GDPR – Invitation to Members

Emily Deane TEP

Even though the European General Data Protection Regulation (GDPR) came into force on 25 May this year in the UK, there is still widespread confusion around its application to the private client industry.

STEP has formed a Data Protection Impact Group with the objective of reviewing the GDPR’s impact in relation to the trust and estate industry. The group would like to collate some of the practical issues that have arisen and submit them to the Information Commissioner’s Office (ICO) with the intention of the ICO addressing some of the gaps in the guidance and legislation.

Tell us your views

STEP would like to invite members to provide examples of how the ICO guidance/legislation may be difficult to apply in practice, so that we can present these issues to the ICO and underline that the impact is potentially far-reaching.

Issues that have been identified include:

  • Firms will be holding large amounts of personal data on clients and non-clients relating to their wills, family trusts and estates. Information (‘special category data’) on individuals other than clients is generally required in order to carry out the client’s instructions, for example a will. However, as it stands, a firm will have to obtain consent from third parties for this information because there are no express exemptions that apply in Article 9(2), unlike the express exemption for ‘legal advice’ in the DPA 1998.
  • Subject access requests have become a first port of call now for potential beneficiaries who are seeking further information about a will or trust. It is currently very difficult for an advisor to gauge how much information they can provide or restrict and what the applicable justifications are for doing so.
  • The majority of private client firms in the UK will also undertake international work. File notes and legal documents containing personal data will need to be sent to third countries. If this data applies to a client, it is possible to rely upon their consent to the transfer; however, when the data relates to non-client data subjects, their consent is required. There does not appear to be an exemption in the GDPR that deals with this common occurrence.
  • Firms are currently uncertain as to whether they should destroy/delete some of the personal data that they hold. For example, some personal information that is held on a family member could be more pertinent to one person than another. The firm may be exposing itself to risk by destroying data that becomes relevant at a later date.
  • There is uncertainty as to whether all potential beneficiaries of a trust or estate should be provided with a copy of the trust’s privacy policy, even when the settlor or testator was adamant that they did not want the individual, who may be vulnerable, to know that they may benefit at some stage.

STEP is hopeful that, once provided with some working examples, the ICO might recognise and review the difficulties that advisors are facing in this connection. We aim to provide members with a best practice position when further information is available.

We would very much value your input. Please send your examples to standards@step.org.

Emily Deane TEP is STEP Technical Counsel
