Preparations for GDPR
The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, with the EU Law Enforcement Directive (LED) coming in on 6 May 2018. This will affect the whole of the Isle of Man Government including all of its Departments, Boards and Offices, as well as every other public sector or private sector organisation which holds or processes personal data.
The new law will introduce new responsibilities, including:
- the need to demonstrate compliance
- more stringent enforcement
- enhanced rights for individuals
- the possibility of increased penalties when compared with the existing Data Protection Act 2002 (DPA)
The Isle of Man Government is committed to high standards of privacy, including transparency and information security. We appreciate the need to keep data safe and place a high priority on protecting personal data and managing personal data in accordance with accepted standards including ISO 27001.
Under both the existing and the new law, the Isle of Man Government will have the same obligations upon it as other controllers and processors, and will work closely with its stakeholders to meet its legal and contractual obligations in the provision of public services.
Following its commitment in the Programme for Government, the Cabinet Office is the project sponsor for the implementation of GDPR and the domestic legislation across the Isle of Man Government. Whilst Departments, Boards and Offices each have different legal functions, and provide differing services, the Isle of Man Government is working collectively to ensure compliance with GDPR.
As project sponsor, the Cabinet Office has constituted a project team consisting of a project manager and policy officer, with administrative support within the Office of Cyber-Security and Information Assurance (OCSIA), assisted by a Legal Officer from the Attorney General’s Chambers to provide advice and guidance at various stages of the project. Our team are working with the Information Commissioner, together with all Departments, Boards and Offices, to ensure that the Isle of Man Government is ready to meet its obligations under GDPR.
The Isle of Man Government's preparation for GDPR is overseen by the project team, together with internal peer review by the Data Protection Officers working across Government.
The main areas upon which the project team are focussing are:
- identification of how and why we are dealing with personal data
- provision of visibility and transparency in our approach to dealing with personal data including privacy and fair processing notices, guides, disclaimers or terms and conditions, and online or paper application forms
- enhancing data integrity and security – by building on existing information security management systems and certifications, including ISO 27001, and information governance at a corporate level, to prevent the risk of a data breach
- ensuring a robust compliance regime including:
  - ensuring policies and procedures are up to date and are GDPR compliant
  - appointment and training of Data Protection Officers across Government
  - ensuring procedures are in place so that Departments, Boards and Offices can both respond to requests for access to data, rectification or deletion of data, and service such requests within the statutory deadline
  - auditing contractual obligations to ensure that any personal data dealt with is appropriately protected, and where appropriate ensuring that adequate contractual arrangements, including data processing or data sharing agreements, are in place
- providing services and support across the Isle of Man Government to help Departments, Boards and Offices develop compliance plans and build a robust platform for compliance in the future, including awareness training for all staff, briefings, staff training, workshops and seminars
Compliance is a shared responsibility and all Departments, Boards and Offices of Government will need to adapt business processes and data management practices to ensure compliance with GDPR.