
The Digital ghost: What happens to our data when we die.
Charlotte Bourguignon



Written by: Enzo Marquet

Have you ever wondered what happens with your digital data when you’re gone? Although the passing of a person might not be an easy topic to broach, readiness for an unforeseen loss can help ease the emotional weight and minimise its effects on everyone involved. We might not always realise it, but our digital footprint lives on long after we are gone.  

To reduce the administrative burden, this post will explore how individuals and organisations can proactively prepare for the event of their own, or of a colleague’s passing, focusing on security and data protection.  

Planning ahead for individuals

When a person passes, a significant portion of their personal data gets locked within the applications they’ve used, including social media, email services, and online cloud storage – essentially forming their digital legacy.  

Some of this data holds sentimental value, like photos, while other parts may have administrative importance, such as certificates and government documents. It is crucial to have a plan in place for the management of this data after your passing. 

1. Making an inventory

Safeguarding your digital legacy involves several steps, the first of which is creating an inventory of your digital assets. These assets include a wide range of accounts, information, and files accessible via electronic devices. Some examples of digital assets to consider are:

  1. Official services (bank accounts, medical records, retirement accounts) 
  2. Email, e-commerce, social media accounts 
  3. Media files (photos, videos, music) 
  4. Subscriptions (music, boxes/products, newspapers) 
  5. Data storage and files (iCloud, Dropbox, Google Drive) 
  6. Streaming services (Netflix, Hulu, etc.) 
  7. Data stored on devices 
  8. Smartphone-related accounts and apps 

Creating a comprehensive inventory may reveal more assets than expected, but it is essential to ensure your loved ones are aware of your digital wishes, especially for sentimental items like photos and memories. 


2. Social media 

Any social media account remains active after your passing, but nobody can access it. With a few clicks and some preparation, you can spare your loved ones from having to go through all the administrative procedures.

Many platforms allow you to select a ‘legacy contact’; this is a person who can memorialise your profile. Memorialising means your profile gets frozen as is. Nothing will change about it, but it will still be open for people to see, and sometimes people can share memories on your profile.

However, you might not want your profile to be used in such a way. In that case, you can select your profile to be deleted once the platform is informed of your passing.

In any case, discuss this with your loved ones to understand how you and they feel about this. Talk about what everybody wants and then decide how to proceed in case of an untimely passing. 

3. (Online) storage 

You store a lot of data on your own storage, such as your laptop or personal cloud. This can include videos, financial documents, and trivia. Your loved ones might want to recover some of this information. However, without direct access to your storage, it is rightfully difficult for them to get to it.

Think about how you want your loved ones to be able to access your storage. When you use a password manager, you can designate a contact with emergency access. This contact can then access your password vault and thus your files.

Another safe way to do this is to use a Belgian platform, created by notaries, called Izimi. Izimi automatically stores all your important documents related to your notary such as deeds and your will. You control who can access the documents in Izimi after your passing. Izimi also acts as a small online storage, so you can put more documents in there besides the official ones automatically included. For example, you can put a list of your (most) important passwords and pin codes.  

Keep in mind that many services these days require multi-factor authentication to log in. So, your loved ones might also need access to your e-mail or smartphone to log in.  

Planning ahead for companies 

For companies, it is imperative to address both the emotional and practical aspects simultaneously. On a personal level, inform the company in a compassionate manner and extend a hand of support to the family. However, it is also essential to manage other practical considerations, which may include addressing the employee’s inbox, their access, and the files on their account. 

1. Application of the GDPR 

The GDPR states in recital 27 that it does not apply to deceased people, but Member States are free to implement their own rules regarding the processing of personal data of deceased people. Be sure to check your national legislation for such rules. 

Regardless of national laws, it is important to take the following into account: 

2. Inbox & e-mail 

Do not immediately delete the inbox of the employee. You might want to recover some emails and/or contacts. However, ensure a genuine automatic reply is put into place to inform contacts that the email is no longer in use. Under no circumstance should you send additional e-mails from this address.  

You can invite the family of the employee to recover specific (personal) emails and/or files. Employees often have some personal files on their work devices even though it might not be allowed.  

3. Files & personal belongings 

The deceased employee could have files on their local storage which you might want to recover. Involve your IT-department, and possibly the family, to go through the files and select which files you want to keep and which to delete. Ensure this is done in a proper way. Keeping data on a deceased person is both inconsiderate towards their family and puts the image of your brand at risk.  

4. Access management 

While proper access management should be done from the inception of a company, we can highlight some of the risks that arise when an employee suddenly passes away. Imagine if this employee was your system administrator, and only this employee had access to specific key controls such as creating users, administering roles, and deleting accounts. If this person suddenly passes, with no way to get into their account, then the whole company would be locked out.

As such, it is important to ensure there are ways to either access any user account remotely, or to implement a procedure where at least two employees have access to any specific file/role. If one of the employees then suddenly passes, the other one is still there as back-up.   
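One way to check the "at least two employees per role" rule described above, as an added example that is not part of the original post. The role names, group names and accounts are constructed sample data, and the script assumes you can export role grants, group memberships and disabled accounts from your own identity system.

```python
# Constructed sample export: role -> principals (users or groups) holding it.
ROLE_GRANTS = {
    "user-admin": ["alice"],
    "role-admin": ["grp-it-ops"],
    "account-deletion": ["alice", "bob"],
    "finance-share": ["grp-finance", "carol"],
}
# Constructed sample export: group -> members (groups may be nested).
GROUP_MEMBERS = {
    "grp-it-ops": ["alice", "grp-helpdesk"],
    "grp-helpdesk": ["dave"],
    "grp-finance": ["carol"],
}
DISABLED = {"bob"}   # accounts that can no longer sign in
MIN_HOLDERS = 2      # the "at least two employees" rule


def expand(principal, groups, seen=None):
    """Resolve a principal to user accounts, following nested groups."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # a plain user account
    if principal in seen:
        return set()                # circular or repeated nesting: stop here
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def single_points_of_failure(grants, groups, disabled, minimum=MIN_HOLDERS):
    """Return {role: active holders} for roles with too few usable holders."""
    findings = {}
    for role, principals in grants.items():
        holders = set()
        for principal in principals:
            holders |= expand(principal, groups)
        active = holders - disabled  # a disabled account is not a back-up
        if len(active) < minimum:
            findings[role] = sorted(active)
    return findings


if __name__ == "__main__":
    report = single_points_of_failure(ROLE_GRANTS, GROUP_MEMBERS, DISABLED)
    for role, holders in report.items():
        print(f"{role}: only {len(holders)} active holder(s): {holders}")
```

Counting distinct active people rather than grants matters here: a role granted to both a group and a user can still depend on a single person, and a second holder whose account is disabled provides no back-up.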


Addressing death is a delicate subject and its repercussions are profound and extensive. Therefore, engaging in such discussions and preparing, whether for yourself or your organisation, can help mitigate additional burdens, encompassing both emotional and administrative facets. 
