Data protection for businesses

What is GDPR?

It stands for General Data Protection Regulation, which is an EU law, adopted in the Isle of Man by an Order under the Data Protection Act 2018.

The Isle of Man had to implement the GDPR into its law so that it can continue to do business with EU countries.

New data protection provisions are in a set of regulations which set out all the data protection procedures and powers of the Information Commissioner, called the GDPR and LED Implementing Regulations 2018 which are in operation from 1 August 2018.

These provisions were previously in the Data Protection Act 2002. 

How does it affect my business?

GDPR updates data protection law in the Isle of Man to account for new ways of sharing and exchanging data between businesses and other organisations, with Government and between individuals. 

The Isle of Man also needs to retain its ‘adequacy decision’ with the European Data Protection Board, so that it can continue to do business and exchange data with other jurisdictions.  

GDPR increases protection for individuals and places the obligations and onus upon the organisation to handle personal data lawfully and securely.  

What do I need to know?

Here are some of the key things businesses need to know about GDPR and the proposed changes to the law.

• Controllers and processors of data are defined in the same way as before, and the Information Commissioner is still the regulator
• The principles of data protection have been reduced in number, but obligations upon controllers are heightened
• Data controllers have new obligations including duties to ensure that your contracts with processors comply with the GDPR.  Data processors must maintain records of processing and are directly liable where they are responsible for a breach
• GDPR has an accountability principle which means that organisations must show how they comply and why, with documentation and records
• Some organisations may be required to carry out privacy impact assessments to assess risk to individual’s rights when using new technology
• GDPR introduces higher standards for consent, meaning that where you process data based upon consent, it must be specific, informed and explicit consent for the processing of that data for a specific purpose.  It requires a positive and affirmative action, and must be capable of being demonstrated
• GDPR introduces enhanced rights for individuals that organisations will need to observe, including the right to access data, the right to object to or restrict processing, the right to be forgotten, and similar rights for rectification and erasure of data, data portability and safeguards in relation to automated decision making
• You will need to make sure that you have robust procedures in place so that you can comply with the rights of individuals.  These include providing a response to access to personal data within one month of the request - at no charge 
• Some organisations will have to appoint a Data Protection Officer, which will be mandatory depending on the scale and nature of the processing carried out by your organisation, or if your organisation is a public sector body
• If you do suffer a data breach, in some circumstances you will have a mandatory duty to report within 72 hours to both the Information Commissioner and the subject of that data
• Failures to report may result in a fine or other enforcement measures being taken. 

There is still a requirement to register with the Information Commissioner and those requirements now extend to processors.

Where can businesses go for help and guidance?

The Information Commissioner provides a wealth of guidance and tools on data protection for businesses and other organisations.

This includes in many different areas such as definitions, data mapping, steps to compliance and other areas of data protection law.

There are also some helpful FAQ and guidance documents.