I rise today to announce that the Office of the Privacy Commissioner (PrivCom) has officially launched its 2024 Road to PIPA implementation plan in a public press conference on Monday, 29th January 2024 in celebration of Data Privacy Week.
The overall objective of the Road to PIPA plan is to offer guidance to Bermuda’s organizations and individuals in the year preceding the full enactment of the Personal Information Protection Act 2016, known as PIPA, and I encourage Bermuda to be ready when this legislation comes into force on 1st January 2025.
Throughout the year, the Road to PIPA campaign will offer a weekly, step-by-step process for organizations to follow to meet the requirements of the PIPA. The information will be updated regularly with downloadable resources available on PrivCom’s web site. Some of the relevant topics to be introduced include:
- The appointment of a Privacy Officer, including how a group of organisations under common ownership or control can share a privacy officer, and that the privacy officer may delegate their duties;
- Data Mapping and Inventory;
- Identification of Sensitive Personal Information;
- Secure Storage and Deletion of Information;
- Mitigating Organizational Risks;
- Incident Response Plans;
- Individual Rights Requests; and
- Privacy Notices.
The benefits to the Bermuda public of this well-thought-out strategy should result in a strong foundation on which to continue to build once the legislation is in effect. Throughout 2024, the Road to PIPA will:
- Provide tools, such as templates, to organizations to aid in building their privacy programmes;
- Improve general understanding of the potential risks related to the collecting and storing of personal information;
- Identify actions needed to retain competitive advantages in the global business arena;
- Enhance training and development opportunities for Bermudians to pursue careers related to data privacy, cybersecurity, and governance;
- Prepare organizations and individuals for PIPA implementation on 1st January 2025.
Data Privacy Week also included an event hosted by the Chamber of Commerce to “Get Ready for PIPA!” The Commissioner provided a history and overview of data privacy law and PIPA, and experts from Digicel Business and Symptai Consulting from Jamaica spoke about cyber security best practices and how risk management is key to protecting personal information.
PrivCom and the Government’s PATI/PIPA Unit (PPU) are working hand in hand to ensure that not only are island businesses prepared, but the public sector offices are also in compliance.
The implementation of PIPA will be a long and involved journey. But this journey will be worth it. It will help the jurisdiction, and particularly the Government, evolve its culture into one that advocates for and embeds privacy in its day-to-day operations and interactions.
Significant progress has been made in the development of the Government’s own Privacy Program and related tools. The Privacy Program has been influenced by PrivCom’s November 2020 guidance on “What is a Privacy Programme” and leverages the US National Institute of Standards and Technology (NIST) Privacy Framework. The PPU has begun promotion and awareness of PIPA and the Privacy Program with the Public Service Executive and Department Heads. In addition, monthly training sessions on PIPA and PIPA compliance are offered via the Government’s training program.
The PPU has also had focused interactions with select Ministries and Departments. This has enabled the Unit to customize elements of the Privacy Program to reflect:
- the context of the operation of a Government,
- the nature of Bermuda as a jurisdiction, and
- the requirements of PIPA.
These pilots are ongoing as each step of the plan is tested before rollout. We are currently piloting our PIPA Readiness Assessment step, a questionnaire with a series of questions against PIPA requirements that will be used for gap analysis. The intention is to roll it out across the Government shortly.
To that end, in the coming week I shall submit a signed “Road to PIPA Intent Statement” on behalf of the Cabinet Office. I invite other leaders of Bermuda’s organizations to do so as well, and they can find the statement on the Commissioner’s web site (www.privacy.bm).
The Road to PIPA may seem like a daunting journey to some. I encourage everyone to look at this journey not as a check box exercise, but as the addition of a core value to all our organizations, infusing responsibility and vigilance in the protection of the personal information in our care. Complying with PIPA should shape every organization’s and every employee's actions and decisions. It also promotes Bermuda as a jurisdiction that meets data privacy and data protection requirements from a global perspective.
In October 2023, Bermuda was able to demonstrate to the world the significant role our small jurisdiction can play in the global arena of technology and data protection, when we served as hosts of the 45th Global Privacy Assembly. I had the pleasure of addressing the assembly and can confidently say that the conference delegates represented all corners of the world, with officials and business representatives from countries on every inhabited continent, including the United States, Canada, Mexico, Brazil, Colombia, Argentina, the United Kingdom, Ireland, Portugal, France, Spain, Germany, Morocco, Kenya, Ghana, South Africa, United Arab Emirates, Japan, South Korea, Australia, and New Zealand, among others.
Adopting privacy-centric principles in our business operations is a critical factor in protecting personal information, preventing security breaches, and maintaining customers' trust. Remember, we all have rights under PIPA and therefore we all want the implementation of PIPA to be a success.
I urge my fellow Bermudians to seize this moment and again set an example for the world. Let us rise to the occasion of the full enactment of our country’s first privacy rights law – and continue onwards in our eternal quest to forge a more fair and ethical economy and society.
Before closing, Mr. Speaker, I would like to take this opportunity to thank the teams in the Privacy Commissioner’s Office and the PATI/PIPA Unit.
Thank you, Mr. Speaker.