PIPA is the first specific data protection law introduced in Bermuda.  Based on a set of internationally recognised privacy principles, the legislation regulates the processing of all personal data in Bermuda.  The law provides a framework of rights and duties designed to give individuals greater control over their personal information.  ‘Personal information’ is defined as any information about an identified or identifiable individual.

Whilst parts of PIPA have already come into force, the substantive provisions have been in limbo pending the appointment of a Data Privacy Commissioner.  In December 2019, the Governor announced that a Commissioner had been appointed and will take office on 20 January 2020.  We are now expecting a date to be set when PIPA will become fully operational.  Based on previous information from the Government, this date may be up to 12 months after the Commissioner takes office, to give businesses plenty of time to prepare.  We are also expecting the Commissioner to publish guidance in the coming months, aimed at helping organisations that use personal data understand and comply with their obligations.

Key features of the legislation include:

  • Data Protection Officer (DPO). PIPA requires organisations that use personal information to appoint a designated “privacy officer” who will have primary responsibility for communicating with the Commissioner.
  • Data Security. Organisations must put in place “appropriate” technical and organisational measures to prevent unauthorised access or unlawful processing of personal data, and against accidental loss, destruction or damage to personal data.
  • Proportionality and purpose limitation. Organisations shall ensure that the personal information it uses is not excessive and that it is only used for the specific purpose for which it was collected.
  • Transparency. Organisations are required to provide a significant amount of information to individuals at the time their data is collected, in the form of a “privacy notice”, including the purpose(s) for which the data is used, the identity of any third parties to whom the data may be disclosed and the name of the organisations DPO.
  • Data Breach Notification. In the event of a personal data breach, the organisation must notify the Commissioner and any affected data subjects of the breach without undue delay.
  • Data Access Rights. PIPA gives data subjects the right to obtain confirmation from an organisation that their personal information is being processed and to access that personal information.

Although it may be some time before the obligation to comply with PIPA becomes law, employers should in any event start to prepare for compliance.  A good first step is to undertake an internal data audit, to help understand exactly what personal information the organisation uses, where that data is held, the purpose(s) for which that data is used and where that data is transferred to and from.  It is also advisable to consider updating template employment contracts and internal policies in good time before the new law comes into force.

PIPA shares many similar features with the EU General Data Protection Regulation (GDPR).  This means that achieving compliance with one regime puts an organisation well on the way to achieving compliance with the other.  Some organisations in Bermuda may already be required to comply with the GDPR, or could be part of a group that does, so may be able to take advantage of work which has already been done.  Those organisations starting from scratch should not underestimate the burden of compliance and would be well-advised to start their preparations as soon as possible.

As much personal information used by an organisation is likely to relate to its employees, it would be prudent for HR practitioners to ensure they are involved in their organisation’s efforts to implement PIPA.  It is also advisable to keep an eye out for the further information and guidance which we expect the Commissioner to issue throughout the year.

Locations

Bermuda

Services

Employment & Immigration, Regulatory Advice

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Bermuda-1024x576-1
11 Sep 2025

A guide to selling your Bermuda home

Bermuda homeowners should protect their interests by enlisting expert advice when they decide to sel...

Neil Molyneux
Neil Molyneux
Bermuda-1024x576-1
10 Sep 2025

Discipline Now Key as Pressures on Reinsurers Mount

The reinsurance market is in a strong position after two years of profits and covering its cost of c...

Brad Adderley
Brad Adderley
Appleby-Website-Insurance-and-Reinsurance
10 Sep 2025

Education and Acceptance Fuel Wave of New Sponsors in Cat Bond Market

With the catastrophe bond market seeing eleven new sponsors enter the space so far this year, the tr...

Brad Adderley
Brad Adderley
Appleby-Website-Insurance-and-Reinsurance
9 Sep 2025

Built on Governance, Driven by Innovation: The Bermuda Advantage

Holding 85% of the cat bond market, Bermuda’s edge in alternative capital is no accident. “Re...

Brad Adderley
Brad Adderley
Appleby-Website-Employment-and-Immigration
26 Aug 2025

Walking the Tightrope of Restrictive Covenants

Restrictive covenants in employment agreements can often be a tightrope for employers. Ideally, thos...

Anna Markiewicz
Anna Markiewicz
ICLG Fintech 21 cover
26 Aug 2025

Insights from the BMA’s Discussion Paper on Responsible Use of Artificial Intelligence in Bermuda’s Financial Sector

The Bermuda Monetary Authority (BMA) recently published a discussion paper on 30 July, 2025: The Res...

Brad Adderley
Aleisha Hollis
Brad Adderley, Aleisha Hollis
Appleby-Website-Insurance-and-Reinsurance
25 Aug 2025

Bermuda – Influential Women in Hamilton: Melinda Mayne

Insurance companies in Bermuda are more open to discussions on diversity and inclusion, though there...

Melinda Mayne
Melinda Mayne
Appleby-Website-Privacy-and-Data-Protection
28 Jul 2025

Insights from the BMA’s Second Consultation Paper on Digital Identity Service Providers

As jurisdictions around the world grapple with the complexities of authenticating digital identities...

Richard Collis
Richard Collis
Technology and Innovation
24 Jul 2025

Contracts to Manage AI Risk: Part Two (Bermuda)

In part one of this two-part series about artificial intelligence contracts, I discussed the ways th...

Duncan Card
Duncan Card
Technology and Innovation
22 Jul 2025

Contracts to Manage AI Risk (Bermuda)

This is the first of a two-part article on how artificial intelligence contracts can be used to mana...

Duncan Card
Duncan Card