If your organization operates in Bermuda, here’s something you’ll want to be aware of: The Office of the Privacy Commissioner for Bermuda (PrivCom) has recently released specific guidance on transfer risk assessments. While the Bermuda Personal Information Protection Act 2017 (PIPA) will officially come into effect on January 1, 2025, the law’s provisions around international data transfers have been relatively vague. The release of this new guidance should provide much-needed clarity for businesses managing cross-border data flows.
Here’s a breakdown of the key points:
1. Requirements for Exporting Personal Data
To legally export personal data from Bermuda, organizations must either:
- Ensure comparable protections: Determine that the laws of the destination jurisdiction, together with the protections the data recipient itself provides, offer a level of protection comparable to that under PIPA, or
- Use additional safeguards: Put in place extra contractual, organizational or technical measures that bring the protection up to a comparable level, or
- Rely on a legal exception: Identify a valid statutory exception that justifies the transfer.
Only one of these three grounds needs to apply, but whichever one you rely on should be identified and documented, since that record is the evidence that the transfer was lawful.
2. Mapping Data Transfers
Like the GDPR, PIPA calls for a detailed mapping of international data exports. Each transfer should be identified and flagged through specific questionnaires, so that every cross-border flow is assessed for compliance before it takes place.
3. Assessing Adequacy of Protections
Organizations are now encouraged to use the template assessment provided in the new guidance to evaluate whether the protection mechanisms in the destination country are adequate. This means revisiting your current Transfer Risk Assessment (TRA) practices and ensuring they align with the PIPA requirements. The guidance sets out specific risk criteria, so update your existing TRA questionnaires and processes to reflect them.
4. Mapping to PrivCom Guidance
As you conduct these assessments, map your TRA questionnaires directly against the PrivCom guidance. This provides a clear record of compliance and evidence that you are taking the necessary steps to meet PIPA's international transfer requirements. Keep detailed records of the analysis so that a proper compliance trail exists.
5. Compliance Checklist
PrivCom has also released a non-mandatory compliance checklist that can be used. However, this may be of limited benefit where the substance is already reflected in your organization’s Records of Processing Activities (ROPA) and transfer risk assessment framework.
What Does This Mean for Your Organization?
In practice, the guidance asks organizations to do three things: map every export of personal data from Bermuda, assess each one against the template and risk criteria PrivCom has published (updating existing TRA questionnaires where needed), and keep records showing which of the three legal grounds each transfer relies on. Where your ROPA and TRA framework already capture this, the work is largely one of alignment rather than starting from scratch.
Need Help Navigating PIPA Compliance?
At Bortstein Legal Group, we’re here to help guide you through the complexities of Bermuda’s data protection laws. If you have any questions or need further assistance, don’t hesitate to reach out.