The Isle of Man’s data protection legislation now consists of the following, plus further regulations concerning fees:
Data Protection Act 2018 (Act)
Data Protection (Application of GDPR) Order 2018 (SD2018/0143) (GDPR Order)
Data Protection (Application of LED) Order 2018 (SD2018/0144) (LED Order)
GDPR and LED Implementing Regulations 2018 (SD2018/0145) (Implementing Regulations)
The Act, the GDPR Order and the LED Order were approved by Tynwald (the Isle of Man’s parliament) in May 2018. However, because of a number of material comments received regarding the Implementing Regulations, these were not put before the May sitting of Tynwald and were instead subject to further revision.
When laid before the June sitting of Tynwald, the Implementing Regulations were rejected by the upper house following considered criticism from Member of the House of Keys Lawrie Hooper, stating that ‘they are onerous, they are bureaucratic, they are expensive and they are inadequate’ and calling them ‘obtuse’, ‘difficult to follow’ and ‘unnecessarily complex and bureaucratic’.
The government were able to pass the Implementing Regulations in the July sitting of Tynwald, with an implementation date of 1 August so all of the above Orders and Regulations are now in force. However this should not be seen as the end of the story of the Isle of Man’s implementation of GDPR, instead changes to the Implementing Regulations are expected to be laid before Tynwald this Autumn to address additional concerns. We also understand that a Bill to replace the Information Commissioner with a statutory board is anticipated in early 2019. The responsible Minister has also repeatedly indicated that this legislation is an interim way of implementing GDPR in the Isle of Man and may well be overhauled again in the not-too-distant future with new primary legislation.
The Data Protection Act 2002 was repealed on 1 August, although provisions relating to maintaining a notification of processing with the Information Commissioner remain in force for a transitional period until 1 February 2019. During this period renewals can be made under either the old or the new legislation, but new entries must be under the new legislation.
There are further transitional provisions, giving until 25 May 2019 to provide the transparency information required under GDPR (as applied to the Isle of Man by the GDPR Order) to data subjects and allowing consent given in compliance with the Data Protection Act 2002 to be used as the lawful ground for processing personal data until 25 May 2019, even if it does not comply with the requirements of GDPR (as applied to the Isle of Man by the GDPR Order). These transitional provisions will not apply where GDPR itself applies (for example where the data subject is in the European Union).
We are pleased to note that exemptions with regard to trusts have been included in the Implementing Regulations and there are now exemptions, in certain circumstances, from the requirement to provide notice to a data subject that you are processing their data and from the rights of a data subject to make a subject access request. Unfortunately similar exemptions have not been included for beneficiaries of life policies, so we hope this will be picked up in the further revisions to the Implementing Regulations.