16 June 2023
In a joint press conference yesterday, the Bermuda Government and the Office of the Privacy Commissioner for Bermuda (PrivCom) announced the official date when the Personal Information Protection Act (PIPA) 2016 will be implemented.
At the moment, the following administrative provisions are in force, enabling the appointment of the Privacy Commissioner and the creation of PrivCom: sections 1, 2, 26, 27, 28, 29, 35, 36, 51 and 52. The commencement date for the remaining clauses of PIPA will be 1 January 2025.
The law will be brought into full effect on 1 January 2025. This means that organisations in Bermuda that use personal information have 18 months to prepare for the full implementation of Bermuda’s data privacy law.
Many organisations already comply with similar provisions, due to the European Union (EU)’s General Data Protection Regulation (GDPR), which came into force 25 May 2018, and the global pandemic, which saw many aspects of our work and lives move online. Many jurisdictions similar to Bermuda already have data protection and privacy provisions, including small jurisdictions such Gibraltar, Isle of Man, Jersey, Cayman, and others.
With an 18-month window, PrivCom will guide organisations with a phased action plan. Commissioner White said: “We now have an 18-month window for organisations to prepare for PIPA. This course of action has my support, and we have worked closely with our Government colleagues to determine this implementation window. With a single fixed, universal date we can provide legal certainty and avoid confusion about deadline.”
PrivCom will continue to work across the community with organisations to help them understand the requirements and to ensure the adoption of PIPA and a smooth transition. Our office will be working with all kinds of businesses, small and large, to help ensure a smooth transition.
At PrivCom, we have a variety of resources available, including video training, such as on the basics of “Privacy & PIPA” and more detailed written explainers on key topics, such as:
the elements of a privacy programme,
what a privacy officer (PO) is, what they do for an organisation, and how people can pursue privacy compliance and ethics as a career,
what organisations need to consider when sharing information with third parties (in Bermuda and abroad),
basic cybersecurity tips,
guidance on privacy harms, particularly for children or vulnerable groups,
and even the return on investment of a privacy programme.
PrivCom is continuing to produce guidance and will shortly publish a comprehensive “Guide to PIPA” that has dozens of pages of tips, checklists, and other pieces of advice. Even more guidance is coming, on specific topics such as what privacy means in the employment context and detailed guides for individuals on their rights.
PrivCom works closely with our regulatory partners both here in Bermuda and in jurisdictions around the world, such as the UK, Canada, and US, to ensure consistency and interoperability with their requirements.
PrivCom’s outreach in 2024 will be dedicated to guiding organisations in the community through the steps they need to meet the privacy rules of PIPA. Starting on Data Privacy Week in January 2024, we will provide the community with specific goals and actions to take each month as part of a phased action plan that puts the process of privacy compliance in bite-sized proportions.
Organisations need time to plan, so providing these sorts of concrete action steps will allow the community to progress together.
Commissioner White concluded: “I’ve often said that privacy is a journey, not a destination. We as a community are all on the Road to PIPA together, and I hope the public takes away from this discussion an understanding that they will have our office’s support each and every step of the way.”