Data protection, Brexit and the Isle of Man
In May 2018 the European Union General Data Protection Regulation will come into force.
There are significant changes that will take place in May 2018 when the European Union (EU) General Data Protection Regulation (GDPR) comes into force. As the new regime will be effected by way of regulation (rather than directive) it will have direct effect in each EU member state without the need for domestic legislation. As the GDPR will come into force in May 2018, it will be in effect before the United Kingdom (UK) leaves the EU. The GDPR is an EU regulation and whilst the UK is a member of the EU, the GDPR will automatically come into force in the UK. The UK’s departure from the EU will not happen until two years after notice to leave under the now infamous “Article 50” has been given by the UK Government to the European Council.
As a result, the GDPR is set to come into force automatically in the UK on 25 May 2018, possibly almost 10 months before the UK is expected to leave the EU. So businesses and organisations in the UK should still prepare for the introduction of the GDPR, regardless of when Article 50 notice is given and expires. The UK’s Information Commissioner is planning for the GDPR’s introduction on time and will expect those in the UK subject to the GDPR to comply with its terms notwithstanding the outcome of the referendum.
Although the Isle of Man is not part of the EU, it has adopted legislation that is modelled on current EU data protection legislation to allow the Isle of Man to obtain a so-called “adequacy finding.” An adequacy finding means that the European Commission has deemed that the Island's law ensures an adequate level of protection for personal data and this aids the transfer of personal data in and out of the Island to the European Economic Area.