The new General Data Protection Regulations (“GDPR”) were introduced on 25 May 2018 and is the most important change in data privacy regulation in 20 years. The aim of GDPR is to protect individuals from breaches of privacy and data.
What many people do not know is that GDPR also applies to Executors/Administrators (“PRs”) and Trustees, irrespective of whether they are professionals or not.
Information held by PRs and Trustees about beneficiaries of a Will or under a Trust is often provided to them by the testator or settlor without the consent of the beneficiary or even, in some circumstances, without their knowledge.
For the purposes of GDPR, PRs and Trustees have obligations regarding the “personal data” they hold including names, addresses or other information they hold about any beneficiary. This information can be provided to PRs and Trustees from letters of wishes, trust documents and other testamentary documents, such as a Will. As such, PRs and Trustees will be deemed to be “data controllers” under GDPR. They therefore have an obligation to ensure, amongst other things, that personal data is being processed (e.g. used and stored) securely and that they are transparent about the nature of the processing.
The data controller must only “process” data on the basis of one or more of the several grounds, including having obtained prior consent and “legal obligation”. It most situations, PRs and Trustees will seek to rely on the “legal obligation” ground on the basis that they are obliged to hold beneficiary information to fulfil their duties in administering the estate or trust.
PRs and Trustees may also hold “sensitive data” including information on a beneficiary’s race, sexual orientation, religious beliefs, health etc and, unless the individual has given consent, or it is in the public interest, processing such data is prohibited under GDPR. PRs and Trustees may be able to argue that processing such sensitive information is necessary to enable them to carry out the testator/settlor’s wishes and therefore it is in the public interest.
Generally, under trust law principles, PRs and Trustees are able to exercise discretion as to whether to disclose information to beneficiaries. GDPR rules have now enhanced the information that beneficiaries are entitled to about the trust or administration of estate which may now conflict with their rights to withhold information under established trust law.
Going forward, PRs and Trustees should consider providing beneficiaries with privacy notices in order to satisfy their obligations under GDPR (unless one of the grounds not to do so applies).