Data Protection - Starts with Data Discovery and Data Classification
Bermuda's Personal Information Protection Act (PIPA) received Royal Assent on 27 July 2016.
When does PIPA come into effect?
The Privacy Commissioner is working closely with the Government on a timeline and procedure for bringing the law into effect, but specific dates have not yet been set. Advance notice will be provided, but organizations are advised to prepare for when the provisions relating to specific rights and responsibilities come into effect.
Section 5 of the Personal Information Protection Act (PIPA), "Responsibility and compliance", contains the following requirements:
(1) Every organisation shall adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in this Act.
(2) The measures and policies in subsection (1) shall be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals by the use of the personal information.
(7) In meeting its responsibilities under this Act, an organisation shall act in a reasonable manner.
These provisions contain a great deal of flexibility. This flexibility is useful because every organization is different. Personal information may be used in many different ways and for many different purposes. These varying circumstances create a variety of potential risks to individuals.