Transparency is a legal requirement under Pipa
Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.
With the Personal Information Protection Act 2016 becoming fully effective on January 1, 2025, transparency has transitioned from a best practice to a legal requirement for organisations using personal information in Bermuda.
At the heart of this transparency are privacy notices. Under section nine of Pipa, a “Privacy Notice” is a clear and easily accessible statement about an organisation’s practices and policies with respect to personal information. It should be provided before or at the time personal information is collected, and include the mandatory disclosures set out in section nine in order to ensure full compliance.
Simply put, it is a document designed to inform individuals about how their personal information is being used.
A compliant privacy notice will include six elements:
• A clear statement that personal information is being used
• The purposes for which personal information might be used
• The identity and types of individuals or organisations personal information may be shared with
• The identity and location of the organisation
• The contact details of the privacy officer
• The ways in which individuals can limit the use of their personal information, and the means the organisation offers them for accessing, correcting, blocking, erasing or destroying it
There are two scenarios where a privacy notice is not required.
First, where personal information held by an organisation is already publicly available, for example, information published in a newspaper article.
Second, where use of the personal information is within the reasonable expectations of the individual.
When determining whether your privacy notice is compliant, it is important to distinguish between the EU’s General Data Protection Regulation and Pipa. Both provide a framework of rights and duties designed to give individuals greater control over their personal information.
However, although the compliance frameworks of the GDPR and Pipa are substantially aligned in principle, Pipa introduces distinct jurisdictional nuances, including some specific, stricter requirements.
Organisations should recognise that, while it is important to align data protection standards across their overseas companies, they should be cautious of the “global policy” adoption trap. A unified framework provides a strong foundation but cannot override the statutory requirements unique to Pipa.
Although the terms “policy” and “notice” are frequently used interchangeably, Pipa distinguishes between transparency obligations, which are addressed through a privacy notice, and internal governance requirements, which are typically addressed through policies and procedures.
The primary audience for privacy notices is the general public whom an organisation may collect personal information from. For example, organisations operating online must provide a privacy notice informing users of data collection during their visit, particularly when users voluntarily submit details for account creation or newsletters.
Privacy policies are internal documents designed for employees that serve as an organisation’s “suitable measures policy” to give effect to its obligations and the rights of individuals, as set out under section five of Pipa. These measures and policies should be designed with regard to the nature, scope, context, purpose and risk of the organisation’s use of personal information.
Privacy policies require a more tailored approach than privacy notices.
The Privacy Commission’s Guide to Pipa states that internal privacy policies should include:
• Data mapping and inventory
• Documenting personal information use practices
• Staff training and awareness
• Security safeguards
• Breach/incident response plan
• Response to access requests
In a future column, I will dive into the details of the implications of a noncompliant privacy notice.
• Akira McDonald is an associate in Appleby’s Corporate practice in Bermuda. A copy of this column can be obtained on the firm’s website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.
