Law: Personal Information Protection Act 2016 ('PIPA')

Regulator: Office of the Privacy Commissioner for Bermuda ('PrivCom')

Summary: Currently the legislative data protection framework in Bermuda is comprised of a complex set of sectoral laws, regulatory guidance, and common law precedents. Key sector-specific regulations address the banking, FinTech, and telecommunications sectors. PIPA would become the overarching, central piece of legislation regulating personal data protection. On 20 January 2020, the appointment of Bermuda's first Privacy Commissioner, Mr. Alexander McD White, became effective. This appointment allowed for the establishment of the new independent supervisory authority, PrivCom. 

Notably, PIPA sets out the obligations on organizations, including statutory requirements to adhere to the principles of fairness, purpose limitation, proportionality, and maintaining the integrity of personal information, as well as employing security safeguards in relation to data subject to processing. PIPA further provides for requirements on organizations to appoint a data protection officer, and to notify the Privacy Commissioner and data subjects in the event of a personal data breach. Importantly, PIPA also provides for an overarching requirement for organizations to adopt suitable measures and policies to give effect to the rights of individuals, which include the right to be informed, access, rectify, erase, and object to the processing of their personal data.