January 1, 2025 marked the full enforcement date for Bermuda’s Personal Information Protection Act (PIPA). The legislation, which establishes a robust framework for data privacy in Bermuda, will impact firms that operate or are headquartered in Bermuda, but may also affect firms tangentially associated with the country.
Bermuda has a unique position in the global stage, with Members of the Association of Bermuda Insurers and Reinsurers making up approximately 36% of the global insurance and reinsurance market. In the U.S. alone, Bermuda insurers and reinsurers support over 25% of the medical liability insurance and reinsurance market.
This position could make PIPA one of the most impactful pieces of data privacy legislation within the global insurance and reinsurance market and makes it likely that significant ripples will be felt in the global financial services market by association. It is important that firms understand why and how the newly enforced legislation may affect them, what is different about Bermuda’s approach to privacy, and how to ensure compliance.
Why your firm may be affected by PIPA
PIPA is applicable to any organization that uses personal data in Bermuda, with ‘organization’ being defined as any individual, entity, or public authority with no limitations on organization size or industry sectors. Organizations not headquartered in Bermuda may still be considered as operating in Bermuda based on their data processing activities.
Firms that partner with organizations in Bermuda, or that have clients based in the country and consistently share data should be cognizant of the requirements associated with these relationships. Organizations in Bermuda will be held responsible for ensuring that overseas third-parties offer levels of data protection equivalent to PIPA, so firms with existing partnerships in the country should actively communicate with their partners and clients to determine how these partnerships may be affected.
Understanding PIPA
In a series of blogs entitled “The Mid-Atlantic Privacy Compass”, the office of the privacy commissioner (PrivCom) outlined a unique approach to privacy regulation that is meant to strike a balance between the business-forward approach espoused by the United States and the privacy-forward approach pursued by European regulators. The intention is to make privacy regulation a more collaborative pursuit, focused on win-win scenarios that would allow business interests to flourish without compromising data protection or ethics.
PIPA attempts to ensure the safety of data, from collection to disposal, through a framework that utilizes 12 key principles aligned to international Fair Information Practices (FIPs) and other major international regulations, such as GDPR. The act does not set a prescriptive model as its intention is to guide organizations’ approaches to using personal information without defining “hard and fast rules.”
Five of these principles, namely responsibility and compliance, fairness, proportionality, integrity of personal information, and security safeguards, represent the minimum requirements for PIPA compliance, and apply even to organizations that qualify for exemptions under the Act.
| Principle | Overview |
|---|---|
| Responsibility and compliance | Establishes the requirement for privacy policies and procedures, and a privacy official to serve as the main point of contact with the Bermuda Privacy Commissioner (PrivCom). |
| Conditions for using personal information | Establishes required conditions for use of personal data, including provisions on consent and when consent may not be required for data collection and processing. |
| Sensitive personal information | Establishes additional requirements for use of “sensitive” personal information as defined by the act, including instances where “lawful authority” may authorize its use and/or disclosure, such as by court order or order of the PrivCom. |
| Fairness | Establishes the requirement for compliance with PIPA and other laws and specifies that personal information must not be used to the detriment of an individual. |
| Privacy notices | Specifies requirements for privacy notices under PIPA and defines when privacy notices would not be required. |
| Purpose limitation | Establishes further conditions for the use of personal data, including documentation of purposes and acceptable exceptions. |
| Proportionality | Establishes requirements for data minimization, namely that companies only collect and process enough data to meet a documented purpose. |
| Integrity of personal information | Defines expectations of the protection of personal data and its integrity. Companies must protect personal information against unauthorized modification, deletion, and access. |
| Security safeguards | Determines that organizations should institute safeguards proportional to the risk personal information they collect or process may be exposed to. |
| Breach of security | Establishes required actions to be taken in the event of a breach, including notification requirements to PrivCom. |
| Transfer of personal information to an overseas third party | Specifies Bermuda companies are responsible for maintaining oversight of overseas third parties to ensure data protection equivalent to PIPA requirements. |
| Personal information about children in the information society | Establishes additional requirements for the use of data related to children under the age of 14. |
Non-compliance with PIPA risks significant penalties, with convictions for non-compliance making companies liable to fines of up to BMD $250,000. However, PrivCom has demonstrated they will work directly with organizations to review novel approaches to privacy. Organizations may be credited for trying to do the right thing as they work with PrivCom to ensure their data privacy protocols are in line with PIPA’s requirements.
PIPA compliance
PIPA’s use of principles aligned with other international standards was intended to ensure that, should companies already have an established privacy program, they could apply aspects of their program towards PIPA compliance. The lengthy timeline between PIPA first being made into law and coming to full force was meant to give companies the opportunity to adapt their programs for PIPA compliance.
PrivCom also launched the “Road to PIPA 2024” campaign to help organizations comply with PIPA requirements, consistently sharing guidance such as quarterly checklists to help firms meet privacy program expectations under PIPA. Some of the key elements include:
| Element | Guidance |
|---|---|
| Organizational commitment | Designate a Privacy Officer and set a timetable for progress reports. |
| Groundwork | Meet with each member of your privacy committee to create a plan for your privacy program. |
| Inventory | Create a map to track collection, storage, and dissemination of personal information. |
| Risk assessment | Work with your privacy committee to identify controls to mitigate risks, and set realistic timelines for implementation of these controls. |
| Policy & procedure | Create a general policy regarding commitment to privacy compliance and expectations that staff act in accordance to PIPA. |
| Training | Develop role-based training for each business unit/process to instruct staff members that use personal information directly on how to follow privacy policies and procedures. |
| Outsourcing and service providers | Identify the countries where information is being transferred or stored and document whether and how the contractual provisions create a reasonable belief that the protection overseas is comparable to PIPA requirements. |
| Incident response | Prepare an incident response plan with your leadership team and other stakeholders, such as the Privacy Committee, that includes step by step instructions for managing a data breach (i.e. who can make public statements, how is harm analyzed, and what documentation is required). |
| PIPA Rights Requests | Create a workflow for how PIPA Rights Requests are received and how access to information is granted – take into account compliance with statutory timelines and the need for documentation. |
| External communications | Privacy Officers should set reminders to re-evaluate the privacy program annually and advise stakeholders of any changes. |
In addition to the quarterly checklists and other guidance published by the office, PrivCom also established the Pink Sandbox: a sandbox for “Privacy Innovation and Knowledge Sharing”. The Pink Sandbox serves as a formal mechanism to allow the office to engage with organizations early, encouraging a privacy by design approach that anticipates issues and allows companies to develop how they engage with privacy under guidance of the PrivCom. This engagement process would also allow organizations to contribute to the development of the office’s approach to regulating novel issues.
Our guidance
Firms should consider the following steps to ensure compliance:
- Review their data processing operations to determine if they fall under the scope or PIPA.
- Assess privacy programs to determine what gaps would need to be addressed.
- Determine whether existing third-party providers fall under the scope of PIPA and establish a process to confirm they are compliant with PIPA requirements.
How we help
ACA Aponix® can help your firm develop, implement, and maintain a privacy program to meet regulatory requirements and industry best practices.
For questions, or to find out how we can help you meet industry best practices, contact our privacy experts here.