Is Your Organisation PIPA Ready?

Law Firm: Carey Olsen
Subject Matter: Privacy, Data Protection, Privacy Protection
Author: Mr Jay Webster, Bradley Houlston and Marcus Symonds
Published date: 17 January 2023

Bermuda's Privacy Commissioner has recently announced that the island's first data privacy legislation, the Personal Information Protection Act 2016 (PIPA), may soon be coming into effect, at least for some businesses.

This briefing sets out the key requirements of PIPA and the steps that your organisation can take to prepare for its implementation.

PIPA COMING INTO FORCE

PIPA was enacted in 2016 to regulate the use of personal information in Bermuda by individuals, companies, public authorities and other organisations. Although some of PIPA's provisions came into effect shortly after enactment, including those which established Bermuda's Privacy Commissioner, PIPA's operative provisions, which set out the responsibilities of data users and the specific rights of data subjects, have yet to come into force.

It has recently been reported that the government now aims to bring PIPA's main provisions into effect from Spring 2023. The Privacy Commissioner has stated that these provisions could be implemented in phases, with certain rules enforced for some organisations before others. The Privacy Commissioner has suggested, for example, that exempt undertakings, which may already comply with data protection regimes in other jurisdictions due to the international nature of their businesses, could be the first organisations required to comply with PIPA.

The Privacy Commissioner has also confirmed that his office plans to publish guidance, including checklists and templates, to assist organisations in preparing for PIPA compliance. Notably, the Commissioner's office has received funding to double its headcount this year.

This long-anticipated implementation of PIPA's key provisions would set the scene for Bermuda's hosting of the 2023 Global Privacy Assembly in October, an event which could bring hundreds of international privacy officers and technology executives to the island.

PREPARING YOUR ORGANISATION FOR PIPA

Under PIPA, your organisation will need to adopt suitable measures and policies to give effect to its obligations and the rights of individuals. These measures and policies should be reasonable, taking into account the nature, scope, context and purposes of the use of personal information as well as the potential risk to individuals due to the use of their personal information.

As we set out below, there are various steps that your organisation can take in anticipation of PIPA's enforcement.

Determine whether your organisation is already PIPA compliant

...
