Appleby published an article on November 5th, 2020, on the Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers in Bermuda.
The details come from a Q&A session that discussed the obligations of private-sector data controllers in Bermuda and the requirements for data controllers under the Data Protection Law.
Key points:
- The supervisory authority responsible for data protection is the Bermuda Privacy Commissioner. Under Bermuda’s Personal Information Protection Act 2016 (PIPA), a data controller is not required to notify, register with, or seek authorization from the Privacy Commissioner before processing personal data.
- PIPA does not require the Privacy Commissioner to authorize cross-border data transfers. Data controllers should determine whether a third party provides the level of protection required by PIPA before transferring data outside Bermuda.
- If the organization cannot rely on the overseas third party’s level of protection, it must employ contractual mechanisms, corporate codes of conduct, or other means to ensure a comparable level of protection as required by PIPA.
- The Privacy Commissioner has the discretion to allow a cross-border transfer that does not comply with PIPA’s requirements if both of the following hold: 1) the organization reasonably demonstrates that it cannot comply, and 2) the transfer does not undermine the individual’s rights.
- Data controllers are also required to appoint a Data Protection Officer (DPO), and the DPO may delegate its duties to one or more individuals. The DPO’s details would also not be required by the Privacy Commissioner.
Reference: applebyglobal.com
Contributed by: Jason Jacobs from Guyana. Jason is a member of the CCST Discord group from the G5 Cyber Security Foundation Ltd. Learn more about CCST (Caribbean Cyber Support Team) by visiting caribbeancst.org. CCST is a collaborative group on the Discord platform for Caribbean people in IT, from beginners to experts.