PIPA: an update while you wait

Bermuda’s Personal Information Protection Act 2016 (PIPA) will, when fully operative, represent a significant change in informational privacy law in Bermuda. While it envisages a comparatively “light regulatory environment” for informational privacy, the act will require a number of practical changes for many organisations.

At the time of writing, only those sections relating to the establishment and operation of the office of the Privacy Commissioner are in force. In many respects, Bermudian organizations remain in suspense as they eagerly await guidance on the interpretation and application PIPA.

Following the appointment of Bermuda’s first Privacy Commissioner in January 2020, the expectation was that PIPA would be on track for roll-out by the end of 2020. COVID-19, not surprisingly, is believed to have contributed to the delay in the implementation of PIPA. There is a general expectation that there will be movement within Q1 of 2021, including other provisions of PIPA coming into force. It is envisioned that PIPA will come into force in stages. This is a welcome strategy for businesses as the impact will be less immediate and disruptive to operations.

What provisions of PIPA will next be brought into force is not known, although it can be expected to be those provisions relating to the adoption of measures and policies, including security, responding to access and other requests of individuals and the appointment of a privacy officer. Privacy notices can be expected to follow in a second phase once organizations have had an opportunity to identify what information they use, how they use it and for what purposes.

In anticipation of the coming into full force of PIPA, some business have begun to examine what personal information they use. Some have adopted their first privacy policies and notices while others, in particular global players, have embarked on amendments to their existing privacy policies and notices to comply with PIPA. Others have chosen to wait until guidance is in place, so as to avoid the fine-tuning of policies, re-circulation of revised notices and changing practices and training that may be required. Whichever approach an organization has taken, the Privacy Commissioner has signalled there will be considerable advance notice before the enforcement of any provisions of PIPA, including information sessions and the issuance of a guidance. And so, for now, Bermuda waits for that sign to be given.

Kennedys' privacy offering

We are poised to help clients devise, implement and/or fine-tune, depending on their needs, their policies procedures in the course of remaining months leading up to the date on which the substantive provisions of PIPA will become operative.

We are particularly adept at advising entities registered under the Insurance Act 1978 on PIPA compliance.

Our lawyers have expertise in helping at all stages of the life cycle of an organisation’s use of personal information, covering:

  • Assessment and audit: we can help you identify what information you have, how you use that information and for what purposes, and what processes and mechanisms you employ for the protection of personal information and whether your organisation is following good practices for the protection of personal information.
  • Compliance: we can review your policies and assist in producing a comprehensive and effective privacy compliance framework to support your compliance obligations.
  • Training: provide training to employees of your organisation on the requirements of PIPA as an organisation’s ability to comply with PIPA will be dependent on the knowledge and actions of each and every one of its employees.
  • Security strategy: we can recommend steps to be taken to ensure the protection of personal information and avoid privacy breaches occurring or minimise their impact.
  • GDPR/PIPA gap analysis: many Bermuda organisations are compliant with the European Union’s General Data Privacy Regulation (Regulation (EU) 2016/679) (GDPR). We can advise on the GDPR/PIPA differential and identify the most efficient ways of adapting your GDPR-compliant policies and procedures for compliance with PIPA.

Our advice is pragmatic, straight-forward and commercially-focused, always with the long-term objectives and health of your business in mind.