Bermuda Privacy Law Compliance: Pitfalls To Avoid – Privacy Protection

To print this article, all you need is to be registered or login on

Although members of the Chamber are aware that Bermuda’s
Personal Information Protection Act, 2016 ( PIPA ) will come into
full force on 1 January 2025, many members may not appreciate some
of the more challenging compliance requirements of PIPA. In an
effort to help members avoid some common pitfalls associated with
PIPA compliance, the following is a brief review of three of
PIPA’s compliance requirements that many organizations should
devote particular attention to.


    Many organizations in Bermuda, especially those with international
    operations, have posted a form of privacy compliance notice on-line
    that is often titled “Privacy Policy”. Although those
    notices tend to provide information for consumers about how that
    organization collects and uses personal information, they
    don’t satisfy the “measures and policies”
    requirements of PIPA. As well, those “policies” often
    drafted to satisfy the data protection laws of many different
    jurisdictions so they often don’t use PIPA relevant
    terminology. Also, many of those published notices don’t
    technically comply with the privacy notice provisions of PIPA.
    PIPA’s requirement for organizations to adopt “suitable
    measures and policies” directs organizations to formulate and
    adopt a broad range of internal administrative measures, practices,
    operational procedures and policies that describe, with reasonable
    operational detail, how the organization will, for example: collect
    any required individual consents; cull their existing ( pre 1
    January 2025 ) data bases of all personal information that is not
    relevant to their business purposes; avoid collecting excessive
    personal information; avoid collecting personal information that is
    not reasonably relevant to their business; manage the ongoing
    accuracy and currency all of the personal information that it has
    in its possession; expunge personal information that it no longer
    necessary for its use; how it will manage the requests it will
    receive from individuals to view, augment, update or even delete
    their personal information from the organization’s records;
    as a matter of governance, how it will ensure that its decisions
    related to PIPA compliance are lawful, fair, and reasonable; and,
    how they will procedurally manage any complaints or disputes
    concerning their compliance with PIPA as they arise.

    Those are the types of suitable internal measures and policies
    that PIPA expressly requires each organization to formulate, adopt
    and implement. As for the so-called “privacy notices”
    that many organizations have published, all PIPA requires an
    organization’s privacy notice to include are the following
    six things: the fact that personal information is being used; the
    purposes of its use ( often there is more than one purpose ); the
    identity ( yes, PIPA stipulates the identity ) and types of
    individuals and organizations to whom personal information is or
    might be disclosed ( emphasis added ); your organization’s
    identity, location and how to contact it about its handling of
    personal information; the contact information of the privacy
    officer; and, the choices and means that the organization provides
    to individuals to limit the use of, and for accessing, rectifying,
    blocking, erasing and destroying their personal information.
    Arguably, the latter cannot be fully described until the aforenoted
    “measures and policies” are formulated and adopted by
    the organization.


    Many organizations have retained, or will retain, third parties to
    run or process parts of their business operations and data, whether
    as a cloud, SaaS or outsourcing service. Where any
    organization’s data is used by a third party service provider
    ( whether an arms-length provider or an affiliated provider )
    contains personal information, then there are two important
    implications for organizations under PIPA. First, under PIPA the
    organization who provides personal information to that third party
    remains fully responsible and liable for that data’s
    protection and use in full compliance with PIPA. Therefore, as a
    matter of governance and risk management, organizations should
    ensure that all of their upstream compliance obligations under PIPA
    are contractually flowed down to their service providers. Second,
    any such transfer of personal information to overseas third parties
    must comply with the transfer provisions of PIPA. One ground of
    possible allowance to export that data from Bermuda is where the
    organization employs “contractual mechanisms, corporate codes
    of conduct including binding corporate rules, or other means to
    ensure that the overseas third party provides a comparable level of


    Organizations who are regulated by the BMA must remain cognizant of
    the regulatory intersection of PIPA with the BMA’s
    outsourcing and cyber risk management prescriptions. First, both
    PIPA and the BMA’s regulations necessitate the creation of
    third party service agreements to flow a registrant’s
    regulatory up-stream obligations down to such service providers
    since ( under both regimes ) organizations remain responsible and
    liable for legal compliance that cannot be delegated to any third
    parties. As well, both PIPA and the BMA prescribe risk management
    security requirements and reporting obligations in the event of
    certain security breaches. Third, the BMA requires that the
    processing of all personal information that financial service
    registrants undertake “must be in accordance with data
    protection/privacy laws” that are relevant to each
    jurisdiction where that registrant has operations. Furthermore, the
    BMA requires that registrants “must perform an assessment of
    their compliance against applicable data protection
    requirements”. Therefore, for most BMA registrants, their
    breach of a PIPA obligation may also constitute a breach of their
    related BMA regulatory obligations.

There is a lot to unravel as organizations prepare to become
fully compliant with the requirements of PIPA, and those are good
examples of important pitfalls to avoid along that journey.

First Published in the Bermuda Chamber of Commerce
Newsletter (Chamber Insider), February 2024

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from Bermuda


Leave a Comment

Your email address will not be published. Required fields are marked *