Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Bermuda: Privcom publishes blog on PIPA and the GDPR
On July 8, 2024, the Bermuda Office of the Privacy Commissioner (PrivCom) published a blog post detailing the main provisions of the Personal Information Protection Act (PIPA) 2016, and the differences between PIPA and the EU's General Data Protection Regulation (GDPR).
The blog explains that PIPA, which will be fully implemented on January 1, 2025, mandates that all organizations in Bermuda handle personal information securely and responsibly, extending obligations to third-party contractors, including those overseas.
What are the main provisions of PIPA?
The blog explains that PIPA broadly defines 'personal information' as any data about identifiable individuals and requires organizations to obtain and manage consent for collecting, using, or disclosing this information, with some exceptions. Specifically, the blog states that under PIPA:
- organizations are required to implement appropriate security measures to protect personal information against loss, unauthorized access, misuse, and other risks;
- individuals are granted several rights, including the right to access their personal information, request corrections, and demand the blocking, erasure, or destruction of their data; and
- organizations must notify affected individuals and the Privacy Commissioner if a data breach occurs which could result in significant adverse effects.
The blog highlights the implications of PIPA for organizations and advises them to:
- review and update their data handling practices to meet PIPA standards;
- implement comprehensive privacy policies and protocols;
- educate staff on PIPA requirements and data protection best practices; and
- designate a privacy officer to oversee compliance and conduct regular audits to identify and mitigate privacy risks.
What are the differences between PIPA and the GDPR?
The blog also clarifies that while PIPA is specific to Bermuda, GDPR applies more broadly, including to organizations outside the EU that process the personal data of EU residents. Further, the blog notes that PIPA's penalties for non-compliance are tailored to the Bermuda context, with fines of up to BMD 250,000 (approx. $250,000) and imprisonment for up to two years. In contrast, the blog notes that the GDPR imposes higher fines for non-compliance, potentially up to 4% of global annual turnover or €20 million whichever is higher.
You can read the blog here.