Covid-19 Coronavirus

Cabinet Office announces approach to implementing the EU GDPR

Monday, 22 January 2018

The Isle of Man Government has today provided further detail on its approach to ensuring full compatibility with the European Union’s General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

GDPR aims to bring data protection legislation into line with new, previously unforeseen ways personal data is now used and shared. The measures are designed to give people greater control over how their personal data is used and provide EU businesses with a consistent legal environment in which to operate.

Government is reviewing and revising the Island’s Data Protection law to ensure full compliance with GDPR, in line with a policy statement contained within the Programme for Government, as well as the EU’s Law Enforcement Directive (LED), which contains similar provisions for organisations processing data for the purposes of crime prevention, investigation and law enforcement.

The Isle of Man is not a member of the EU, but has a limited relationship through Protocol 3 to the UK’s Act of Accession. The UK will remain a Member State until it leaves on 29 March 2019.

Under EU law, for Member States to legally transfer data to a country which is outside the EU, such as the Isle of Man, that country must have data protection legislation that is sufficiently similar to the EU law in order to be granted what is known as an ‘adequacy decision’ by the EU.

It is therefore essential for the Isle of Man to take into account the new and enhanced rights, fines and penalties within GDPR by enacting its own equivalent legislation.

Policy and Reform Minister Chris Thomas MHK said:

‘Updating the Island’s laws in line with the EU will benefit ourselves as residents, in terms of greater rights and control, and also allow businesses to continue to transfer personal data to and from the EU without any hindrance or additional cost.

‘The proposed changes are also designed to create more robust enforcement standards and we encourage people to provide feedback via the consultations hub.’

In summary, the revised Manx Data Protection law will:

  • Require organisations to simplify the withdrawal of consent for the use of personal data
  • Enable individuals to request their personal data held by companies to be erased or rectified
  • Enable parents and guardians to give consent for their child’s data to be used
  • Enable processing of sensitive personal data but will require ‘explicit’ consent to enable this processing
  • Include IP addresses, internet cookies and DNA in the definition of ‘personal data’
  • Mean that personal data held by companies will be more readily available for disclosure upon request by the individual concerned

The consultation document outlines how Government intends to do this within the necessary time frame – by 6 May 2018 for LED and by 24 May 2018 for GDPR – and is directed in particular to private sector businesses, public sector organisations and charities which process or are likely to process personal data.

The Council of Ministers will publish a copy of the short Bill which will allow the provisions in the GDPR to be applied directly into Manx domestic legislation.  It will also be consulting on the Orders by which the GDPR and LED will be applied to Manx legislation and the enabling Regulations.

A fully-subscribed conference aimed at preparing Manx businesses and organisations ahead of the introduction of GDPR will take place on Wednesday (24 January) at the Palace Hotel in Douglas. The event will feature a range of speakers including Information Commissioner Iain McDonald and Policy and Reform Minister Chris Thomas MHK.

The consultation is published on

A summary of responses will be published after the consultation has closed.

Issued By

Back to top