The Impact of Bermuda Data Privacy Protection on Business: Changes in Contracts

In my last blog on the new Bermuda Personal Information Protection Act (PIPA), I looked at the definition of the regulation. In this follow-up I want to examine some of the potential impacts of the act on businesses. If you “use” your customers’ personal data, then your contracts need to be reviewed to ensure compliance with PIPA.

For starters, there will be an impact on insurance policy and bank account applications.

If you “use” personal data on behalf of your clients, then you need to review the contracts you have with your clients to ensure they are PIPA compliant. Expect your Bermuda-based clients to be asking for this too.

This covers, for example, any contract that requires your organization to use personal data on behalf of your client.

Your organization’s policies will need to be updated (or created) to comply with PIPA. Examples include:

• Data Privacy Policy
• Information Security Policy
• Business Continuity Policy
• Data Retention Policy
• Vendor Selection and Management Policy


Your organization’s business processes will need to reflect the changes in your policies and the requirements of PIPA.

So review your processes for dealing with applicants’ requests for their personal information, and for dealing with their requests for data corrections.


Changes in Business Systems are another critical area to consider.

Your organization’s business systems should help ensure compliance with PIPA. Have you considered automated adherence to your data retention policies? Are you collecting only the data required? Breach monitoring and detection processes must be updated, and you also need to consider appropriate user access rights and how they are managed.


Who’s affected the most? Based on Fifth Step’s experience in helping organizations in the EU and the USA implement data privacy regulation over the last 7 years, we believe that insurers, brokers, reinsurers, and banks are most at risk. Then consider the potential impact on law firms, online retailers and healthcare providers. Internal departments need to audit their exposure to data privacy risks. That means a root and branch review of HR and Marketing departments, in-house Legal, IT, Finance and Procurement departments.


Next, consider supplier selection and management. If a supplier is responsible for misuse or a data breach, your company remains liable under PIPA. So ensure that your vendor management systems and processes are PIPA fit for purpose.

In my final blog on this subject, I will look at breach readiness. How can you ensure that you have a breach process and plan?

Darren Wray