UK government receives dissertation written by Guernsey’s deputy data protection commissioner

The UK government has received a dissertation on the data protection implications of a ‘Hard Brexit’ for businesses that was written and researched by Guernsey’s deputy data protection commissioner.

Chair of the Data Protection Authority, Richard Thomas CBE, sent Rachel Masterton’s paper to the UK Information Commissioner’s Office and then onwards to the UK Department of Culture, Media and Sport’s (DCMS) international team.

He also sent it to The International Association of Privacy Professionals (IAPP) and the Centre for Information Policy Leadership (CIPL). Richard Thomas commented on his reasons for distributing Rachel’s dissertation:

‘The data protection implications of a ‘Hard Brexit’ are mind-boggling and stretch well beyond the British Isles. Rachel’s paper contains well-researched material and various insights which many people will find helpful in the months ahead as the scenes change on the wider Brexit stage with bewildering speed. Nowhere else are the various issues discussed in a single place in such depth.’

Mrs Masterton, who has worked at the Office of the Data Protection Commissioner (ODPC) for five years, completed the paper as part of her Master of Laws Information Rights Law and Practice and was awarded a distinction.

The dissertation considers how personal data can be transferred between EU Member States, knowing that these jurisdictions are governed by the same legislation, now known as the General Data Protection Regulation (GDPR). ‘Third countries’ (those outside the EU) cannot receive personal data from EU Member States unless they are deemed ‘adequate’ by the European Commission or by putting additional measures in place to safeguard that data and provide a level of protection similar to that offered by the GDPR. Therefore, when the UK leaves the EU the existing free flows of personal data will need to cease.

‘I had imagined my paper would end up on the shelf in our office with a very limited readership, so it is extremely flattering that our Chairman, Richard Thomas, had such faith in the document that he has circulated more widely,’ said Mrs Masterton. ‘Working in a jurisdiction that understands the importance of an adequacy decision from the European Commission for the free flow of data between us and EU Member States, I felt in a position to add a different slant to the subject, drawing on the experience of the Bailiwick. The issue of personal data is extremely important within the Brexit conversation, and the UK government has made a number of references to the data protection implications of Brexit since the vote in June 2016. It seems to be aware that trade could be impacted adversely. ‘Locally, The Data Protection (Bailiwick of Guernsey) Law, 2017 was drafted with Brexit in mind and so provides a gateway for transfers to UK-based organisations once the split happens. Businesses in the UK and EU need to be aware that Brexit will have data protection implications and start looking at how they will handle those. If the UK receives adequacy, that will address those issues in the most part and put the UK in the same position as the Bailiwick. If, for any reason, adequacy is not forthcoming, UK organisations and the EU based organisations that they receive personal data from will need to make use of the various safeguarding mechanisms within the GDPR,’ she added.

At her recent graduation from the University of Northumbria, Mrs Masterton was one of a number of people from the Law and Business Faculty to share the Faculty Pro Vice-Chancellor’s Award. The top three points from Rachel Masterton’s dissertation - 'Leaving the EU: the data protection implications of a ‘Hard Brexit’ for UK businesses with EU data flows and clients' are:

1. Post Brexit the UK will likely lose the influence it currently has on data protection throughout the EU, no longer having representation on the European Data Protection Board, the group tasked with the consistent application of the GDPR across the EU and promoting cooperation between the various EU data protection authorities.
2. Receiving an ‘adequacy decision’ from the European Commission is the most appropriate way to ensure that transfers of personal data between EU and UK can continue post Brexit.
3. No jurisdiction has ever gone from being part of the free flow of personal data one day and being a third country the next. There are a number of unknowns around process and timing that could impact on transfers even if efforts are made to secure an adequacy decision. The UK government and businesses need to be cognisant of these unknowns and look to bridge any gaps that may arise.

Read: Leaving the EU: the data protection implications of a ‘Hard Brexit’ for UK businesses with EU data flows and clients