Two current hot topics in the office are data protection and cybersecurity. Not only are they areas that we advise our clients on, but they also directly affect our day-to-day habits in the office.

Gone are the days when a lawyer’s desk and office would be covered with piles of paper and folders. In recent months, all of us at Appleby have gone through extensive security awareness training. We have also become subject to various compliance policies and procedures that ensure that we have a strong and secure data/cyber environment.

The drive for increased data protection in Bermuda is due to several factors, such as:

• The coming into force of the EU General Data Protection Regulation (GDPR) in May 2018

• The upcoming Personal Information Protection Act (Pipa) that will be coming into force later this year and

• New York State’s introduction of Cybersecurity Regulations in March 2017

GDPR is designed to protect all European Union citizens from privacy and data breaches in an increasingly data-driven world.

The GDPR regime imposes new and enhanced responsibilities on businesses for safeguarding the data that they process. GDPR applies to all organisations holding and processing EU residents’ personal data, regardless of geographical location, so just by merely offering goods and services to an EU resident, GDPR compliance requirements must be met.

Potential fines for non-compliance are phenomenal, being up to €20 million or 4 per cent of annual global revenues, whichever is higher.

Pipa is anticipated to come into full effect in December and will regulate the future processing of all personal data in Bermuda. Pipa was drafted in parallel with GDPR with the goal of enabling the unhindered transfer of personal information between Bermuda and any EU member state, and between the increasing number of other countries that have been or will be deemed adequate by the EU Commission.

This is particularly useful considering the current market environment where Bermuda is actively seeking to attract digital asset businesses and ICO activity by creating a regulatory environment for these businesses.

Pipa will further cement Bermuda’s reputation as a leading international offshore centre. Under Pipa, refusal to comply or failure to comply with an order issued by the Commissioner is an offence. A corporate entity is liable on conviction to a fine of up to $250,000. Individuals found in breach may be subject to a fine of up to $25,000, or imprisonment for a term of two years, or both.

In March 2017 New York State introduced Cybersecurity Regulations that require financial services organisations to formally assess their cybersecurity risks and establish a programme to address those risks. The regulations include a requirement to establish minimum cybersecurity practices that their suppliers and service providers must meet.

These new regulations have enforced security requirements upon the supply chain of American financial institutions. So, even though an organisation may not be directly regulated, if the organisation has American clients that are bound by such regulations, they must be prepared to be on the receiving end of their client’s cybersecurity requirements.

With all these regulations in place, businesses globally and locally alike will feel increased pressure to ensure that they are ready for the authorities. Ignoring the regulations and their potential impact on your business in the event of a data breach or non-compliance simply isn’t an option. Compliance will cost money and time, but avoidance will cost far more should the penalties hit.

Actions to consider as soon as possible:

• Review and seek advice on what these regulations might mean to you and your business

• Assess the level of privacy and cybersecurity risk to which your business is exposed

• Based on your company’s policies, draft appropriate personal information collection statements, customer terms and conditions, website privacy policies, and employment terms and conditions

• Invest in cybersecurity and put in place appropriate technical safeguards to protect personal information from loss, destruction or unlawful access

• Prepare policies to govern how your company’s human resources department will deal with job applicant data, retention of and access to employee files, employee monitoring, management of sensitive employee data and the use of external vendors for functions such as payroll

• Attorney Stephanie Shih is a member of the Corporate Team at Appleby. A copy of this column is available on the firm’s web site at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer