GDPR takes full effect

Published On:Friday, May 25, 2018


The General Data Protection Regulation (GDPR) takes full effect throughout the European Economic Area today, 25th May 2018, marking the end of a 10 year journey since modernisation of the EU Data Protection Directive 95/46/EC was first mooted and over 5 years since the first draft of the Commission’s proposal was published in January 2012.

Today also marks a new beginning.

The GDPR establishes modern, comprehensive legislation designed to protect personal data in an era of ubiquitous computing, sophisticated surveillance technologies, social media and big data.  Organisations now have the incentive and the opportunity to put their customers and staff at the centre of their processing.  Being fair, clear and accountable to both customers and employees is common sense and builds trust.

For Isle of Man based businesses that provide goods or services to EU residents, the GDPR applies from today.  For most businesses this means goods or services provided to UK residents and therefore compliance with the UK’s data protection legislation.

The UK’s Data Protection Act 2018 received Royal Assent on 23 May 2018 and also entered into force today.  In welcoming the new legislation, Elizabeth Denham, UK Information Commissioner commented:

“Our personal data is a version of each of us – what we’ve done, what we’ve read, where we’ve been and who is in our network. It is our health status, our financial decisions, our political beliefs and affiliations. Our desire to book a flight, update our browser, or sign up for a service should not be governed merely by terms and conditions set by an organisation.  Life is too short to decipher fine print… The new laws provide tools and strengthened rights to allow people to take back control of their personal data.”

In the Isle of Man, the Data Protection Act 2018 received Royal Assent on 15 May 2018. Two Orders, the Data Protection (Implementation of GDPR) Order 2018 (SD2018/0143) and the Data Protection (Implementation of LED) Order 2018 (SD2018/0144), were approved by Tynwald on 16 May 2018. The Island's new data protection law will take effect once the Implementing Regulations have been approved by Tynwald.

The full implementation of the GDPR is is not the only significant development that has occurred this week.  On Friday 18th May 2018, Council of Europe’s Committee of Ministers finally adopted Protocol CETS No. 223 which amends Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, the original data protection instrument dating from January 1981. The modernised Convention 108 can be described as a high level GDPR.

Both the GDPR and the new Convention 108 Protocol owe their origins to the 2009 Madrid Resolution on “International Standards on the Protection of Personal Data and Privacy” which was adopted by the International Conference of Data Protection and Privacy Commissioners with support from organisations such as the US Federal Trade Commission, OECD and the boards of directors of ten of the world’s largest companies.