
Are you “PIPA-prepared”?

On 16 June 2023, the Government of Bermuda introduced the amending legislation in the House of Assembly required to bring Bermuda’s 2016 privacy laws into effect on 1 January 2025.

The Personal Information Protection Amendment Act 2023 was introduced to harmonize the Personal Information Protection Act 2016, the Public Access to Information Act 2010 and the PATI Regulations 2014. Bermuda’s Personal Information Protection Act 2016 (PIPA) sets out a regime to protect personal information.

PIPA applies to any entity managing personal data within Bermuda, affecting both residents and non-residents whose data is processed in Bermuda.

Implementation is expected to be phased. Larger organizations already subject to privacy regimes in other jurisdictions will be expected to demonstrate compliance first with smaller organizations following. Mandatory reporting of breaches will commence on 1 January 2025.

As PIPA was prepared with the aim of enabling the free flow of personal data between EU member states and Bermuda, its key principles are based on internationally recognized Fair Information Practices (FIPs) and the General Data Protection Regulation (GDPR).

The differences between GDPR and PIPA primarily revolve around jurisdiction-specific requirements. The GDPR is more stringent on consent, data protection by design, and rights such as the right to be forgotten. PIPA, while also focusing on the protection of personal information, has different thresholds for compliance, exemptions from some of the rights and obligations in certain circumstances (for example, national security and communication providers), and includes localized enforcement approaches tailored to Bermuda’s context.

While both frameworks have significant overlap, companies must review PIPA's distinct aspects to ensure full compliance, even if they are already GDPR compliant.

If you are an organization processing personal information in Bermuda, now is the time to start preparing for PIPA.

How should you start your compliance journey?

Analyze the 12 PIPA key principles listed below and determine what personal information you hold and how you use, share, retain, delete and destroy it.

Principles

  • Responsibility and compliance: have you adopted suitable measures and policies to give effect to the obligations and to the rights of individuals?
  • Conditions for using personal information: have you mapped the personal information your organisation processes and identified the correct legal basis?
  • Sensitive personal information: are you using sensitive personal information lawfully?
  • Fairness: have you identified the valid, lawful grounds under PIPA for using personal information?
  • Privacy notices: have you informed people clearly, openly, and honestly from the start about how you will use their personal information?
  • Purpose limitation: have you identified, recorded, and communicated to individuals the purposes for use of personal information, and conducted the ‘compatibility test’ when you want to use personal information for a new purpose?
  • Proportionality: is personal information you collected adequate (sufficient to properly fulfil your stated purposes), relevant (it has a rational, justifiable link to the purposes) and not excessive in relation to the purposes for which it is used?
  • Integrity of personal information: have you taken all reasonable steps to ensure the personal information you hold is not incorrect or misleading, that it is properly updated, and you have appropriate security measures in place to protect the integrity and maintain the consistency, accuracy, and trustworthiness of the personal information you hold?
  • Security safeguards: have you implemented appropriate safeguards against potential risk (loss, unauthorized access, destruction, modification, or disclosure, etc.) that the personal information you hold may be exposed to, and assessed the proportionality of such safeguards to the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information?
  • Breach of security: do you have in place a robust breach-reporting process to ensure you detect and notify breaches on time, to provide the necessary details, and if you decide you don’t need to report the breach, are you able to justify your decision?
  • Transfer of personal information to an overseas third party: do you have in place third-party management procedures that encompass due diligence (including the methodology to assess the level of protection provided by the overseas third party for that personal information), onboarding, risk monitoring and offboarding?
  • Personal information about children in the information society: does your organisation use children’s personal information about an individual under the age of 14 in provision of a service delivered by means of digital or electronic communications (“information society service”)?

What does non-compliance mean for your business?

Monetary fines and criminal sanctions are in scope.

Upon conviction of an offense, PIPA provides for administrative fines and penalties to be issued by regulators, including:

  • for individuals, a fine not exceeding BM$25,000 or imprisonment not exceeding two years, or both;
  • for entities, a fine not exceeding BM$250,000.

In addition, legal action can be taken against directors, managers, secretaries, other officers, and shareholders of corporate entities in their personal capacity if the offense was committed with their connivance, consent, or as a result of their negligence.

How can Grant Thornton help you?

Drawing on our team's extensive expertise in data protection and compliance across different jurisdictions, we offer specialized methodologies and training programs, ensuring an accelerated understanding and implementation of PIPA and other data protection standards.

We're committed to constant improvement, enriching our dedicated data protection team with top talent from various industries and disciplines to deliver pragmatic and effective solutions. With a team of specialists in data protection and cybersecurity, we offer unparalleled support to clients both in Bermuda and globally.

Additionally, the team's deep subject matter expertise enables us to tackle complex challenges, leveraging a network of senior SMEs across the full digital risk landscape, including IT audit, risk and compliance, IT security, legal and project management, when necessary.

Driven by a pragmatic and solution-focused approach, we prioritize enabling smooth business operations while ensuring compliance, understanding, and addressing the unique challenges faced by our clients.

Grant Thornton excels in providing comprehensive data protection solutions tailored to our clients' diverse needs.

We can support your journey to compliance with PIPA by:

  • Assessing your data protection maturity level and providing advice on closing any gaps.
  • Updating or drafting data protection policies, procedures, and notices.
  • Identifying and documenting the lifecycle of personal information in your organization.
  • Conducting a Personal Information Assessment where sensitive personal information is processed.
  • Delivering data protection training for your staff.
  • Managing Personal Data Breaches and Data Access Requests.
  • Assessing the technical controls protecting personal data.
  • Identifying data protection risks in your third parties.
  • Providing privacy officer services.