Do English lay trustees have to protect data?
Even under the pre-GDPR regime, data protection was a topic for trustees, although it is only now coming to the fore through the Dawson-Damer line of cases.
In an effort to bridge the gap between the rules and the reality, the Society of Trust and Estate Practitioners (STEP) has issued guidance on the GDPR in the context of private non-charitable trusts and estates.
STEP has recently updated this guidance to include a potentially helpful clarification for individuals acting as trustees or personal representatives in an unpaid, non-professional capacity.
Following discussions with the UK’s data protection authority (the Information Commissioner’s Office (ICO)), STEP’s view is that such individuals are likely to be outside the scope of the GDPR’s rules as they fall within an exemption for processing personal data “in the course of a purely personal or household activity”.
This exemption only applies to “natural persons”, so does not extend to trust corporations or other entities acting as trustees or personal representatives, but is likely to be a welcome clarification for many individuals acting as trustees or personal representatives as a result of family or personal connections.
As ever, the details are important:
- reimbursing expenses would not count as payment and neither would the payment of a legacy from an estate which is conditional upon the recipient taking on the role of personal representative; and
- where multiple trustees or personal representatives are acting, the fact that one can benefit from the exemption does not change the GDPR obligations of the remainder. Instead, the non-exempt trustees or personal representatives are left to shoulder the burden of GDPR compliance.
The ICO has not endorsed treating the “purely personal or household activity” exemption as a blanket carve-out for individual unpaid trustees and personal representatives, but its dialogue with STEP suggests (as a minimum) that acting in a fiduciary capacity does not prevent the exemption from being available.
More generally, the ICO has also confirmed that case law on the Data Protection Act 1998 (the UK legislation implementing the EU’s pre-GDPR data protection rules) may still be relevant when considering the GDPR. It remains to be seen how much help this will be in practice, but it provides another resource to which trustees, personal representatives and their advisers can turn when attempting to apply the GDPR’s rules.