Bermuda: data breaches and the new Personal Information Protection Act (comparisons with the GDPR)

On 1 January 2025, Bermuda’s long-awaited Personal Information Protection Act 2016 (PIPA) came into force.

The PIPA introduces a comprehensive data protection regime that will have a significant impact both on organisations in Bermuda and on organisations doing business there. The PIPA is capable of extraterritorial application: it can apply wherever an organisation uses personal information in Bermuda.

The PIPA draws upon key concepts shared in other jurisdictions, such as ‘sensitive’ personal information, but it is distinct in key ways and should not be considered identical to other data protection laws. Our short overview will examine some of the key areas of consideration, drawing on a comparison with the UK/EU GDPR where similarities and differences can be seen.

Data breaches

The PIPA includes a requirement to notify data breaches to the Office of the Privacy Commissioner for Bermuda (PrivCom) and to affected individuals. The PIPA does not specifically define a ‘data breach’, although a description of a data breach is found in the data breach notification requirement in Section 14 of the PIPA.

The data breach wording in PIPA is slightly different to that found in the GDPR, but the guidance issued by PrivCom uses the definition provided in the GDPR. That definition is as follows: “A personal information breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal information.”

We consider that PrivCom therefore intends to interpret the PIPA through a wide lens. We urge any organisation considering its obligations under the PIPA to refer to the PrivCom’s guidance, which addresses both the spirit and the letter of the law.

Notifications to PrivCom

The PIPA requires organisations to notify both PrivCom and individuals without undue delay in the event of a data breach which is likely to adversely affect an individual. On the face of it, this is a lower threshold for notifying individuals than the one set out under the GDPR (which requires notification to individuals only where a ‘high risk’ arises). Organisations that determine a breach is unlikely to adversely affect an individual should document this decision.

PrivCom’s guidance suggests that organisations are expected to notify PrivCom as soon as possible, and that any delay must be explained. However, organisations can make ‘interim’ notifications where complete information is not immediately available, with details to follow later. Again, this is slightly different to the GDPR, which requires notification to the regulator within 72 hours of becoming aware that the relevant threshold has been met.

Organisations are expected to provide PrivCom with information when making a notification, and this should include the nature of the breach, the likely consequences for individuals, and the measures the organisation has taken and will take to address the breach. These requirements will be familiar to organisations with experience of the GDPR.

Notifications to individuals

PrivCom’s guidance states that a notification to individuals should include a description in clear and plain language of the nature of the data breach and, at least:

  • the name and contact details of a data privacy officer or another contact point where more information can be obtained;
  • a description of the likely consequences of the data breach; and
  • a description of the measures taken or proposed to deal with the data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects.

PrivCom’s guidance also recognises the role that organisations should play in helping to keep their stakeholders safe in the event of a data breach. Organisations should give individuals specific and clear advice on the steps they can take to protect themselves, and what the organisation is willing to do to help them.

Notifications to other authorities and organisations

As the scope of digital regulation expands, organisations should be mindful that they may have other legal and contractual reporting obligations in the event of a cyber incident.

Aside from data regulators such as PrivCom, organisations may need to notify industry specific regulators, law enforcement, insurers, professional bodies, financial institutions, customers, and suppliers.

Organisations should build a careful understanding of their obligations to stakeholders in the event of a data breach, and operate with the support of their legal advisers.
