Bermuda Businesses: Are You Ready to Comply with Our New Privacy Rules?

Published: 27 Feb 2023
Type: Insight

There have been recent indications from the Bermuda Government that Bermuda’s Personal Information Protection Act 2016 (“PIPA”) may come into full force this year.

Since PIPA was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been developing the Office of the Privacy Commissioner, organising administrative resources, and educating the public and businesses who collect and use personal information of their respective rights and obligations under PIPA. That is a good thing, because there is a lot for businesses to address.

In many ways, PIPA is one of Bermuda’s few consumer rights laws and it is one that imposes onerous operational and administrative obligations that will be overseen by the experienced regulatory office of the Privacy Commissioner, Alexander White.

Given the recent indications that PIPA may be brought into full force this year, even if only on a sector by sector basis and perhaps with a compliance grace period, the questions for all businesses that collect and use personal information include:

  • Are you administratively ready to fully comply with PIPA?
  • How will you secure the consent necessary to collect and use personal information?
  • How will you manage communications with individuals who want to see a copy of all personal information that you have about them?
  • How will you manage their requests for corrections to, or deletions of, their personal information?
  • To what extent must you revise your outsourcing, IT service contracts, and data processing service agreements?
  • Are you organised to comply with an individual’s direction for you to stop using their personal information?

As a result of the many rights that PIPA bestows on individuals, organisations must ensure that all of their business processes, customer relations programmes, data management systems and administrative processes are compliant with the practices, protections, and use restrictions that PIPA will soon impose on them.

Just as other organisations who are subject to similar privacy laws around the world have done, Bermuda organisations will have to review all of their current business processes and assess to what extent must they now be revised to ensure PIPA-compliant practices.

It is the common failure of businesses across all privacy jurisdictions when privacy laws are first introduced to appreciate the profound nature of how PIPA will impact many of their internal business operations. For example, in addition to the questions posed above, are your business’ IT systems adequately secure from unauthorized access or cyber incident interference?

That is an important question because PIPA requires all businesses who use personal information (whether related to their personnel or otherwise in the course of their business) to ensure that they have “appropriate safeguards” (technological and otherwise) against: loss; unauthorized access, destruction, use, modification or disclosure; and, any other misuse of personal information. In order to determine what an “appropriate safeguard” is, PIPA prescribes that the quality and degree of safeguards that businesses must have in place to meet that standard must be proportional to the following factors and considerations: what is the likelihood and severity of the harm that could be threatened by the loss, access or misuse of the personal information; the sensitivity of the personal information been collected, stored and used by the business; the context in which it is held.

As for the sensitivity of the personal information, PIPA creates a unique category of especially sensitive information called “sensitive personal information” that includes personal information related to (among other attributes) race, ethnic origin, sexual orientation, and physical or mental health or disability. However, the sensitivity of many other categories of information must be taken into account for that “adequacy” determination, such as if the information is about financial matters, health insurance claims, the use of Employee Assistance programs, family relationships, and involvement in litigation or criminal matters (among other topics) can also constitute highly sensitive information that has the potential to cause harm if wrongfully used or disclosed.

As for the context in which the personal information is used, that criteria has many possible interpretations. However, it can be generally assumed, at this stage of pre-implementation, that a business that collects and uses (even commercially exploits) personal information as a part of their commercial operations (i.e., for profit), will likely have a higher standard of security care under PIPA than does a not-for-profit organization that collects and uses personal information for the sole benefit of the individuals who have provided that personal information to that organization.

As well, based on PIPA’s proportionality principle, it may be said that the more extensive the nature and scope of personal information collection and use is by a business, and the more sensitive the personal information is, and the greater the vulnerability of individuals will be if that personal information is misused, the more thorough the business’ adopted compliance “measures and policies” must be for them to be “suitable”, as expressly required by PIPA.

Mr. White describes PIPA’s proportional requirement of “suitability” in these terms: “What exactly may be ‘suitable’ for an organisation’s privacy programme under Section 5 (1) will naturally vary by the organisation, the uses of personal information and the specific context. Our office’s guidance, “What is a privacy programme?”, provides some examples of the types of measures and policies that may be suitable for an organisation to adopt, but the exact nature will differ from programme to programme.”

Whether as requirements for “appropriate safeguards” to protect personal information, or when ensuring that a business’ compliance measures are “suitable”, businesses who outsource any part of their operation that uses personal information to either a commercial service provider or an affiliate, all of the business’ PIPA duties and obligations under PIPA remain with that business and cannot be delegated. Therefore, businesses must ensure that they flow down all of those duties and requirements to their service providers in all outsourcing agreements. Even recently executed outsourcing agreements will have to be reviewed and re-assessed to ensure they are brought up to date with PIPA’s many compliance requirements.

The full breadth of the restrictions, duties and obligations that PIPA will soon impose on businesses to protect individual privacy rights will be daunting to many businesses. It is in that context that organisations must now administratively address how they will comply with PIPA.

First Published In The Bermuda Chamber of Commerce Newsletter (Chamber Insider), February 2023

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.