1. Develop and Adopt Administrative Compliance Measures and Policies

    Many organizations in Bermuda, especially those with international operations, have posted a form of privacy compliance notice on-line that is often titled “Privacy Policy”. Although those notices tend to provide information for consumers about how that organization collects and uses personal information, they don’t satisfy the “measures and policies” requirements of PIPA. As well, those “policies” often drafted to satisfy the data protection laws of many different jurisdictions so they often don’t use PIPA relevant terminology. Also, many of those published notices don’t technically comply with the privacy notice provisions of PIPA. PIPA’s requirement for organizations to adopt “suitable measures and policies” directs organizations to formulate and adopt a broad range of internal administrative measures, practices, operational procedures and policies that describe, with reasonable operational detail, how the organization will, for example: collect any required individual consents; cull their existing ( pre 1 January 2025 ) data bases of all personal information that is not relevant to their business purposes; avoid collecting excessive personal information; avoid collecting personal information that is not reasonably relevant to their business; manage the ongoing accuracy and currency all of the personal information that it has in its possession; expunge personal information that it no longer necessary for its use; how it will manage the requests it will receive from individuals to view, augment, update or even delete their personal information from the organization’s records; as a matter of governance, how it will ensure that its decisions related to PIPA compliance are lawful, fair, and reasonable; and, how they will procedurally manage any complaints or disputes concerning their compliance with PIPA as they arise.

    Those are the types of suitable internal measures and policies that PIPA expressly requires each organization to formulate, adopt and implement. As for the so-called “privacy notices” that many organizations have published, all PIPA requires an organization’s privacy notice to include are the following six things: the fact that personal information is being used; the purposes of its use ( often there is more than one purpose ); the identity ( yes, PIPA stipulates the identity ) and types of individuals and organizations to whom personal information is or might be disclosed ( emphasis added ); your organization’s identity, location and how to contact it about its handling of personal information; the contact information of the privacy officer; and, the choices and means that the organization provides to individuals to limit the use of, and for accessing, rectifying, blocking, erasing and destroying their personal information. Arguably, the latter cannot be fully described until the aforenoted “measures and policies” are formulated and adopted by the organization.

  2. The Impact of Third Party Service Agreements

    Many organizations have retained, or will retain, third parties to run or process parts of their business operations and data, whether as a cloud, SaaS or outsourcing service. Where any organization’s data is used by a third party service provider ( whether an arms-length provider or an affiliated provider ) contains personal information, then there are two important implications for organizations under PIPA. First, under PIPA the organization who provides personal information to that third party remains fully responsible and liable for that data’s protection and use in full compliance with PIPA. Therefore, as a matter of governance and risk management, organizations should ensure that all of their upstream compliance obligations under PIPA are contractually flowed down to their service providers. Second, any such transfer of personal information to overseas third parties must comply with the transfer provisions of PIPA. One ground of possible allowance to export that data from Bermuda is where the organization employs “contractual mechanisms, corporate codes of conduct including binding corporate rules, or other means to ensure that the overseas third party provides a comparable level of protection”.

  3. BMA Regulatory Overlap with PIPA

    Organizations who are regulated by the BMA must remain cognizant of the regulatory intersection of PIPA with the BMA’s outsourcing and cyber risk management prescriptions. First, both PIPA and the BMA’s regulations necessitate the creation of third party service agreements to flow a registrant’s regulatory up-stream obligations down to such service providers since ( under both regimes ) organizations remain responsible and liable for legal compliance that cannot be delegated to any third parties. As well, both PIPA and the BMA prescribe risk management security requirements and reporting obligations in the event of certain security breaches. Third, the BMA requires that the processing of all personal information that financial service registrants undertake “must be in accordance with data protection/privacy laws” that are relevant to each jurisdiction where that registrant has operations. Furthermore, the BMA requires that registrants “must perform an assessment of their compliance against applicable data protection requirements”. Therefore, for most BMA registrants, their breach of a PIPA obligation may also constitute a breach of their related BMA regulatory obligations.

There is a lot to unravel as organizations prepare to become fully compliant with the requirements of PIPA, and those are good examples of important pitfalls to avoid along that journey.

First Published in the Bermuda Chamber of Commerce Newsletter (Chamber Insider), February 2024

Share
X.com LinkedIn Email Save as PDF
More Publications
Employment-and-Immigration
30 Apr 2025

The End of the Digital Nomad Visa: How Else Can Individuals Reside in Bermuda?

As of 28 February 2025, Bermuda officially discontinued its popular “Work from Bermuda” (WFB) Ce...

Appleby-Website-Private-Client-and-Trusts-Practice
25 Apr 2025

Compliance with Pipa for trustees

The Personal Information Protection Act 2016, the island’s data protection legislation, applies to...

Appleby-Website-Privacy-and-Data-Protection
14 Apr 2025

M&A transactions under PIPA (Bermuda)

Mergers and business acquisitions are among the many different types of business transactions that r...

Appleby-Website-Insurance-and-Reinsurance
1 Apr 2025

Bermuda: With everything growing, all of the ILS world will rise together

It’s been an exceptionally busy and record start to the year for the catastrophe bond sector, and ...

Appleby-Website-Employment-and-Immigration
27 Mar 2025

Entering and Exiting Bermuda for Visa-Controlled Nationals

As it stands, with direct commercial flights to and from Bermuda only going from the United Kingdom,...

Appleby-Website-Corporate-Practice
27 Mar 2025

How foreign companies become Bermuda companies

Bermuda, renowned as a global business hub, offers a robust legal and regulatory framework that attr...

Appleby-Website-Insurance-and-Reinsurance
24 Mar 2025

Bridging the USD51 trillion gap: asset-intensive reinsurance in Bermuda

In this article we examine the rise and regulatory landscape of Asset-Intensive Reinsurance (AIR) in...

Appleby-Website-Privacy-and-Data-Protection
20 Mar 2025

PIPA Guidance on Financial Services (Bermuda)

This month, the Privacy Commissioner of Bermuda released his Financial Services Guidance Notes: Fin...

IWD Grid Capture
8 Mar 2025

International Women’s Day 2025 roundtable: Rights. Equality. Empowerment.

As we recognise International Women’s Day 2025, we are reminded that gender equality is not just a...

Corporate
28 Feb 2025

Bermuda Monetary Authority’s proposed resilience code

The Bermuda Monetary Authority, which well understands the operational risks associated with financi...