Bermuda’s privacy laws come into effect on 1 January 2025 – Are you ready?

Privacy Law & Data Protection Services

Our specialized privacy law and data protection team assisted with drafting Bermuda’s Personal Information Protection Act, 2016, which is heavily based on Canadian law with some influences from Europe’s GDPR data protection regime. With Canadian trained legal counsel on our team, we have over 20 years of privacy law and regulation compliance with the privacy law regimes that PIPA is primarily based on. Having already assisted many dozens of domestic and international clients, in both the private and public sectors, to comply with PIPA when it comes into full force and effect on 1 January 2025, we can provide your organization with the following privacy law and compliance services and products:

• Assistance with Structuring Your Privacy Compliance Program: We can provide a turn-key analysis of your enterprise’s privacy laws obligations and requirements from start to finish, as well as advise on discrete aspects of your current approach to the privacy compliance program that has already commenced.
• Privacy Compliance Program Audit and Assessments: We can review your existing compliance policies, procedures, forms of notices and consents, operational practices, security protection practices, and proposed governance oversight regime to identify any gaps or shortfalls that may exist, and to recommend any improvements that may be required.
• Privacy Compliance Policy & Practices Staff Education and Training: Whether as training seminars, presentations or instructional sessions, we can provide privacy compliance training for Privacy Officers, general staff, organizational managers and C-Suite executives, as well as for Board of Directors. We will tailor those instructional sessions to address the nuances of your organization that you feel are unique and important for sustainable compliance with PIPA.
• General Counsel Consultation: We provide an ongoing service to provide highly specialized privacy law and compliance advice and guidance to all levels of in-house counsel, including to serve as a resource and compliance sounding-board as well as offering assistance with complex compliance and corporate governance issues as they may arise.
• The Availability and Invocation of PIPA’s Grounds of Compliance Exemption: We offer private and public sector organizations with understanding and implementing the policies, procedures and operational activities to take full advantage of PIPA’s express, but highly qualified, grounds of compliance exemption.
• Privacy Security Standards Requirements: Given the proportional nature of PIPA compliance duties, we can assist your enterprise to determine the quality and nature of privacy security standards and requirements that are specifically demanded of your organization under PIPA. Our cyber-security compliance experience allows us to also assist with consolidating multiple processes for security incident reporting where organizations are so regulated in addition to PIPA.
• Processes for Individual Access and Correction Requests: We can develop the required policies and processes for organizations to comply with their obligations to allow, facilitate and respond to personal information access, use purposes, correction and deletion requests, including all organization responses, permitted refusals, and related compliance undertakings. Given the scrutiny that such privacy rights policies and procedures will receive from the Privacy Commissioner over time, we will design those access regimes to comply with PIPA’s related requirements and stipulations.
• Complaints and Dispute Resolution: Internal processes to handle complaints and to resolve disputes is encouraged under PIPA, and the existence of such practices may influence when the Privacy Commissioner may decide to become involved in such matters. We can design and structure those internal complaints and dispute management processes for the purpose of mitigating, if not avoiding, the escalation of such matters: for consideration, investigation or action by the Privacy Commissioner; or, as a matter of possible civil litigation before a Court of competent jurisdiction; or, as a matter of prosecutorial investigation or action by the Crown.