Introduction of a new Data Protection Bill (GDPR)

Feedback updated 26 Jun 2018

Results updated 26 Jun 2018

The Cabinet Office received 57 responses to the consultation (32 organisations and 25 individuals responded).

• 18 gave permission to publish their response in full
• 26 gave permission to publish anonymously
• 13 did not give consent to publish on the consultation hub

Clear themes emerging from the consultation responses include:

• openness and transparency
• need for guidance and good practice information
• concerns around divergence from UK position
• ensuring that sanctions / fines etc. are enforceable

The revised Orders and Implementing Regulations as amended are due to be laid before Tynwald at its May sitting.

• Data Protection (Application of GDPR) Order 2018
• Data Protection (Application of LED) Order 2018
• GDPR and LED Implementing Regulations 2018

GDPR Legislative Update

After the recent consultation and feedback on the Island’s move towards full GDPR compliance, it’s important that you are kept up to date with all the latest developments and the likely legislative timetable.

First of all, we can reaffirm the Island’s firm commitment to GDPR and to ensuring that we give increased protection to people and their personal data. The consultation process and the valuable discussions on the back of that have clearly demonstrated that there is clear agreement on this.

Royal Assent for the Data Protection Bill was received at the May sitting of Tynwald and the new Data Protection Act 2018 has been in force since 16 May 2018, together with the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018. These Orders apply both the GDPR and the LED into Manx domestic law, but will require to be implemented by Manx regulations. The GDPR and LED Implementing Regulations 2018 are due to be laid before Tynwald again in July, so although the approach remains unaltered, there is a slight delay to the implementation of these regulations.  Subject to approval, the GDPR and LED Implementing Regulations 2018 are to come into force on 1 August 2018.

In the interim period, controllers will remain subject to the provisions of the Data Protection Act 2002, including the requirement to register and renew that registration with the Information Commissioner.  That Act will only be repealed when the GDPR and LED Implementing Regulations 2018 come into force, and in the meantime data subjects can continue to exercise their rights under the current Act. The GDPR is automatically law in Member States and as such controllers and processors that deal with EU citizens and process their personal data wholly or partly by automated means will need to comply with the GDPR.

By taking this approach we can ensure that we have a measured, fair and proportionate GDPR framework for the Island. This will also ensure that we give businesses and organisations time to get ready for the new regulations. We remain committed to development of further regulation to consider trust law and other exemptions, and further regulatory and enforcement matters that develop as we continue on the journey to implement this new regime.  

Once again, we appreciate the thoughtful and measured feedback we received throughout the consultation. As a result we will have legislation which gives protection for our personal data, whilst committing to remaining in step with international standards.

 

Files:

• Consultations response report, 526.0 KB (PDF document)
• GDPR Regulations 2018, 1.5 MB (PDF document)
• GDPR Fees Regulations 2018, 305.1 KB (PDF document)
• GDPR and LED Implementing Regulations 2018 (tracked - PDF), 1.6 MB (PDF document)

Published responses

View submitted responses where consent has been given to publish the response.