Trusts and restricting access to information: The impact of GDPR

18/09/2018 Caroline Rao, senior associate - private capital, Harbottle & Lewis,

One rationale for the GDPR is to give EU data subjects more control over their personal data. This article provides some insight on the impacts for access to personal data held by trustees. 

Personal Data

The ICO guidance states that personal data is information that relates to an identified or identifiable individual. At first, this appears to be an extremely wide definition, particularly as an individual can be identified not only by name or reference but also by other markers including location data, IP address and cookie identifiers.

Trustees hold information which is personal data of the settlor, and of each individual in the beneficial class. However, Trustees may also hold personal data of persons expressly excluded from benefitting from the trust, and also of persons who are not beneficiaries of the trust but in relation to whom the trustees hold information (including those mentioned in the letter of wishes, perhaps because the settlor does not want them to be added as beneficiaries of the trust or only added in certain circumstances). Obviously such information may be extremely sensitive.

Pre-GDPR limitation on disclosure

Since Schmidt v Rosewood, a trustee has had a significant degree of confidence as to the information that could/should be disclosed to such beneficiaries (including the trust deed and trust accounts) and what information is confidential (including non-binding letters of wishes and recorded reasons for exercising trustee discretions). As far as third parties were concerned, in most circumstances, the trustee would have been confident in refusing to make any disclosure (or indeed provide any response) to a request from a third party. 

GDPR – access to personal data/SARs

The GDPR potentially drives a coach and horses through this established trusts law position and presents a significant new challenge to trustees. 

In relation to accessing information, any individual beneficiary or third party now has the ability to request copies of their personal data from the Trustee by making a Subject Access Request.

Upon receiving a SAR (which can be written or verbal), a Trustee must usually respond within a month, and so Trustees need to be prepared and should have appropriate policies in place to deal with any future SARs. 

The trustee must first identify the SAR requestor in order to undertake a search of both electronic and hardcopy records (and may include searching employee devices) for the requestor’s personal data.

When determining what should be disclosed, the trustee must determine whether it is in fact personal data of the requestor. This will include considerations such as whether it is clearly about/linked to/of biographical significance to the requestor, and whether it is information that could be used to make a decision which impacts the requestor.

The trustee will then have to determine whether the information is also personal data of another, as disclosure cannot be made under a SAR if it would adversely affect another, unless he consents or it is reasonable to do so. Trustees may find themselves in the unenviable position of having to balance the privacy rights of two or more individuals. Efforts will need to be made to satisfy disclosure, for example where redaction of the third party information would be effective.

There are a number of exemptions to disclosure; one of the most important being where legal professional privilege applies. This is a difficult issue in itself and care must be taken to avoid inadvertently waiving privilege, which will then deny this exemption.

The motive behind the SAR is irrelevant, so there is nothing to prevent a beneficiary seeking greater information which he would be entitled to under trusts law, and nothing to prevent a disappointed heir, creditor or inquisitive third party making an SAR and using the information received for litigious purposes.


The risk of failing to deal with a SAR properly or sufficiently is investigation by the ICO and ultimately penalties. The danger of improperly disclosing information that is also personal to another is a data breach for which penalties also arise. In addition to these, the trustee may also be liable for breach of trust. 

It is also worth noting that unsatisfied requestors may complain to ICO, who then investigate the claims. The ICO is a public body and may be vulnerable to freedom of information requests, so that will also require careful handling.


All trustees, but in particular those administering trusts with sensitive or potentially contentious elements, should consider how they would deal with a SAR before they receive one. In particular, a trustee should look at their data retention policy, as they only have to disclose data currently held. This can enable a trustee to vastly reduce the risks posed to a particular structure.

With careful consideration, it may be possible using a combination of data analysis and the GDPR exemptions to significantly limit disclosure relating to a SAR, but as soon as a SAR is received, the trustees will need to act quickly, so investment in preparation is recommended, particularly for those trusts where information is most sensitive.

Share with Linkedin Share with Twitter

Poor   Average   Good   Excellent