Even though the European General Data Protection Regulation (GDPR) came into force on 25 May this year, in the UK there is still widespread confusion around its application to the private client industry.
STEP has formed a Data Protection Impact Group with the objective of reviewing the GDPR’s impact in relation to the trust and estate industry. The group would like to collate some of the practical issues that have arisen and submit them to the Information Commissioner’s Office (ICO) with the intention of the ICO addressing some of the gaps in the guidance and legislation.
Tell us your views
STEP would like to invite members to provide examples of how the ICO guidance/legislation may be difficult to apply in practice, so that we can present these issues to the ICO and underline that the impact is potentially far-reaching.
Issues that have been identified include:
- Firms will be holding large amounts of personal data on clients and non-clients relating to their wills, family trusts and estates. Information (‘special category data’) on individuals other than clients is generally required in order to carry out the client’s instructions, for example a will. However, as it stands a firm will have to obtain consent from third parties for this information because there is no express exemption that applies in Article 9(2), unlike the express exemption for ‘legal advice’ in the DPA 1998.
- Subject access requests have become a first port of call now for potential beneficiaries who are seeking further information about a will or trust. It is currently very difficult for an advisor to gauge how much information they can provide or restrict and what the applicable justifications are for doing so.
- The majority of private client firms in the UK will also undertake international work. File notes and legal documents containing personal data will need to be sent to third countries. If this data relates to a client it is possible to rely upon their consent to the transfer; however, when the data relates to non-client data subjects then their consent is required. There does not appear to be an exemption in the GDPR that deals with this common occurrence.
- Firms are currently uncertain as to whether they should destroy/delete some of the personal data that they hold; for example, some personal information that is held on a family member could be more pertinent to one person than another. The firm may be exposing itself to risk by destroying data that becomes relevant at a later date.
STEP is hopeful that by providing the ICO with some working examples it might recognise and review the difficulties that advisors are facing in this connection. We aim to provide members with a best practice position when further information is available.
We would very much value your input. Please send your examples to firstname.lastname@example.org.