GDPR regulates “personal data”, which is any information from which a living individual can be identified, whether from that information alone or from that information in combination with other information you have or which may come into your possession. Data from which the deceased can be identified is, therefore, not personal data for the purposes of GDPR, unless another living individual can be identified from that same data. However, there are various scenarios where charity legacy professionals will likely deal with personal data as regulated by the GDPR, for instance data regarding executors, beneficiaries or parties assisting with estate administration, such as Smee & Ford or solicitors. This note identifies some typical scenarios.
It is important to remember the six main principles which you must usually comply with under the GDPR, which are:
1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner;
2. Purpose limitation: personal data must be collected for specified purposes and cannot be processed in a way that is incompatible with those purposes;
3. Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
4. Accuracy: personal data must be accurate and, where necessary, kept up to date;
5. Storage limitation: personal data must be kept for no longer than is necessary for the purposes for which it is processed; and
6. Security: personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, damage or destruction.
Typical situations where a charity legacy professional might need to be mindful of their obligations under GDPR are:
1. Notification of a legacy or recording a legacy
When charity legacy professionals are notified of a legacy by Smee & Ford, or are directly contacted by executors (or solicitors acting on their behalf) about a legacy, they are likely to be receiving various pieces of personal data. This could include data relating to executors, beneficiaries and other service providers, which is all potentially covered by the GDPR.
From the point of receipt, the GDPR considers charity legacy professionals “controllers”, because they receive and then determine the purposes and means of processing personal data. This means that they must consider the use of personal data against the six principles listed above.
2. Communications with executors, next of kin, trustees and life tenants
Once they have been notified of a legacy, it is an essential part of a legacy professional’s role to communicate effectively with individuals such as the executors, next of kin, trustees or life tenants as part of the estate administration. These communications can be carried out largely without those individuals’ consent, under the “legitimate interests” lawful basis for processing data. This is the most flexible basis upon which legacy professionals can lawfully process data. However, they should also be aware that using the legitimate interests basis requires them to consider and satisfy a three-stage test. First, identify a legitimate interest; second, show that the processing is necessary to achieve that legitimate interest; and finally, balance that against the individual’s interests, rights and freedoms. See the ICO’s latest guidance on legitimate interests.
Legacy administrators may also wish to communicate with individuals through direct marketing. Whether it’s updating next of kin or family members about a charity’s work, or requesting an in memoriam gift, the general rule is that electronic (i.e. email, SMS and phone use where an individual is registered with the Telephone Preference Service) direct marketing requires prior “opt-in” consent. Consent can be a difficult standard to achieve. The GDPR specifies that it must be a freely given, specific, informed and unambiguous indication of an individual’s wishes, demonstrated by statement or clear affirmative action. You cannot rely on recipients, for example, to “uncheck” a pre-ticked box to signify that they do not wish to receive such communications, because implied consent is no longer sufficient. It is also important to remember that consent can be withdrawn at any time, which can be challenging when you rely on electronic marketing to achieve marketing objectives and grow legacy portfolios. Ways to obtain consent which do not breach the GDPR include by hard copy letter, by phone call (where the individual is not registered with the Telephone Preference Service, with a record kept of the consent given) or in person (again with a record kept of the consent given). Online mechanisms such as pop-up windows or banners are also becoming an increasingly popular and accepted method of gaining consent.
3. Communicating with other charities
It is perfectly acceptable to share relevant information about the deceased with other charities in connection with the administration of an estate in which they are necessarily involved, for example where the same testator leaves gifts to different charities. However, you will need to be careful when considering related information. For example, is it lawful to share the names and information of executors or beneficiaries with other charities? You will need to ensure that you are able to rely on one of the lawful bases in Article 6 of the GDPR – if it is legitimate interests, ensure that the legitimate interests test is satisfied. Whilst it may be fairly straightforward to determine the legitimate interests upon which you are processing the data, proving that it is necessary to process the personal data to achieve that legitimate interest is harder (i.e. is there an alternative way you could achieve your legitimate interest?). Even if you can prove this, you will still need to satisfy the balancing test and assess the rights and freedoms of the individual against that necessary, legitimate interest. Importantly, whatever outcome you arrive at after applying the test, document your conclusion. This assists you when articulating how you’ve applied the lawfulness, fairness and transparency principle.
4. Claims Made Against an Estate
When a claim is made against an estate, often charities that are included in the will as residuary beneficiaries will group together to defend the claim. It is not uncommon for claims to be made against an estate by family members who request greater provision from the estate on the basis of, say, medical need. In this case, legacy professionals may receive special categories of personal data (i.e. what used to be called sensitive personal data), such as information relating to a person’s health. These categories of data require an additional lawful basis for processing, under Article 9 of the GDPR. In this case, you may have to rely on explicit consent, which is an even higher test than the normal test of “freely given, specific, informed and unambiguous”. Incidentally, it is important to note that claims about a testator’s capacity after their death are not covered by the GDPR rules on sensitive personal data, meaning that the deceased’s medical records would not be caught.
5. Storage of Case Files
Legacy administrators may hold a notification of a gift in a will for decades until the death of the testator and may continue to do so indefinitely because, for example, the terms of the will have been changed without the charity being notified. In this instance, the valid purpose is holding on to the notification in order to administer the estate.
As a rule of thumb, after an estate is administered, it is good practice to keep the personal data as long as there may be a legal claim under relevant statutory limitation periods.
6. Outsourced Administration
Some legacies are administered by service providers who carry out the role of a legacy officer. In this instance, the service provider becomes a “processor” under Article 28 of the GDPR as they act solely on the instructions of the controller. Prior written agreement with prescribed terms is required under Article 28, as well as a number of enhanced due diligence requirements. It is important to remember that any existing arrangements between legacy administrators and outsourcing providers must be compliant with Article 28 and any existing arrangements should be appropriately reviewed.
Although the GDPR requires organisations – including charities – to review their practices and make various changes to ensure compliance, the ICO has repeatedly stated that it will take a reasonable and pragmatic approach, depending on the circumstances. In general, provided you have taken proactive steps to ensure that you are compliant with the GDPR and identified where the data processing risks lie within your organisation, the ICO is unlikely to take enforcement action. It does not expect a lengthy, repetitive and costly “root and branch” review which would cause unreasonable interruption to business. However, this general rule is very dependent on circumstances – if in doubt, best practice is always to take appropriate legal advice as soon as possible.
All content on this page is correct as of June 28, 2018.