Countdown to Compliance – PIPA takes effect

Feb 29, 2024 | IASME Cyber Assurance

PIPA legislation will come into force on January 1, 2025. Are you ready?

As a business in Bermuda, you will know that the privacy legislation, designed to protect personal data and information, is expected to come into force on January 1, 2025.

Since the Personal Information Protection Act (PIPA) was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been busy developing governance operations, organising administration resources and educating the public and businesses who collect and use personal information of their respective rights and obligations under PIPA.

PIPA aims to make sure that individuals have control over how their personal information is used. Bermuda organisations will therefore have to review all of their business processes with a view to revising many of them into PIPA-compliant practices. Failure to comply with the key principles and detailed provisions of PIPA may leave you open to investigation, enforcement, and/or prosecution for an offence.

Why is PIPA important?

PIPA outlines the requirements for organisations that use personal information, as well as the rights that individuals have regarding the use of their personal information by organisations. This legislation, which follows international best practice, applies to all organisations, businesses and the government that use personal information in Bermuda.

Data protection legislation like PIPA demonstrates alignment with global standards, such as the General Data Protection Regulation (GDPR) in the European Union, which is important for international business relationships. Countries with strong data protection laws are often viewed as more attractive for international business, fostering a competitive environment. Adherence to high data protection standards can be a selling point for businesses operating in or dealing with Bermuda.

How can I comply and demonstrate compliance?

A partnership between PrivCom and IASME

In order to give organisations a way to implement and demonstrate compliance with the PIPA regulations, the Office of the Privacy Commissioner (PrivCom) and its Innovation Unit have been working with the IASME Consortium. IASME is a UK-based organisation that is committed to helping businesses improve their cyber security, risk management, and good governance through an effective and accessible range of certifications. Its flagship cyber security standard, IASME Cyber Assurance, is a comprehensive but affordable cyber security certification scheme that can demonstrate an organisation is taking good steps to properly protect its customers’ information. Many of the organisations in Bermuda that process or store data from around the world are expected to certify to the IASME Cyber Assurance standard in order to demonstrate compliance with PIPA. A prerequisite to the certification is IASME Cyber Baseline, a basic but critical cyber hygiene certification scheme designed to protect an organisation against mass automated attacks from the internet.

About the IASME Cyber Assurance certification

IASME Cyber Assurance is an extensive yet flexible, risk-based information assurance standard, which is an affordable alternative to ISO 27001. Organised under 13 cyber security themes, certification provides assurance that an organisation has put in practice a range of important cyber security, privacy, and data protection measures. As an internationally recognised certification, IASME Cyber Assurance can help demonstrate compliance with PIPA as well as other privacy and data protection legislation such as GDPR.

The IASME Cyber Assurance standard is an effective way to demonstrate compliance with the Personal Information Protection Act.
