In the UK, GDPR regulations help protect the privacy and security of personal data. It is commonly understood that GDPR laws apply to living individuals – but what about those who are deceased?
In legal terms, GDPR laws do not apply to information relating to deceased people. GDPR only applies to personal data pertaining to living individuals; personal data relating to deceased individuals therefore falls outside of this definition.
This description is outlined in Recital 27 of GDPR regulations, which states: “(27) This Regulation [GDPR] does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”
Whilst GDPR does not apply to deceased people, there are still data privacy considerations that businesses have to take in relation to deceased individuals’ personal data. It is also important for businesses to operate sensitively around this kind of personal data, and ensure that databases are mostly made up of living individuals.
Since this kind of personal data is not recognised by GDPR, the processing of deceased individuals’ data can be different to processing living individuals’ personal data.
These key differences are explored below.
Do you have to remove deceased individuals’ data from a database?
Under GDPR, businesses have a legal obligation to keep their data up-to-date, which means that, theoretically, deceased data should be removed, although there are no specific regulations that state that a deceased individual’s data should be removed.
However, by not removing deceased data, businesses do put their brand at risk. Deceased data is susceptible to fraud – it is often used by identity fraudsters who steal this information for monetary gain.
Additionally, deceased data often results in brand damage. Communications sent to individuals who have passed away can cause distress to friends and family of the deceased individual. In turn, this can result in a negative perception of your brand, especially if the mistaken communication is perceived as insensitive.
Deceased data will also affect the quality of your data. When using the data to gather customer insight, deceased entries can skew the results and make them unreliable, since they aren’t representative of your actual audience.
It’s important not to overlook deceased data. The good news is that it’s easy for businesses to identify and remove these kinds of data entries with deceased suppression services.
Accessing a deceased person’s personal data
Under GDPR, living individuals have the legal right to make a Subject Access Request (SAR). This provides individuals with a copy of their personal data; for example, a request may cover bank details, social media data, or marketing data.
As GDPR does not apply to deceased individuals, you are unable to obtain data about a deceased person through a Subject Access Request. Instead, the application process is dealt with under the Freedom of Information Act 2000 (FOIA). This can make it slightly more complicated to obtain personal data if it belongs to a deceased individual.
Freedom of Information Act 2000 (FOIA)
The Freedom of Information Act 2000 provides a general right for people to access all data held by public authorities. For example, access to emails, notes, letters, and CCTV recordings.
When requesting information relating to deceased people, you may be able to seek this information under the FOIA. However, if the data is sensitive in nature, it is important to consider whether the data should be disclosed.
There are no specific exemptions under FOIA in relation to whether a data subject is deceased or not, meaning an organisation is usually unable to refuse a request to disclose data relating to a deceased person.
However, there are several exemptions that may act as grounds for refusal. For instance, Section 41 outlines an exemption from the right to access information if it was provided by the individual in confidence. Information belonging to the deceased individual cannot be accessed if it is confidential, such as health or banking information.
Find out more about deceased suppression and GDPR
Keep your data clean and compliant with our suite of data services. We help businesses avoid the risks of deceased data with unrivalled deceased suppression services, as well as GDPR compliance services to help them avoid fines and operate compliantly.