News and Press

Is it time for the rights of the deceased to be considered when it comes to data?

In legal terms, the General Data Protection Regulation (GDPR) does not apply to identifiable data that relates to a person once they have died.So what rights do the deceased have when it comes to their personal information?

However, GDPR does stipulate that member states may provide their own rules regarding the processing of personal data of deceased persons

In France for instance it is possible to regulate the processing of your data after your death. People can give data controllers general or specific indications about the retention, erasure, and communication of their personal data once they have passed away. It is also possible to nominate someone else to act on your behalf ensuring your wishes are implemented.

In the UK there are no such considerations meaning that when we die our data lives on in hundreds, if not thousands of databases. Ultimately the only reason it will be deleted is once the data controller realises that you have passed away and determines they have no further use of your data and it is deleted. Of course, under GDPR organisations have a legal requirement to keep their data up-to-date so theoretically deceased data should be removed eventually. However, for organisations the very presence of this data, even for a short time, is incredibly risky. There are three very clear risks:

  1. Data breach: it can be stolen and used by identify fraudsters
  2. Brand damage: it can mistakenly be used to communicate with someone that has passed away causing distress to the family and friends of the deceased
  3. Biased AI: it can be processed and used to inform AI-powered algorithms, which could ultimately lead to a biased model

Whilst the deceased in the UK currently have no rights when it comes to their data, it is best practice for organisations to erase that data as soon as possible – not only ethically, but to protect themselves against the three scenarios that would arguably be in breach of GDPR and could be liable for a fine.

For information on a quick and cost effective solution to identifying deceased data please contact Patrick on Patrick.lymath@wilmingtonmillennium.co.uk

 


Back