Introduction of a new Data Protection Bill (GDPR)

Closed 5 Mar 2018

Opened 23 Jan 2018

Feedback Updated 10 May 2018

We Asked

The Cabinet Office asked for feedback on proposed changes to the Isle of Man’s new data protection framework between 23 January and 5 March 2018. The proposed enabling Data Protection Bill, with secondary legislation comprising draft Orders implementing the GDPR and the LED, and implementing regulations were published with the consultation, along with a number of questions on various areas of fundamental policy.

You Said

The consultation attracted over 50 responses in total, from a number of categories of respondent, including businesses, industry associations, local authorities and individuals, in addition to Government Departments and other associations. The majority of responses supported the specific questions set out, and set out further comments on diverse areas from drafting and typographical issues, areas requiring clarification or further regulation, or specific issues such as modifications and exemptions.

We Did

The Cabinet Office has considered all of the comments and suggestions received. A paper providing full details of the consultation feedback, and the Cabinet Office’s responses has been published on the Isle of Man Government’s Consultation Hub. The enabling Bill completed its passage through the House of Keys and Legislative Council, and as a direct result of the consultation, parts of the draft GDPR and LED Orders, together with significant parts of the Implementing Regulations have been amended. 

The revised Orders and Implementing Regulations as amended are due to be laid before Tynwald at its May sitting. There will be further development of additional secondary legislation and such guidance, codes or otherwise as required to ensure proper implementation of the GDPR and the LED.

Results Updated 9 May 2018

The Cabinet Office received 57 responses to the consultation (32 organisations and 25 individuals responded).

  • 18 gave permission to publish their response in full
  • 26 gave permission to publish anonymously
  • 13 did not give consent to publish on the consultation hub

Clear themes emerging from the consultation responses include:

  • openness and transparency
  • need for guidance and good practice information
  • concerns around divergence from UK position
  • ensuring that sanctions / fines etc. are enforceable

The revised Orders and Implementing Regulations as amended are due to be laid before Tynwald at its May sitting.

GDPR Legislative Update

After the recent consultation and feedback on the Island’s move towards full GDPR compliance, it’s important that you are kept up to date with all the latest developments and the likely legislative timetable.

First of all, we can reaffirm the Island’s firm commitment to GDPR and to ensuring that we give increased protection to people and their personal data. The consultation process and the valuable discussions on the back of that have clearly demonstrated that there is clear agreement on this.

We are hoping that Royal Assent will be received at Tynwald in May for the Data Protection Bill. If this is the case, we are now planning the following approach to introducing GDPR:

  • The Act will be brought into force with an Appointed Day Order in May Tynwald on a supplementary Order paper
  • Tynwald will be asked to approve the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018.  These Orders will apply both the GDPR and the LED into Manx domestic law. However, we are delaying the introduction of the implementing regulations. This means that the Data Protection Act (2002) will not be repealed until the Regulations are approved.  In practice therefore, although the GDPR and LED are applied through the Orders, the practical application of those Orders will not take place until the implementing Regulations are approved and the existing regime will remain in place
  • The implementing Regulations will now be brought to Tynwald in June, along with a further schedule of exemptions, in addition to those already included within Schedule 9 of the implementing Regulations. In particular these include exemptions for Trusts and exemptions relating to the LED.  We will also be excluding very small organisations from some of the requirements of the GDPR

By taking this approach we can ensure that we have a measured, fair and proportionate GDPR framework for the Island. We will also ensure that we give businesses and organisations time to get ready for the new regime.

Once again, we appreciate the thoughtful and measured feedback we received throughout the consultation. As a result we will have legislation which gives protection for our personal data, whilst committing to remaining in step with international standards.

 

 

 

Files:

Published Responses

View submitted responses where consent has been given to publish the response.

Overview

In the Programme for Government, the Council of Ministers committed to ensuring that the Island’s legislative position is equivalent to the EU General Data Protection Regulation (GDPR) by May 2018. 

The Isle of Man Government’s proposed approach is the introduction of a short Data Protection Bill giving specific powers to apply EU data protection instruments as part of Manx law (with any necessary modifications) by Order approved by Tynwald and then implemented with Manx Regulations.

Why We Are Consulting

We seek views from everyone, but it is addressed in particular to organisations from the private, public and third sector which process, or are likely to process personal data. 

The Cabinet Office invites views on the proposed Orders and Regulations.

What Happens Next

The Council of Ministers intends to introduce the draft Bill to the Keys on 6 February 2018 

Areas

  • All Areas

Audiences

  • Anyone from any background

Interests

  • Legislation
  • Technology