Everyone, by now, will have heard about the new data protection regime (GDPR) as organisations rush to send out emails on the subject before its introduction on 25 May 2018. But what does GDPR involve and how does it apply to trustees and executors (PRs)?
Trustees and PRs are in an unusual position because the information they hold about beneficiaries will often have been provided by the settlor or testator without the beneficiary's consent, or in some circumstances even without their knowledge. Trustees and PRs of deceased estates are nevertheless subject to GDPR, whether they are paid professionals or not, and so will have increased obligations in relation to the personal information ('data'), such as names, addresses or other details, that they hold about any trust and estate beneficiaries and anyone else who is a natural, living person.
The GDPR sets out several principles which data 'controllers' (such as trustees and PRs) must comply with, including that personal data must be collected only for specified, legitimate purposes and that it must be 'processed' (e.g. used and stored, whether on a computer or in paper form) in a lawful, fair, transparent, accurate and secure manner, for no longer than is necessary in the circumstances.
Processing certain sensitive information about a person's race, politics, religion, genetic and biometric data, health, or sexual orientation is prohibited under the GDPR unless the individual has given consent or it is necessary for reasons of substantial public interest. This may be problematic for trustees and PRs who have access to this type of sensitive data from letters of wishes, trust and testamentary documents or from other individuals in the context of considering how the trust fund or estate should be distributed. Trustees and PRs may be able to argue that it is in the public interest to see that the wishes of a settlor or testator are followed as closely as possible, or that the processing is necessary to establish beneficiary rights.
GDPR rules will also enhance the information that the beneficiaries are entitled to and, as is the case under current data protection laws, this may cut across trustees' rights to withhold information under trust law principles. Beneficiaries can ask the trustees what information is held about them, the purposes and length of time for which it will be held, other recipients to whom the information has been disclosed and information as to its source. Copies of the data must be provided free of charge upon request but there is a right to refuse or to charge if the request is "manifestly unfounded or excessive". Trustees and PRs faced with an access request should take care to redact personal information about others so as not to adversely affect their rights.
In order to fulfil their obligation to give access to the information, trustees and PRs should consider proactively providing beneficiaries with a privacy notice as soon as possible, unless one of the grounds not to do so applies (for example, if this would be impossible or involve disproportionate effort, or if it would seriously impair the objectives of the processing or breach confidentiality obligations). A privacy notice would cover matters such as the source, nature and purpose of the information held, how it will be used and shared, and the beneficiary's rights in relation to it: for example, to request access to it, to rectify mistakes, to request erasure and to make complaints to the Information Commissioner's Office (ICO).
In the absence of guidance, the extent of the transparency obligation and the exceptions to it are not entirely clear in relation to trustees and PRs. Generally, trustees and PRs owe their main duties to the beneficiaries and settlors have only limited rights to enforce confidentiality. This would seem to tip the balance in favour of sending privacy notices to the principal beneficiaries at least. In any event GDPR requires accountability and so trustees and PRs should consider their position and be able to defend whatever they decide to do.
There is a lot that trustees and PRs will need to consider and digest to ensure that they are GDPR compliant. Some of the action points they may wish to consider include conducting an audit of what data is held and why; who it is shared with; how long it will be kept; arrangements for keeping it secure and up to date; procedures to identify and report breaches as well as complying with access requests; reviewing contracts with others to whom the information is disclosed to ensure they too are GDPR compliant; taking care when sending information to a third party who is outside the EU; developing a policy, including considering future record keeping, and issuing privacy notices to relevant beneficiaries.