Data protection laws in the Isle of Man, the UK and Europe are being completely overhauled. The General Data Protection Regulation (or “GDPR” as it is commonly referred to) is enforceable from 25 May 2018. In order to implement these changes and bring the Isle of Man up to the new international standards of data protection, the Isle of Man’s Data Protection Act 2002 is replaced by a combination of the new Data Protection Act 2018, the Data Protection (Application of GDPR) Order 2018 and the GDPR and LED Implementing Regulations 2018. The Order contains the text of the GDPR as it is implemented in the Isle of Man along with the recitals, which assist with the interpretation of the GDPR. The Regulations bring into force additional provisions that are required by the GDPR and provide for the retention of some provisions of the Data Protection Act 2002.
International and local businesses, and certain individuals are required to take the necessary steps to evidence that they have complied with the GDPR. In order to ensure that you and/or your business are compliant, among other things you will have to ensure that you know exactly what data you hold, who it belongs to, why and on what legal basis you hold it, where you have obtained it from, whether you transfer it to others and where you transfer the data. You will also require updated public facing privacy notices, updated terms of business, updated agreements with your data processors and updated internal and external facing policies relating to many aspects of the GDPR (including for example periods for data retention).
Consequences for non-compliance with GDPR, such as fines of up to 4% of annual turnover or EUR 20,000,000, (whichever is higher) are by now well known, but the Isle of Man legislation is likely to limit this maximum fine to GBP 1,000,000. However, an arguably much more significant penalty is also open to regulators: contravention may result in a business or individual being required to cease all processing of personal data. This could have the effect of shutting down your business overnight.
Cains provides practical advice and assistance relating to all aspects of GDPR. If you would like to know more or have any queries, please do not hesitate to contact Adam Clark.