Why are Island businesses affected?
The GDPR is intentionally designed to apply to personal data of individuals living in the EU so that they are “not deprived of the protection to which they are entitled” just because a controller or processor is established outside the EU.
It applies directly to businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals living in the EU or process personal data either with or on behalf of EU businesses. Many Island businesses are, therefore, immediately affected.
Other Island businesses, including government, that do not provide goods or services to EU residents, but require access to, or the sharing of, personal data processed in the EU/UK, will also be impacted by the GDPR.
Island businesses need to consider the impact of the GDPR on their business and take steps to ensure compliance.
What about the existing Data Protection Act?
The Act will continue in force until such time as it is revised, replaced or repealed.
Therefore, until equivalent legislation to the GDPR is implemented in the Island:
- All Island controllers must continue to comply with the current Act.
- Island controllers subject to the GDPR will need to comply with two separate regimes and regulation by two supervisory bodies.
- Island residents will continue to have the same rights and protection for their personal data in the Isle of Man under the Data Protection Act.
- Island residents will have stronger rights and better protection for their personal data if it processed outside the Island by an EU controller or an EU processor engaged by an IOM controller.