The Impact of Bermuda's PIPA on the Global Privacy Landscape

Author: Daniela Melo
Type: Article
Topics: Privacy

January 1, 2025 marked the enforcement date for Bermuda's Personal Information Protection Act (PIPA). The legislation is likely to affect firms that operate or are headquartered in Bermuda, as well as firms with only an indirect connection to the country.

Bermuda's position as a hub for international financial services, notably insurance and reinsurance, makes it likely that the Act's effects will ripple through the global financial services market. Firms should understand why and how the newly enforced legislation may affect them, what is different about Bermuda's approach to privacy, and how to ensure compliance.

Why your firm may be affected by PIPA

PIPA applies to any organization that uses personal information in Bermuda. Organizations not headquartered in Bermuda may still fall within scope if their data processing activities amount to using personal information in Bermuda.

Firms that partner with organizations in Bermuda, or that have clients based in the country and routinely share data with them, should be cognizant of the requirements those relationships carry.

Additionally, the act’s broad definition of an organization encompasses any individual, entity, or public authority, and provides no limitations on organization size or industry sectors.

Understanding PIPA

Bermuda is taking a distinctive approach to privacy regulation, intended to strike a balance between the business-forward approach of the U.S. and the privacy-forward approach of European regulators. The aim is to make privacy regulation a more collaborative pursuit, focused on outcomes that allow business interests to flourish without compromising data protection or ethics.

PIPA seeks to protect personal information through a framework of 12 key principles aligned with international Fair Information Practices (FIPs) and other major regulations such as the GDPR. The principles are intended to guide organizations' use of personal information rather than to lay down "hard and fast rules."

Five of these principles, namely responsibility and compliance, fairness, proportionality, integrity of personal information, and security safeguards, represent the minimum requirements for PIPA compliance, and apply even to organizations that qualify for exemptions under the Act.

The 12 principles, in brief:

Responsibility and compliance: Establishes a requirement for privacy policies, procedures, and a privacy official to serve as the main point of contact with the Bermuda Privacy Commissioner (PrivCom).
Conditions for using personal information: Establishes the required conditions for use of personal information, including provisions on consent and on when consent is not required for collection and processing.
Sensitive personal information: Establishes additional requirements for use of "sensitive" personal information, including instances where "lawful authority" may authorize its use and/or disclosure, such as by court order or order of PrivCom.
Fairness: Establishes the requirement for compliance with PIPA and other laws, and specifies that personal information must not be used to the detriment of an individual.
Privacy notices: Defines the requirements for privacy notices and the conditions under which a privacy notice is not required.
Purpose limitation: Establishes further conditions for the use of personal information, including documentation of purposes and acceptable exceptions.
Proportionality: Establishes requirements for data minimization; organizations collect and process only as much data as is needed to meet a documented purpose.
Integrity of personal information: Defines expectations for protecting personal information and its integrity; organizations protect personal information against unauthorized modification, deletion, and access.
Security safeguards: Requires organizations to institute safeguards proportional to the risk to which personal information may be exposed.
Breach of security: Establishes the actions required in the event of a breach, including notifying PrivCom.
Transfer of personal information to an overseas third party: Specifies organizations' responsibility to maintain oversight of overseas third parties so that data protection equivalent to PIPA's requirements is ensured.
Personal information about children in the information society: Establishes additional requirements for the use of data relating to children under the age of 14.

Non-compliance with PIPA risks significant penalties: on conviction, organizations are liable to fines of up to BMD $250,000. However, PrivCom has demonstrated that it will work directly with organizations to review novel approaches to privacy. Organizations may be credited for trying to do the right thing as they work with PrivCom to bring their data privacy practices in line with PIPA's requirements.

PIPA compliance

PIPA's principles align with other international standards, so that a company with an established privacy program can apply aspects of that program toward PIPA compliance. PrivCom also launched the "Road to PIPA 2024" campaign to help organizations meet PIPA's requirements. Some of its key elements include:

Organizational commitment: Designate a Privacy Officer and set a timetable for progress reports.
Groundwork: Meet with each member of your privacy committee to create a plan for your privacy program.
Inventory: Create a map to track the collection, storage, and dissemination of personal information.
Risk assessment: Work with your privacy committee to identify controls, mitigate risks, and set realistic implementation timelines for those controls.
Policy and procedure: Create a privacy policy and set the expectation that staff act in accordance with PIPA.
Training: Develop role-based training for each business unit or process that instructs staff on how to follow privacy policies and procedures.
Outsourcing and service providers: Identify the countries to which information is transferred or in which it is stored, and document whether and how the contractual provisions create a reasonable belief that the protection overseas is comparable to PIPA's requirements.
Incident response: Prepare an incident response plan with your leadership team and other stakeholders that includes instructions for managing a data breach (e.g. who may make public statements, how harm is analyzed, and what documentation is required).
PIPA rights requests: Create a workflow for PIPA rights requests and for how access to information is granted, taking into account statutory timelines and the need for documentation.
External communications: Privacy officers should set reminders to re-evaluate the privacy program annually and advise stakeholders of any changes.

PrivCom also established the Pink Sandbox to engage with organizations, encouraging a privacy-by-design approach under PrivCom's guidance. The process allows organizations to contribute to the development of the office's approach to regulating novel issues.

Our guidance

Firms should consider the following steps to ensure compliance:

  • Review their data processing operations to determine whether they fall within the scope of PIPA.
  • Assess privacy programs to determine what gaps would need to be addressed.
  • Determine whether existing third-party providers fall under the scope of PIPA and establish a process to confirm they are compliant with PIPA requirements.

How we help

ACA Aponix® can help your firm develop, implement, and maintain a privacy program to meet regulatory requirements and industry best practices.

For questions, or to find out how we can help you meet industry best practices, contact our privacy experts here.
