Isle of Man

Summary

Law: Data Protection Act 2018 (the Act), Data Protection (Application of the GDPR) Order 2018 (the GDPR Order), Data Protection (Application of the LED) Order 2018 (the LED Order), the GDPR and LED Implementing Regulations 2018 (the Implementing Regulations), and the GDPR and LED Implementing (Amendment) Regulations 2018 (the Implementing Regulations)

Regulator: Information Commissioner (the Commissioner)

Summary: The Isle of Man implemented the GDPR in 2018 through the Data Protection Act 2018 (the Act), the Data Protection (Application of the GDPR) Order 2018 (the GDPR Order), the Data Protection (Application of the LED) Order 2018 (the LED Order), and the GDPR and LED Implementing (Amendment) Regulations 2018, repealing and replacing the Data Protection Act 2002.

The Act provides that the GDPR and EU Law Enforcement Directive apply in the Isle of Man by order, and such legislation is brought into effect through the Implementing Regulations.

The GDPR Order and the Implementing Regulations have extra-territorial effect in the same way as the GDPR. With regard to penalties, the GDPR differs from the Implementing Regulations in that the latter set the maximum amount of a penalty at £1 million in relation to an infringement of a provision of the Applied GDPR. The Information Commissioner (the Commissioner), established by the GDPR Order and the Implementing Regulations as the supervisory authority, has published guidance on Data Protection Impact Assessments, direct marketing, data protection officers, cookies, and children's data. The relevant legislation for direct marketing is the Unsolicited Communications Regulations 2005, which provide that consent for electronic marketing should be obtained for both B2B and B2C relationships. The European Commission has recognized the Isle of Man as providing adequate protection for personal data.