Conyers – Privacy and Data Protection Services
The Personal Information Protection Act 2016 (“PIPA”) will be fully implemented on 1 January 2025 and will apply to any organisation that uses personal information in Bermuda. The Conyers team is here to assist your organisation with privacy and data protection matters for the purpose of ensuring your organisation’s compliance with PIPA to meet the upcoming deadline. We can help you develop a compliance programme suitable for your organisation, large and small, with a focus on ensuring that it works for your business.

How can Conyers assist your organisation?

1. Preparing a personal information inventory and data mapping

Conyers can assist with the preparation of personal information inventories and data maps, for example by identifying what personal information is collected and used by the organisation, where it is stored and/or accessed and whether it is transferred to third parties (in Bermuda or overseas). If required, this service can also include Conyers working with the organisation’s IT department or chosen third-party IT/software provider to do more formal data mapping.

2. Establishing a PIPA compliant privacy programme

Once a personal information inventory and data map are in place, Conyers can advise on the establishment of a PIPA compliant privacy programme by undertaking a gap analysis to determine what steps the organisation needs to take to meet its obligations under PIPA.

3. Preparing and assisting with suitable policies and procedures

Conyers can assist with the preparation of privacy and data protection policies, privacy notices, individual rights policies, data retention policies and procedures tailored for the organisation. If your organisation already has an existing group privacy policy, Conyers can assist in reviewing and modifying it as appropriate to ensure such policy is PIPA compliant. We can also advise on third party transfers and vendor contracts to help your organisation put in place suitable protections.

4. Privacy Officer Services

Where Conyers has been engaged to either assist with preparing the organisation’s privacy programme or has reviewed and is comfortable with the organisation’s existing privacy policies and procedures, Conyers Regulatory Services (Bermuda) Limited (“CRS”) can be engaged to act as an organisation’s Privacy Officer. Where we act as Privacy Officer for an organisation and such organisation experiences a breach of security that is likely to adversely affect an individual, Conyers can help with preparing the required notifications to the affected individuals and the Privacy Commissioner pursuant to PIPA. Alternatively, if an organisation has a Privacy Officer in place, CRS can be engaged to provide support as needed.

5. Training on PIPA and its requirements

Conyers can provide training to directors and management in respect of PIPA and its requirements. General on-line training for staff (if any) can also be provided.

Beyond helping your organisation develop a compliant privacy programme, Conyers’ privacy team provides both commercial and contentious regulatory advice, for example advising on access requests and enquiries from the Office of the Privacy Commissioner and, in the unfortunate event of a data breach, helping you identify your legal obligations and what steps need to be taken to reduce your legal risks.

Please contact us for specific legal advice on how your Bermuda organisation can prepare for PIPA.

Julie E. McLean, Director, +1 441 299 4925, julie.mclean@conyers.com
Andrew Barnes, Senior Associate, +1 441 278 8054, andrew.barnes@conyers.com
Sarah Blair, Senior Associate, +1 441 279 5335, sarah.blair@conyers.com
Erica Martin - EM Business Development
Privacy Officer - A requirement of PIPA is that organisations shall designate a representative (“privacy officer”) for the purposes of compliance with PIPA, who will have primary responsibility for communicating with Bermuda's Privacy Commissioner, developing the organisation's privacy programme and ensuring the organisation develops appropriate measures and policies to give effect to its obligations and to the rights of individuals under PIPA. The privacy officer must be able to effectively ensure organisational compliance with PIPA.

Privacy Compliance Audit - Meet with organisation stakeholders to assess current data privacy policies and procedures and determine an overall privacy and protection position. Draft a report outlining areas of compliance, near compliance and non-compliance, prioritising areas of risk. This will include recommendations to improve privacy.

Privacy Impact Assessments - Undertake a Data Protection Impact Assessment (DPIA): a review of business processes to identify risks or gaps in compliance with PIPA. Identify what protective controls will need to be implemented to attain compliance.

Record of Processing Activities - Undertake a Record of Processing Activities (ROPA) to inventory and classify all personal information used, and to demonstrate compliance with privacy legislation. Identify the legal basis for processing all personal information and track the flow of information within the organisation. Document all the information that is collected, how it is processed, who has access to it, who it is shared with and when it is deleted.

Privacy Policies - Develop the personal information policies necessary for compliance with PIPA and document personal information use practices in policies and procedures, including but not limited to: Privacy Notice; Personal Data Protection Policy; Data Retention Policy; Website Privacy Policy; Cookie Policy. Provide clear information about an organisation's data processing and legal justification in the privacy policy. Create an internal security policy for employees, volunteers and Board members.

Data Breach Procedures - Develop and implement incident response procedures and action plans in case of a data incident or breach, including notification of the Bermuda Office of the Privacy Commissioner.

Subject Access Requests - Draft and implement procedures to respond to subject access requests (SARs). PIPA grants individuals the right to contact organisations to request access to their personal information. Individuals may also request correction or destruction of their data, or block its use, in certain circumstances. Organisations need to have procedures in place to respond to these requests.

Employee Training - Introduce and train staff on privacy and security policies to ensure that they understand expectations, liabilities and reporting best practices, to enhance the privacy and security culture of the organisation. Under PIPA, organisations need to provide appropriate training to staff or others with access to personal information.

Contact: 441 537 4614 | erica@emartinbd.com