GDPR and Wills?

January 14, 2019

Many of you will now be aware of the introduction of the new EU General Data Protection Regulation (‘GDPR’) on 25 May 2018 which applies to all business and organisations which hold data in relation to private individuals. The new rules have raised an interesting query – do solicitors and other professional advisers holding wills on behalf of their clients have an obligation to send beneficiaries named in a will a ‘privacy notice’ informing them that the adviser is holding information about them? Do they need to tell them that they are in fact beneficiaries?

The GDPR gives what are known as ‘data subjects’ the right to be provided with all information that a ‘data controller’ holds about them, save in certain circumstances. There was already a similar ‘subject access request’ right under the Data Protection Act 1998, but that has very rarely been used in relation to wills and estates.

Data controllers are also required to issue ‘privacy notices’ to individuals whose personal data they hold, and whom they have reason to think may have good reason to see or amend that data. That is why there has been such a large volume of e-mails arriving in everyone’s inbox over recent weeks as companies try to ensure that they are GDPR compliant.

The Information Commissioner’s Office (ICO) has not yet dealt with the specific issue of wills. However, it has replied to a solicitor who asked the question directly via its own website. What the ICO says is that an adviser who stores a will on behalf of a client does not have to contact beneficiaries when the will is written, but only when it comes into effect on the client’s death and the estate begins to be administered. At that point the adviser should send beneficiaries a privacy notice to let them how their data will be stored and processed. The ICO indicated that the situation with beneficiaries when a will is drafted falls under Article 14(5)(d) of the GDPR, which states that the data controller need not comply with the request if the personal data concerned must remain confidential subject to an obligation of professional secrecy. The adviser is a data processor and the client is the data controller. The adviser is therefore holding information on behalf of the data controller, and is responsible for the security of that data, but seemingly has no wider obligation. Once the client dies the adviser may then be properly viewed as the data controller.

The obvious issue in the case of a will is that a testator is unlikely to want their beneficiaries to know about their inclusion in the will when it is initially drafted so an obligation to contact them would create more problems than it solves. In addition, a will is ‘ambulatory’, that is, it speaks from death and does not in fact have any effect unless and until the testator dies. Given that an individual can, and almost certainly should, change the terms of their will many times during their life, providing information to a beneficiary at the drafting stage would be most unhelpful and could cause confusion amongst friends and family members who might ultimately not end up receiving the inheritance that they were expecting.

If you are finding all of this rather confusing, welcome to the club! The full effects and impact of GDPR will not be known for some time as it beds in across many aspects of day to day life. There is no doubt that at some stage the Courts will have to adjudicate on some of the thornier aspects of the rules and we may well be in for some unexpected results. However, the basic principle remains unchanged – going to an experienced Private Client solicitor to get good estate planning advice and have your will professionally drafted is still the best possible course of action.

An article of this kind can never provide a complete guide to the law in these areas which may be subject to change from time to time. The opinions and suggestions made within this article should not be interpreted as specific advice in relation to any particular individual or individuals. Neither Michael Graham nor Cleaver Fulton Rankin accept responsibility for any loss occasioned by someone acting or refraining to act on the basis of the opinions and suggestions contained in this article.

Michael Graham is Head of the Private Client Department at Cleaver Fulton Rankin and a founding member of the Northern Ireland Branch of the Society of Trust & Estate Practitioners. He is also a full member of Solicitors for the Elderly.