
Top 3 data privacy issues every trustee and executor should know

Following our article, ‘Protecting your wealth from scams & fraud’, we now turn the spotlight to something equally critical: the top 3 privacy issues every trustee and executor should be aware of.

If you’re managing someone else’s legacy, safeguarding personal and financial information isn’t optional; it’s essential. In this follow-up, we reveal the privacy risks you need to be alert to and how to stay one step ahead.

Since the introduction of GDPR (General Data Protection Regulation) and the Data Protection Act 2018, family offices have faced complex data privacy regulations. When it comes to trusts and estates, the landscape can be especially confusing. Trustees and personal representatives (executors and administrators) handle large amounts of sensitive data, and mishandling privacy can lead to serious consequences.

Here are three essential data privacy points for trustees and personal representatives:

1.  Understand the legal basis for processing data

Trustees and personal representatives often process personal information, from beneficiaries’ details to financial records.  Under GDPR, merely possessing data isn’t enough; there must be a legitimate legal basis for using it.

Consent is often not a practical basis since it must be freely given, clear, and revocable.  Instead, valid legal bases generally include:

  • Fulfilling a legal obligation (e.g., administering the estate)
  • Performing a contract
  • Pursuing a legitimate interest, balanced against individuals’ rights

Transparency is key.  Whenever possible, provide a privacy notice explaining what data you collect and why.

2.  Implement strong data security measures

Having a lawful basis to process data is just one part of the responsibility; protecting that data is equally crucial.

Data controllers, trustees, and personal representatives should implement robust security measures: encryption, strict access controls, regular audits, and training for anyone handling data.  A data breach can cause reputational harm and lead to heavy fines.

When sharing data, ensure you have a valid reason and maintain strict confidentiality; discretion is paramount.

3.  Respect data subject rights and respond promptly

Beneficiaries and others have rights under GDPR, including:

  • Knowing what data you hold about them
  • Correcting inaccuracies or requesting deletion (the “right to be forgotten”)
  • Objecting to how their data is used

Trustees and personal representatives must be ready to respond to such requests, typically within one month and free of charge.  Requests that are excessive or unfounded can be refused or charged for. It’s also important to note that UK law protects trustees’ privacy, so you are not required to disclose confidential trust decisions or discussions.

So, what should trustees and personal representatives do to stay compliant?

It’s essential to regularly assess your data processing activities to ensure you’re meeting your obligations under data protection laws.  This might involve:

  • Maintaining up-to-date records of what data you collect, how it’s used, and who it’s shared with
  • Keeping pace with updates to regulations and best practices
  • And, crucially, seeking legal advice when in doubt, especially when handling complex estates or sensitive family dynamics.

By being proactive, trustees and personal representatives can avoid legal pitfalls, protect personal data, and uphold the trust placed in them.

In today’s digital world, data is invaluable.  Mishandling it can cause reputational damage, legal risks, and loss of beneficiary trust.  This is about more than compliance; it’s about safeguarding legacies and relationships.

At Greenwoods, our Private Wealth team brings together expertise and a practical understanding of the real-world challenges that come with managing sensitive information in complex family dynamics.

We simplify complex legal frameworks to give you clear, practical advice on managing privacy risks and staying ahead of evolving regulations. Whether you need a quick compliance check or a comprehensive data protection solution, we’re here to support you.

Have a privacy concern? John Macaulay, Partner, Head of Employment and data protection specialist, is ready to help.


This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. Greenwoods Legal Services Limited is a Limited company, registered in England, registered number 16115882. Our registered office is Queens House, 55-56 Lincoln’s Inn Fields, London, WC2A 3LJ. Authorised and regulated by the Solicitors Regulation Authority, SRA number 8011813. Details of the Solicitors’ Codes of Conduct can be found at www.sra.org.uk. All instructions accepted by Greenwoods Legal Services Limited are subject to our current Terms of Business.



