On Wednesday 19th October, Quinn Legal sponsored an important Brexit, Data Protection and the Isle of Man lecture. Hosted by the Institute of Chartered Secretaries and Administrators, the topic was delivered by two of the firm’s advocates, Steven Coren (Isle of Man civil litigation) and Peter Cannell (Isle of Man corporate and commercial law).
The lecture highlighted what the future may hold in light of Brexit, the Isle of Man’s current data protection position and a discussion of how the proposed General Data Protection Regulation will likely affect local businesses.
Steven and Peter’s discussion was well received by local residents:
Just a quick note to say – ‘great job’ – on your talk last night – very informative and much appreciated.
Thanks again to you and Peter for an excellent talk last night which was well received.
Thank you for the lecture last night which I enjoyed and found very informative.
To follow from last week’s lecture, we’ll consider Brexit, data protection, and their impacts on the Isle of Man in this blog post.
What is the Isle of Man’s constitutional status?
A self-governing Crown Dependency, the Isle of Man is neither part of the United Kingdom, nor an EU member state. The Island has its own legislature, executive and judiciary.
The traditional view, as set out in the Kilbrandon Report of 1973 (see also Crown Dependencies: developments since 2010), was that the Crown was responsible in international law for the Isle of Man’s international relations and defence. The Island retained domestic legislative competence, but the Crown remained ultimately responsible for the Isle of Man’s ‘good government’. The scope of the UK’s ability to legislate for the Isle of Man has remained open to some debate. In recent years, the UK and the Isle of Man have also agreed a framework to develop the Island’s international identity.
How might Brexit affect the Island’s relationships with the UK and the EU?
In the June 2016 referendum, the UK voted (by 51.9% to 48.1%) to leave the EU. The UK Prime Minister recently indicated that the UK will start the process of ‘Brexit’, by triggering Article 50 of the Lisbon Treaty, by the end of March 2017. Whether this may occur without the consent of the UK Parliament is awaiting a decision, at the time of writing this blog post, from the High Court in London.
The process of Brexit will involve a re-appraisal of the Isle of Man’s relationship with both the UK and the EU, and is likely to raise a host of constitutional law issues with real, practical implications for individuals and businesses on the Isle of Man. This is not least because the primary basis for the Island’s current relationship with the EU – Protocol 3 of the Act of Accession 1972 – will itself come to an end when the UK leaves the EU.
The Isle of Man European Union Advisory Group, reporting to the Council of Ministers, is currently considering where and how EU law impacts on the Isle of Man, in order to prepare for the process of withdrawing from the Island’s Protocol 3 relationship with the EU. The Advisory Group is also considering what new relationship the Isle of Man might have with the EU. The wide range of EU law currently applied, or applicable, in the Isle of Man makes this a potentially daunting task.
In the meantime, a post-referendum exchange of correspondence between the Chief Ministers of the three Crown Dependencies and the UK Prime Minister elicited the indication, from the UK Prime Minister, that the Crown Dependencies will be: ‘kept informed and offered the opportunity to contribute where it is relevant and appropriate to do so’. Further in the correspondence the UK Prime Minister commented that the result of the referendum in June 2016: ‘does not change the constitutional relationship between the [UK] and the Crown Dependencies’.
As to whether this proves correct, time will tell.
What data protection legislation is currently in place on the Island?
Data protection legislation has been active on the Isle of Man since 1986 and is in place to safeguard how personal data is processed by organisations. All organisations, whether public, private or non-profit are subject to the legislation and have to adhere to its principles.
Currently, local organisations adhere to the Data Protection Act 2002. As set out by the Information Commissioner (IC), the 8 principles include:
- ‘Fair and lawful processing’
- ‘Purpose for which data are obtained and processed’
- ‘Adequacy and relevancy of data’
- ‘Accuracy of data’
- ‘Time for keeping data’
- ‘Rights of data subjects’
- ‘Measures against misuse and loss of data’
- ‘Transfer of data abroad’
More specific detail on the 8 principles can be found on the IC’s website.
All businesses store data about their customers, from demographic details (e.g. name, age, address and email) to more personal details (e.g. financial information). If you determine how data is handled at your company, it’s important to understand that you’re deemed to be a Data Controller. Under the Data Protection Act 2002, anyone involved in controlling how personal data is used must respect the rights of those involved. For example, people are within their rights to make a subject access request to an organisation and ask to have copies of all the information that is held on file about them.
What is the GDPR and how might it impact your business?
The General Data Protection Regulation (GDPR) is new legislation being introduced on the Isle of Man. Some features of this regulation have been in force since May 2016, and it will bring further requirements for EU-related data that is processed on the island and, vice versa, for information held by EU businesses that relates to island residents.
The GDPR is scheduled for implementation by May 2018, and local businesses will have to comply fully with it to ensure that data is processed fairly.
Some businesses will have to work on compliance and make the following areas a strict focus for improvement (where necessary):
- Policies and procedures
- Record keeping (e.g. evidence of compliance with the 6 new principles)
- Security arrangements
- Name and contact details of an appointed Data Protection Officer
Following introduction of the GDPR, in cases where organisations are found not to be compliant, there may be fines of up to €20,000,000 (for infringement of the Principles, Rights and Transfers) or €10,000,000 (for infringement of accountability or data security requirements) (see Article 83 – General conditions for imposing administrative fines).
Supervision and enforcement of the GDPR will fall under the role of the Information Commissioner and the most relevant EU Data Protection Authority.
How can Quinn Legal help?
Our advocates are always up-to-date with political changes on the island and are following the progress of Brexit and the GDPR closely. We have teams working across civil litigation and corporate and commercial who are ready to assist you.
In respect of Brexit, our civil litigation team can advise on the constitutional law implications of Brexit, including the Isle of Man’s current and potentially new relationships with the UK and EU.
In respect of the GDPR, our corporate and commercial team can help your business to:
- Know and understand the data you handle
- Conduct risk assessments
- Check and update policies and procedures, including collection and consent, security, handling of Subject Access Requests and data destruction
- Test compliance, including board buy-in and training
- Appoint a Data Protection Officer (where required)
- Provide training for Data Protection Officers and staff
- Conduct a fixed-fee audit, including policies, procedures and data held
If you or your business would like further information on any of the areas above, or you have a different query relating to these topics, please get in touch with Steven Coren (on Brexit) or Peter Cannell (on data protection Isle of Man) by calling 665522 or emailing email@example.com or firstname.lastname@example.org
We also offer a free enquiry service on our website.