointing a Data Protection Officer (DPO) if required, conducting privacy impact assessments for high-risk activities, and maintaining comprehensive records of data processing activities. Seeking legal advice and staying informed about updates to data protection regulations is also advisable to address evolving compliance challenges.


This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. Greenwoods Legal LLP is a Limited Liability Partnership, registered in England, registered number OC306912. Our registered office is Queens House, 55-56 Lincoln’s Inn Fields, London, WC2A 3LJ. A list of the members’ names is available for inspection at our offices in Peterborough, Cambridge and London. Authorised and regulated by the Solicitors Regulation Authority, SRA number 401162. Details of the Solicitors’ Codes of Conduct can be found at www.sra.org.uk. All instructions accepted by Greenwoods Legal LLP are subject to our current Terms of Business. VAT Reg No: 161 9287 89.



