STEP is aware that many members are looking for clarification as to how GDPR should be interpreted in the context of trusts and estates.
STEP’s Data Protection Working Group has made submissions to, and had discussions with, the Information Commissioner’s Office on this topic, and intends to publish guidance early next year (most likely in January or February 2020).
The topics covered by the guidance will include:
- how to apply tests such as ‘number of staff’ and ‘turnover’ in the trusts and estates context;
- the distinction between data processors and data controllers;
- the extent to which GDPR applies to trustees and personal representatives acting in a non-professional capacity;
- the legal basis on which trustees and personal representatives can process special category data;
- the circumstances in which trustees and personal representatives should issue privacy notices to beneficiaries; and
- the obligations on trustees and personal representatives when responding to subject access requests.
The Data Protection Working Group intends to add to this guidance in due course, including setting out views on matters such as the treatment of bare trusts and of attorneys and deputies.
Edward Hayes, Chair of STEP Data Protection Working Group
Posted in digital, Membership, Policy, Technical
- Tagged attorneys, bare trusts, Data Protection Working Group, deputies, Edward Hayes, GDPR, Information Commissioner’s Office, trusts
STEP’s GDPR working group recently hosted a roundtable event that enabled representatives from professional bodies, including the Law Society, ICAEW and CIOT, to update each other on their progress in relation to GDPR implementation. It is widely felt by the private client industry that when the legislation was drafted it was not designed with trust and estate practitioners in mind and there are some significant grey areas in practice.
Key issues that continue to be an industry concern discussed were:
- How the GDPR applies to lay trustees and personal representatives.
- How non-legal advisors process special category data.
- How the GDPR impacts upon international transfers.
- Queries in relation to joint data controllers and confidentiality.
- GDPR and its impact upon engagement letters.
- GDPR and its impact upon attorneys and deputies.
- Erasure of files and filing system requirements.
STEP’s working group is in the process of preparing a joint paper that it will submit to the Information Commissioner’s Office (ICO) identifying the practical issues that have arisen for trust and estate practitioners. We hope that the ICO will be able to address some of the gaps in the guidance and legislation.
STEP has scheduled another roundtable in February 2019 to further discuss these issues and aims, to provide STEP members with a best practice position and guidance in due course. In the meantime, STEP has published an update to its briefing note on the GDPR, listed below.
Please note that STEP will be publishing a webinar in January 2019, recorded by the chair of STEP’s GDPR working group, Edward Hayes TEP of Burges Salmon, that will offer some interim guidance on the application of the GDPR to trust and estate practitioners.
Emily Deane TEP is STEP Technical Counsel
Even though the European General Data Protection Regulation (GDPR) came into force on 25 May this year in the UK there is still widespread confusion around its application to the private client industry.
STEP has formed a Data Protection Impact Group with the objective of reviewing the GDPR’s impact in relation to the trust and estate industry. The group would like to collate some of the practical issues that have arisen and submit them to the Information Commissioner’s Office (ICO) with the intention of the ICO addressing some of the gaps in the guidance and legislation.
Tell us your views
STEP would like to invite members to provide examples of how the ICO guidance/legislation may be difficult to apply in practice, so that we can present these issues to the ICO and underline that the impact is potentially far-reaching.
Issues that have been identified include:
- Firms will be holding large amounts of personal data on clients and non-clients relating to their wills, family trusts and estates. Information (‘special category data’) on individuals other than clients is generally required in order to carry out the client’s instructions, for example a will. However as it stands a firm will have to obtain consent from third parties for this information because there are no express exemptions that apply in Article 9(2). Unlike the express exemption for ‘legal advice’ in the DPA 1998.
- Subject access requests have become a first port of call now for potential beneficiaries who are seeking further information about a will or trust. It is currently very difficult for an advisor to gauge how much information they can provide or restrict and what the applicable justifications are for doing so.
- The majority of private client firms in the UK will also undertake international work. File notes and legal documents containing personal data will need to be sent to third countries. If this data applies to a client it is possible to reply upon their consent to the transfer, however when the data relates to non-client data subjects then their consent is required. There does not appear to be an exemption in the GDPR that deals with this common occurrence.
- Firms are currently uncertain as to whether they should destroy/delete some of the personal data that they hold, for example, some personal information that is held on a family member could be more pertinent to one person than another. The firm may be exposing itself to risk by destroying data that become relevant at a later date.
STEP is hopeful that by providing the ICO with some working examples then it might recognise and review the difficulties that advisors are facing in this connection. We aim to provide members with a best practice position when further information is available.
We would very much value your input. Please send your examples to email@example.com.
Emily Deane TEP is STEP Technical Counsel