Preparing for the new data protection laws
Published On: Wednesday, March 7, 2018
We are receiving increased levels of contact regarding the changes to the data protection law in the Isle of Man. The Commissioner's office, whilst not responsible for the policy or for drafting the new laws, will be responsible for monitoring compliance with, and enforcement of, the laws once enacted.
The Cabinet Office's consultation on the new laws ended on 5 March and the Data Protection Bill 2018, which is the enabling legislation for the Orders and Regulations that were consulted on, was read for a third time in the House of Keys this week.
Minister Thomas stated in Keys that the responses to the consultation will be considered over the next 4 weeks "to make sure that that legislation is fit for purpose, is suitable for the Isle of Man and will work to make us a good place to keep data private from the perspective of individuals and useful from the point of view of businesses" before bringing the Orders and Regulations to Tynwald in the May sitting.
Businesses should be aware that:
- if they process personal data in respect of the offering of goods and services to residents in the European Union, they must be compliant with the GDPR and will be subject to monitoring and enforcement by an EU Member State data protection authority;
- if they process personal data of any other individuals, then they must comply with the Island's law, whether that is the current Data Protection Act 2002 or the new law, as and when it comes into force (in addition to the GDPR if it applies).
However, as the Isle of Man's new law is expected to be substantially similar to the requirements and standards set out in the GDPR, all businesses should be moving towards compliance with the 'GDPR' standards. The new requirements are an evolution of those in the existing law; if you are already complying with the Data Protection Act 2002, and have good data protection practices and policies in place, then you are already on the way to being prepared.
The Commissioner cannot provide bespoke advice on particular scenarios or issues but has published a new guide, "Getting ready for the new data protection laws - A guide for small businesses, charities and voluntary organisations", which is intended to help businesses understand their new obligations and prepare for compliance with the new laws.
This new guide contains links to several resources already available on the website. Working your way through the guide and other resources should help you identify areas where changes, improvements or new practices are required. Although this may take some time and effort, the business is responsible for its compliance and for bringing procedures and processing up to date to meet the new obligations.
We are getting more queries about registration. There will be some form of registration and the draft new laws do refer to registration.
However, until the policy and law are resolved and finalised by Cabinet Office and the Attorney General's Chambers, the Commissioner cannot provide any further clarity to businesses about what the new registration system or procedure will look like or when it will take effect.
Therefore, registration will continue as usual for now, but once we have had sight of the relevant new provisions we will be able to provide more information to businesses about their obligations.