The concept of consent existed under the DPA 2002 but GDPR introduced more stringent rules for consent to be valid.  The Implementing Regulations allowed controllers to continue to rely on consents which were valid under the DPA 2002 for a transitional period.  Now that the transitional period has come to an end, controllers may only rely on consent which complies with the GDPR, in summary:

  • Consent must be active and there must be tangible evidence of consent.
  • Delivery of services should not be contingent on consent.
  • Consent should be clear and separate, rather than hidden away in terms and conditions.
  • It should be easy for the data subject to withdraw consent.
  • To be valid consent has to be freely given.  This can be difficult where there is an imbalance in the relationship between the parties such as in an employer and employee scenario.

Consent is only one of the possible grounds for lawful processing of personal data.  We have seen businesses move away from seeking consent and instead considering the other conditions for lawful processing which may apply, such as being under a legal obligation to process that data, the performance of a contract to which the data subject is a party or pursuing the legitimate interests of the controller or a third party.

Transparency and Data Privacy Notices

Transparency is a key theme under GDPR.  Data controllers must provide individuals with all the information necessary to understand what will happen to their personal data, how it will be protected, how long it will be kept, where it may be transferred to, and know what rights they have in relation to that data.  This information must be provided in a concise, transparent, intelligible and easily accessible form in clear, plain language.  Under GDPR, there is a positive obligation to provide this information at the time it is collected, rather than just making it available upon request.

Data controllers may also receive personal data from third parties, such as details of directors, shareholders or employees of a corporate client.  In these circumstances controllers must provide information to the individual concerned within a reasonable period of having obtained the data but within no longer than a month.  There are some exceptions to this requirement where the data subject has that information already, or it is impossible to give them the information or it would involve a disproportionate effort to do so, or where it would make it impossible or seriously impair the objective of the processing.

Future Developments

There are further changes on the horizon, with the proposed establishment of an independent Information Commission which will replace the current Information Commissioner’s Office.  Additionally, the conditions and exemptions set out in the Implementing Regulations are likely to be simplified and a new fee scale for maintaining an entry on the register of controllers and processors introduced.  The Unsolicited Communication Regulations 2005 will also be updated to ensure that the Information Commission has sufficient enforcement powers to prevent the Isle of Man becoming the “Isle of Spam”.

While GDPR is a year old, data protection and privacy will continue to be an evolving area of law so controllers, processors and data protection officers should continue to keep abreast of developments.

Twitter LinkedIn Email Save as PDF
More Publications
31 Jan 2020 |

Brexit Day has arrived: What does that mean for Jersey, Guernsey and the Isle of Man?

Brexit Day has arrived, and at 11 o’clock this evening the UK’s EU membership will come to an en...

2 Dec 2019 |

The International Comparative Legal Guide to Gambling 2020 – Isle of Man Chapter

Appleby has provided the Isle of Man chapter to the ICLG Gambling 2020. The "International Comparati...

Contributors: Sophie Corkish
2 Dec 2019 |

Reflections on the 16th Annual Isle of Man STEP Conference 2019

Appleby Isle of Man Senior Associate Erin Trimble-Cregeen and Associate Melissa Wong recently attend...

Contributors: Erin Trimble-Cregeen
9 Oct 2019 |

Transparency and the Crown Dependencies

Transparency of beneficial ownership information has been a political issue since June 2013 when Bri...

18 Sep 2019 |

Offshore listing Vehicles to benefit from the Shanghai - London stock connect

Offshore listing Vehicles to benefit from the Shanghai - London stock connect

Contributors: Huiyan Liew
22 Jul 2019 |

Isle of Man Personal Injury Discount Rate Revision

The Lord Chancellor has this week announced the long-awaited revision of the Discount Rate in Englan...

26 Jun 2019 |

Regulatory Headwinds

Faced with increased scrutiny from regulators on both global and jurisdictional levels, businesses m...

Contributors: David Dorgan
24 Jun 2019 |

Reflections on the AIJA – INSOL Europe Joint Insolvency Conference

Claire Corkish attended the AIJA - INSOL Europe Young Members Insolvency Seminar in Mallorca on 13-1...

Contributors: Caren Pegg
19 Jun 2019 |

Beneficial Ownership Update: Crown Dependencies

The Crown Dependencies (Jersey, Guernsey and the Isle of Man) have announced a joint policy commitme...

Contributors: Caren Pegg