With potential fines of BD$250,000 and imprisonment for up to two years in the event of a breach, organisations in Bermuda need to get it right – reputations and criminal liability will soon be at stake.
What Personal Information do you Hold?
Every organisation, regardless of its size, uses personal information: data from which the identity of an individual can be ascertained. The first step towards achieving compliance under the new law is to understand exactly what personal information the business uses, where that data is held, the purposes for which that data is used and where that data is transferred to and from.
For consumer facing businesses, personal information is often held in customer databases. In the era of mobile devices and cloud computing however, identifying the full extent of an organisation’s customer data holdings can be difficult, as the databases may not always be clearly marked out as such and may be distributed widely within an organisation or held by third party processors. Attention needs to be given to whether data is being collected online, via mobile handsets, through CCTV footage, telephone calls or in paper form and whether that collection is being done directly or through third parties. Engaging with HR, business development and technology teams is critical to successfully auditing all customer data holdings.
The PIPA defines “personal information” widely to mean any information about an identified or identifiable individual. Data that has been anonymised or aggregated may not strictly be personal information but should still be included as part of any audit. With the rise of social media and online public data sources the ability to re-identify individuals from anonymised datasets is now easier than ever and is becoming increasingly common through the use of “big data” analytics.
Employee data almost always includes “sensitive personal information” – which includes information about an individual’s health, religion and ethnic background. Sensitive personal information is a separate class of personal information and is subject to enhanced protection under the PIPA before it can be processed.
Protection of employee personal data will also be critical under the new law. Employers are required to set out the purposes for which employee personal data is being collected and details of whom that data may be shared with. Employees must also be informed of any countries or territories outside Bermuda to which their personal data may be transferred. Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided to the employee with their employment contract.
A data protection policy should be tailored to an employer’s business to take account of the structure of its organisation, resources and particular personal data which it may process. The policy must be communicated to employees and monitored over time to ensure compliance. Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy.
Other Personal Information
Many organisations will also hold personal information about individuals who may not be their direct customers, such as directors, company officers and shareholders, as well as family members and other individuals who are connected to customers or employees. Any personal information that has not been directly obtained from a customer of the business will still be regulated by the new law. It is therefore essential to identify data holdings of this type as the business may not have any direct contractual relationship with these individuals.
Determine the Purposes of Processing
Once all personal information holdings have been identified, the organisation needs to assess how the data was obtained and the purposes for which each group of data is being processed. One of the fundamental rights for individuals under the new law is that personal information is only processed for purposes that the individual has been notified of in advance and has consented to. As part of this assessment, organisations should also consider their business plans to ensure that the collection and processing of personal information for any future initiatives or new technology deployments is also understood.
Map Data Transfers
In an age where highly sensitive personal information can be exchanged at the touch of a button, understanding where personal information is being transferred to from its different points of collection is vital. Data transfers can broadly be of two types – (i) third party processor scenarios in which the recipient simply processes the data in accordance with the transferor’s instructions but has no right to process that data for any new purposes; and (ii) group transfers, which are transfers within the organisation, to business partners or to affiliated companies who collaborate in determining the purposes for data processing. Both types of transfer will be relevant, although the compliance requirements will differ in each case.
Data Access, Correction, Retention and Deletion
The PIPA gives individuals the right to request access to personal information held about them by an organisation and to ask that any inaccurate data is corrected or deleted. Businesses will need to have procedures in place to manage and action these requests in a timely manner. Businesses will also be obliged to cease processing personal information once the purposes for which that data has been collected have been exhausted. Prescribed data retention periods are not set out but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal information can be securely purged once the purposes for holding it have been fulfilled by the organisation.
In early June, the Cayman Islands gazetted the Data Protection Law 2017. Drafted around a similar set of EU style privacy principles, it is expected that the new law will be fully in force in Cayman by the second half of 2018, a similar timeframe to the PIPA in Bermuda. The BVI Government has also pledged that comprehensive data protection legislation, based on similar standards, will be enacted there in the near future. Other jurisdictions are likely to follow. Once both laws are fully in force in 2018, Cayman and Bermuda will have the most comprehensive data protection laws in this region. For organisations that have offices in Bermuda and also in the Caribbean, there is now a strong business case for levelling up policies and procedures to these new higher standards across their network.
Protecting personal data is now business critical. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to an organisation following a breach of the new laws could be devastating.