What is GDPR?
Dubbed “the most important change in data privacy regulation in 20 years”, the General Data Protection Regulation (GDPR) aims to protect all EU citizens from privacy and data breaches.
After four years of debate, GDPR was finally approved by the EU Parliament in April 2016 – with enforcement beginning in May 2018.
It all sounds like revolutionary stuff. But the truth is that much of the new legislation simply writes existing common-sense data security ideas into law.
Still, there is one important change that should be making Manx businesses pay attention.
GDPR and Isle of Man Businesses
The major change is the introduction of what’s called Increased Territorial Scope (Extra-Territorial Applicability).
Increased Territorial Scope ensures that GDPR applies to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location.
As such, GDPR – and the new duties and fines it brings with it – will apply to any company offering goods or services to, or monitoring the behaviour of, EU citizens.
So, although the Isle of Man holds neither membership nor associate membership of the European Union, and lies outside of the European Economic Area, GDPR will still apply to any Manx business selling to EU customers – which currently includes UK citizens.
With many Manx companies trading with EU citizens – and many more dealing with UK citizens – GDPR will apply to pretty much every Manx business.
The Brexit Question
“Ah, but what about Brexit – will that get me out of complying with GDPR?”
In short, probably not.
The earliest the UK can leave the EU is March 2019. Since GDPR will be enforced in May 2018, there will be at least one year when all Manx businesses will be subject to the new rules.
And, even with Britain out of the EU, due to Increased Territorial Scope, Manx businesses trading with EU citizens will still need to be compliant.
However, when an Isle of Man business’s activities are limited to the Isle of Man or the UK, the post-Brexit position becomes much murkier.
What we do know is that the UK government has indicated that it will implement an equivalent or alternative data protection legal mechanism after Brexit. Though the details of this legislation won’t be known for a while yet, it’s likely that, given the UK government and ICO’s previous support of GDPR, whatever comes will look very similar to it.
The Penalties for Non-Compliance
GDPR demonstrates how seriously the EU is taking data security. As of May 2018, organisations in breach of the legislation will be fined up to four percent of global turnover or €20 million (whichever is greater).
Though this is the maximum fine, and will only be issued in cases involving serious security lapses, GDPR also establishes a tiered fining system. For example, a company may be fined up to two percent of global turnover for failing to have their records in order, not notifying the supervising authority about a data breach or not conducting impact assessments (article 28).
With hefty fines like these, it’s much better to ensure compliance now.
- New EU data protection legislation, called “GDPR”, will be enforced in May 2018.
- The legislation’s Increased Territorial Scope means that any Manx company selling to, or monitoring the activities of, EU citizens will need to be GDPR compliant.
- All Manx companies will be subject to GDPR until at least March 2019 (the earliest date the UK can leave the EU).
- Post-Brexit, Isle of Man companies dealing with EU citizens will still be subject to GDPR.
- Post-Brexit, Isle of Man companies whose operations are restricted to the Isle of Man or UK will likely be subject to legislation very similar to GDPR.
- Non-compliant companies will be fined up to 4% of global turnover or €20 million.
Are you worried about GDPR and what it means for your business? Wi-Manx is ISO 27001 certified and is well-placed to help you become GDPR compliant. Get in touch to find out about our data, governance and security solutions.