GDPR and The Isle of Man

The Isle of Man has agreements with the UK which allow for free trade with the UK and permit the trade of Manx goods without non-EU tariffs. Crucially, the Isle of Man is not in the EU. Think of it as any other non-EU country: the GDPR is not part of Isle of Man law. But the extra-territorial nature of the GDPR means it applies directly to businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals living in the EU, or that process personal data either with or on behalf of EU businesses.

All other Isle of Man businesses, including government, that do not provide goods or services to EU residents, but require access to, or the sharing of, personal data processed in the EU/UK, will also be impacted by the GDPR. Most Isle of Man organisations are therefore required to comply with the GDPR.

Any enforcement and sanctions under the GDPR will be delivered by the most relevant EU Data Protection Authority on a case-by-case basis.

The Isle of Man already has its own Data Protection Act (DPA), which will continue to remain in force. This means organisations are required to comply with both the Isle of Man Data Protection Act and the GDPR. Since the GDPR is more stringent in its requirements than the DPA, complying with the GDPR will cover many of the bases of the DPA.

The European Union grants the Isle of Man adequacy status, meaning that Manx controllers and processors are permitted to process EU personal data (just as those in countries such as Canada, New Zealand and Switzerland can).

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.