Posted on 18 July, 2019
In legal terms, the General Data Protection Regulation (GDPR) does not apply to identifiable data that relates to a person once they have died.So what rights do the deceased have when it comes to their personal information?However, GDPR does stipulate that member states may provide their own rules regarding the processing of personal data of deceased persons
In France for instance it is possible to regulate the processing of your data after your death. People can give data controllers general or specific indications about the retention, erasure, and communication of their personal data once they have passed away. It is also possible to nominate someone else to act on your behalf ensuring your wishes are implemented.
In the UK there are no such considerations meaning that when we die our data lives on in hundreds, if not thousands of databases. Ultimately the only reason it will be deleted is once the data controller realises that you have passed away and determines they have no further use of your data and it is deleted. Of course, under GDPR organisations have a legal requirement to keep their data up-to-date so theoretically deceased data should be removed eventually. However, for organisations the very presence of this data, even for a short time, is incredibly risky. There are three very clear risks:
Whilst the deceased in the UK currently have no rights when it comes to their data, it is best practice for organisations to erase that data as soon as possible – not only ethically, but to protect themselves against the three scenarios that would arguably be in breach of GDPR and could be liable for a fine.
For information on a quick and cost effective solution to identifying deceased data please contact Patrick on Patrick.lymath@wilmingtonmillennium.co.uk