Aug 2024
The Personal Information Protection Act 2016 (“PIPA”) will be fully implemented on 1 January 2025 and will apply to any organisation that uses personal information in Bermuda. Conyers is here to assist you with privacy and data protection matters to ensure your organisation’s compliance with PIPA in advance of this deadline. We can help you develop a compliance programme suitable for your organisation, whether large or small, and ensure that it works for your business.
How Can Conyers Assist your Organisation?
1. Preparing a Personal Information Inventory and Data Mapping
Conyers can assist with the preparation of personal information inventories and data maps, for example by identifying what personal information is collected and used by the organisation, where it is stored and/or accessed and whether it is transferred to third parties (in Bermuda or overseas). If required, this service can also include Conyers working with the organisation’s IT department or chosen third-party IT/software provider to do more formal data mapping.
2. Establishing a PIPA Compliant Privacy Programme
Once a personal information inventory and data map are in place, Conyers can advise on the establishment of a PIPA compliant privacy programme by undertaking a gap analysis to determine what steps the organisation needs to take to meet its obligations under PIPA.
3. Preparing and Assisting with Suitable Policies and Procedures
Conyers can assist with the preparation of privacy and data protection policies, privacy notices, individual rights policies, data retention policies and procedures tailored for the organisation. If your organisation already has an existing group privacy policy, Conyers can assist in reviewing and modifying it as appropriate to ensure such policy is PIPA compliant. We can also advise on third-party transfers and vendor contracts to help your organisation put in place suitable protections.
4. Privacy Officer Services
Where Conyers has either been engaged to assist with preparing the organisation’s privacy programme or has reviewed and is comfortable with the organisation’s existing privacy policies and procedures, Conyers Regulatory Services (Bermuda) Limited (“CRS”) can be engaged to act as an organisation’s Privacy Officer. Where we act as Privacy Officer for an organisation and such organisation experiences a breach of security that is likely to adversely affect an individual, Conyers can help with preparing the required notifications to the affected individuals and the Privacy Commissioner pursuant to PIPA. Alternatively, if an organisation has a Privacy Officer in place, CRS can be engaged to provide support as needed.
5. Training on PIPA and its Requirements
Conyers can provide training to directors and management in respect of PIPA and its requirements. General on-line training for staff (if any) can also be provided.
Beyond helping your organisation develop a compliant privacy programme, Conyers’ privacy team provides both commercial and contentious regulatory advice. For example, we advise on access requests and enquiries from the Office of the Privacy Commission and, in the unfortunate event of a data breach, help you identify your legal obligations and what steps need to be taken to reduce your legal risks.
Please contact us for specific legal advice on how your Bermuda organisation can prepare for PIPA.