Bermuda’s Personal Information Protection Act, 2016 will add a significant degree of complexity and management diligence to ensure that the use of personal information in Bermuda is legally compliant. Appleby has already assisted many dozens of domestic and international clients with their PIPA compliance preparations, policy and procedure formulations, governance oversight, and organizational compliance education and training.
Appleby can assist private and public sector organizations with formulating their data protection policies and compliance practices, preparing all consents and privacy notices, by undertaking compliance audits and assessments, providing full staff training for privacy compliance (including Board level seminars and Privacy Officer training), and assistance with all processes related to how to respond to individual privacy enquiries, as well as the resolution of complaints and disputes. Responding to personal information access requests requires advanced planning, and we can help you prepare and respond in a timely and efficient manner. See below for a full description of our privacy law and data protection services.
PRIVACY LAW & DATA PROTECTION SERVICES
Our specialized privacy law and data protection team assisted with drafting Bermuda’s Personal Information Protection Act, 2016, which is heavily based on Canadian law with some influences from Europe’s GDPR data protection regime. With Canadian trained legal counsel on our team, we have over 20 years of privacy law and regulation compliance with the privacy law regimes that PIPA is primarily based on. Having already assisted many dozens of domestic and international clients, in both the private and public sectors, to comply with PIPA when it comes into full force and effect on 1 January 2025, we can provide your organization with the following privacy law and data protection services:
- Assistance with structuring your privacy compliance program: We can provide a turn-key analysis of your enterprise’s privacy laws obligations and requirements from start to finish, as well as advise on discrete aspects of your current approach to the privacy compliance program that has already commenced.
- Privacy Compliance Program Audit and Assessments: We can review your existing compliance policies, procedures, forms of notices and consents, operational practices, security protection practices, and proposed governance oversight regime to identify any gaps or shortfalls that may exist, and to recommend any improvements that may be required.
- Privacy Compliance Policy & Practices Staff Education and Training: Whether as training seminars, presentations or instructional sessions, we can provide privacy compliance training for Privacy Officers, general staff, organizational managers and C-Suite executives, as well as for Board of Directors. We will tailor those instructional sessions to address the nuances of your organization that you feel are unique and important for sustainable compliance with PIPA.
- General Counsel Consultation: We provide an ongoing service to provide highly specialized privacy law and compliance advice and guidance to all levels of in-house counsel, including to serve as a resource and compliance sounding-board as well as offering assistance with complex compliance and corporate governance issues as they may arise.
- The Availability and Invocation of PIPA’s Grounds of Compliance Exemption: We offer private and public sector organizations with understanding and implementing the policies, procedures and operational activities to take full advantage of PIPA’s express, but highly qualified, grounds of compliance exemption.
- Privacy Security Standards Requirements: Given the proportional nature of PIPA compliance duties, we can assist your enterprise to determine the quality and nature of privacy security standards and requirements that are specifically demanded of your organization under PIPA. Our cyber-security compliance experience allows us to also assist with consolidating multiple processes for security incident reporting where organizations are so regulated in addition to PIPA.
- Processes for Individual Access and Correction Requests: We can develop the required policies and processes for organizations to comply with their obligations to allow, facilitate and respond to personal information access, use purposes, correction and deletion requests, including all organization responses, permitted refusals, and related compliance undertakings. Given the scrutiny that such privacy rights policies and procedures will receive from the Privacy Commissioner over time, we will design those access regimes to comply with PIPA’s related requirements and stipulations.
- Complaints and Dispute Resolution: Internal processes to handle complaints and to resolve disputes is encouraged under PIPA, and the existence of such practices may influence when the Privacy Commissioner may decide to become involved in such matters. We can design and structure those internal complaints and dispute management processes for the purpose of mitigating, if not avoiding, the escalation of such matters: for consideration, investigation or action by the Privacy Commissioner; or, as a matter of possible civil litigation before a Court of competent jurisdiction; or, as a matter of prosecutorial investigation or action by the Crown.