Digital legacies: what should happen to your data?

Summary:

• Personal data protections largely end at death, leaving information managed by platform rules rather than clear law
• A digital estate includes owned and licensed assets, many of which are inaccessible or non transferable without planning
• AI enables post mortem digital personas, raising unresolved issues of consent, ownership and misuse

Philip Larkin’s famous closing line from the poem An Arundel Tomb, ‘what will survive of us is love’, resonates today as much as it ever did — yet in the 21st century, another legacy endures long after we are gone: our digital footprint. For IT professionals, this raises questions about data governance, privacy, security and the long‑term stewardship of personal information.

The digital self: protected in life, vulnerable in death

While alive, individuals in the UK and EU benefit from the General Data Protection Regulation (GDPR), which imposes strict obligations on organisations to protect personal data. Other jurisdictions have their own frameworks, and protections vary widely. However, current GDPR rights do not extend beyond death. Once a person dies, their data becomes subject to a patchwork of company policies, contract law and limited national legislation.

Where something is an asset, then UK law recognises these digital assets and the value they have — for example, with crypto-tokens and crypto-assets. This informed the Property (Digital Assets etc) Act 2025. However, for data that isn’t considered an asset, there remains no unified statutory framework. Moreover, even where legally recognised, if there are no physical records and a person's accounts are locked, the family or executors may not know of the existence of or be able to access assets. The result can be confusion, inconsistency, and, in some cases, distress for families and executors.

What counts as a digital estate?

A digital estate includes any digital asset with emotional, practical or monetary value. This can include:

• Photos, videos, documents and creative works
• Email accounts and cloud storage
• Social media profiles
• Cryptocurrency wallets and non-fungible tokens (NFTs)
• Online banking and investment accounts
• Domain names and websites
• Loyalty points, gaming assets and subscription services for music or videos

Note that many digital services are licensed, not owned. Kindle books, iTunes libraries and streaming accounts cannot legally be transferred to heirs — a point often overlooked by consumers.

Risks of unmanaged digital legacies

Consider genetic testing services such as 23andMe or AncestryDNA. These datasets can reveal hereditary conditions relevant to living relatives. While medical records have strong legal protections, copies stored in email, cloud folders or third‑party apps may not. If accessed or leaked, they could expose family members to discrimination risks or unwanted profiling. Moreover, deleting accounts could be difficult, again depending on organisational policies rather than legislation.

Identity theft and fraud

The deceased are prime targets for identity theft. Infosecurity magazine recently highlighted this, as did the OpenID Foundation's call for action on a Global Digital Estate Standard, with criminals using personal data to open credit cards, apply for loans or create synthetic identities. Without proper digital estate planning, an individual’s estate may face financial or legal complications.

Locked or lost assets

Cryptocurrency is the most dramatic example. Without private keys, wallets are unrecoverable — an estimated 20% of all Bitcoin is believed to be permanently inaccessible due to lost credentials. Providing details of how to access this in your will could be one mechanism, but the public nature of probate records means this can itself be a problem. 

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

But similar issues apply to cloud photo libraries, password‑protected devices and encrypted backups. Families often discover too late that they cannot access cherished memories or valuable assets.

An example of this is the 2019 legal case brought by Rachel Thompson to access the photos and videos on her deceased husband's Apple account. Whilst she eventually won the case, it took four years and thousands of pounds.

Emotional harm and unintended persistence

Social media accounts can become digital memorials — sometimes comforting, sometimes painful. Platforms differ widely: 

• Facebook allows memorialisation or deletion via a legacy contact
• Google offers an ‘inactive account manager’ to specify how data is handled
• Apple introduced digital legacy contacts
• Twitter/X has a mechanism to deactivate accounts

Without clear instructions, families may face lengthy legal processes or be unable to remove or manage accounts at all

GenAI and the rise of the digital afterlife

Generative AI introduces a new dimension: the possibility of posthumous digital personas. Some companies already offer AI avatars trained on a person’s messages, post and recordings. The BBC explored this in a recent EastEnders episode, where one character became reliant on AI following their on-screen son’s death. Social platforms are experimenting with automated posting or memorial bots. This raises ethical questions:

• Should your digital likeness be allowed to continue generating content?
• Who owns the training data after death?
• Could an AI version of you be misused — commercially, politically or personally?  

In the creative industry, using AI and other techniques to recreate deceased actors can enable a movie to be completed. Still, with the availability of tools and data, this can be an option for many today. Who should have the right to determine that? The UK’s Information Commissioner’s Office (ICO) has highlighted concerns about AI models trained on personal data, but post‑mortem rights remain largely undefined.

The legislative gap

The UK’s proposed Digital Device Access Bill (2021) aimed to simplify access to digital content after death but stalled before becoming law.

Other countries are experimenting with frameworks, but global consistency is lacking. In the absence of legislation, access depends entirely on each platform's terms of service. These are often opaque, vary widely, and can change without notice. 

This means, individuals should:

• Create a digital will that specifies who should have access to which accounts and assets
• Use legacy options and tools offered by major platforms (Google, Apple, Facebook)
• Maintain an encrypted password manager and ensure a trusted person can access it, though note that such access may be unauthorised depending on the platform
• Decide what should be deleted, memorialised, or transferred to others
• Document the location of digital assets, including cryptocurrency wallets

While organisations should:

• Educate users about digital estate planning as part of cybersecurity awareness
• Review policies on account access after death to ensure clarity and fairness
• Consider the ethical implications of AI‑driven posthumous content
• Ensure data minimisation to reduce the risk of post‑mortem misuse

A new kind of legacy

Just as we plan for our physical estate, we must now plan for our digital one. Our data — our photos, our messages, our creative work, our online presence — forms part of our identity. Whether we want it preserved, passed on, or erased, the choice should be ours. Larkin was right that love endures. But in the digital age, what survives of us is also shaped by the systems we use, the data we create and the decisions we make today.