Data protection & GDPR on the Isle of Man
This website is intended as a guide, and should not be construed as legal advice or an authoritative statement of the law.
Organisations and individuals should take independent advice.
What is GDPR?
GDPR stands for General Data Protection Regulation. This is an EU law.
The GDPR sets out the rights of the individual and establishes the obligations of those processing and those responsible for controlling and holding data. It also establishes the methods for ensuring compliance as well as the scope of sanctions and penalties for those in breach of the rules.
Key parts of the GDPR include a widened definition of personal data, new obligations for processors as well as boosted rights for individuals.
The Isle of Man needs to implement the GDPR into its law by 25th May so that it can continue to do business with EU countries.
The GDPR will be implemented in the Isle of Man using an Order made under a new Data Protection Bill which enables the Isle of Man to bring in EU law relating to data protection. New data protection provisions will be in a set of regulations which set out all the data protection procedures and powers of the Information Commissioner.
These were previously in the Data Protection Act 2002.
GDPR sits alongside the EU's Law Enforcement Directive (LED), which contains similar provisions for organisations processing data for crime prevention, investigation and law enforcement.
The legislative approach
The Isle of Man's approach is different from that of the UK, Jersey and Guernsey as we are starting from a different constitutional position with different requirements.
The Isle of Man will introduce a short Data Protection Bill, giving specific powers to introduce EU data protection as part of Manx law – after approval by Tynwald – and then implemented with any necessary Regulations.
So it is these Regulations which will contain the legal essence of the Island's approach to GDPR and which should be read as a replacement for the existing Data Protection Act 2002.
This approach ensures that the Island's legislative position is equivalent to the GDPR so that we can meet EU requirements, but it will also allow more flexibility in future.