Advice to Small Businesses
Data privacy laws and regulations, such as Bermuda’s Personal Information Protection Act (PIPA) 2016, as amended, set legal standards for the lawful and fair use of individuals’ personal information.
Data privacy laws and regulations ensure that organisations cannot misuse individuals’ personal information. In particular, this concerns situations where individuals’ personal information is accessed by unauthorised third parties or gets lost, damaged, stolen, or misused for unintended purposes.
When personal information – and especially sensitive personal information – lands in the wrong hands, individuals are likely to be exposed to risk and harm. In some instances, they can become the victims of identity theft, physical or psychological harm, and violations of their fundamental human rights.
As people are becoming more aware of their personal information rights and empowered to understand how their personal information is being used, organisations that value customer trust will need to take steps to ensure that they get data privacy management right. Keeping personal information safe is vital to building trust with your clients: that is, individuals who use your products or services and who you do business with.
Small businesses and data privacy in Bermuda (PIPA)
Good data privacy makes good economic sense because it saves time and money and positions your organisation as one that cares about individuals' personal information. Good data privacy measures, policies, and procedures can genuinely help to build trust, boost your organisation's reputation, and open doors to more opportunities.
As of 1 January 2025, PIPA will apply to all organisations irrespective of type and size (small businesses, clubs, societies, community groups, charities, start-ups, etc.).
You’re responsible for protecting the personal information of individuals that come into contact with your organisation (clients, suppliers, or team members) irrespective of
whether you're a small business, a sole entrepreneur, or self-employed,
whether you work for yourself or you’re an owner or director,
whether you have a small team of employees or you don’t have any staff at all.
The rules are the same whether you operate a one-person startup or a global enterprise. The reason is simple: if personal information falls into the wrong hands, it makes no difference where the error came from. The only thing that matters is that people could be harmed. You will have to build a strong defence for your organisation if a data breach occurs.
Remember! As of 1 January 2025, PIPA will be in full operation. PrivCom will have the power to take action for non-compliance. However, our office is committed to supporting organisations with data privacy best practices awareness. Our office is here to help you every step of the way.
Why am I responsible for protecting the personal information of the individuals that come into contact with my organisation?
Small businesses, clubs, societies, community groups, charities, and start-ups may need personal information to provide services and deliver goods.
Small businesses are likely to hold personal information about staff, customers, and clients, e.g., names, addresses, and contact details. You might even collect, use, and store sensitive personal information, such as medical information or details regarding their ethnicity.
Therefore, it is important for small businesses to take steps to comply with data privacy laws, both locally (i.e., PIPA) and globally (e.g., GDPR, PIPEDA, etc.).
When it comes to providing data privacy advice, there is no one-size-fits-all approach. As you know your business best, you are in the best position to identify and manage the personal information that you hold.
Remember! You may also have details of appointments or other notes. If you can identify someone personally from something you have stored, it’s personal information and you need to account for it in line with PIPA.
Information exempt from PIPA
For your information, some types of information are exempt from PIPA compliance. These include the following:
business information such as your company's generic email addresses (make sure they don't include someone's name; an address like Charles@abc.bm identifies a person and is personal information);
your organisation’s financial statements;
paper records that aren’t intended to be kept as part of a filing system; and
information that you use for purely personal or domestic purposes.
PIPA doesn’t apply when you’re using personal information for purely personal or domestic purposes. This means that you don’t have to worry about things like your family photo album and personal calendar.
Note that PIPA refers to information collected, used, and stored for business purposes or in a business context.
For more details, check our Guide to PIPA!
How can I remain compliant?
Compliance with PIPA is an everyday activity. That is why a privacy programme is the best tool to keep everything related to privacy on track. The following steps will help you monitor compliance with PIPA.
Conducting an inventory and classifying (or, "mapping") what personal information is used;
Documenting personal information use practices in policies and procedures;
Providing appropriate training and awareness to staff or others with access to data;
Analysing the privacy risk in context, utilising tools such as "Privacy Impact Assessments," and identifying protective measures;
Developing an action plan to respond to incidents or potential security breaches;
Developing procedures to respond to access requests.
Some additional tips and steps:
Transparency is key
Your use of individuals’ personal information must always be fair, lawful, and transparent. It is crucial for your organisation to explain to individuals:
why you hold their personal information,
what you'll do with it, and
how long you'll keep it before disposing of it.
You should record this information in a document, describing your approach to information privacy and protection. This is known as a privacy notice.
Remember! Prior to collecting any personal information from anyone, you need to have a privacy notice in place, including on your website.
Security of personal information is your alpha and omega
Your security measures need to line up with the sensitivity of the personal information you hold. This means putting in place stronger security measures if the personal information is sensitive or poses a higher risk. The measures you choose are up to you: for personal information that you hold electronically, they may include encryption or putting strong passwords on your devices; for the personal information that you hold physically, they may include locking filing cabinets, for example.
Be ready for access requests
As of 1 January 2025, under PIPA, individuals will have the right to know what personal information you hold about them. There are other rights, too, but one of the most commonly asked questions is how to deal with a request for this personal information, which is known as an access request.
Prepare for the worst
If, after 1 January 2025, you lose personal information – such as in a cyber-attack, flood, fire, or theft – it could be a data breach. If it is likely to result in a risk to the individuals affected, you will need to report it to us.
We are here to help. In the meantime, if you have questions, contact Investigations at 543-7748.
Remember! If you obtained individuals' personal information through means that are deceitful or misleading, then everything you do with it after that – irrespective of whether you think it is lawful or not – is unlikely to be fair and/or lawful. You also need a valid reason or condition for using the personal information.
We update our website regularly to help you take simple steps towards improving your PIPA compliance. Remember to set regular reminders to check for new advice and guidance.
Be sure to check our Guide to PIPA!