Bermuda is a small island with some 64,000 population, but is home to some of the largest international companies worldwide. There are approximately 16,000 registered companies such as Yahoo, Apple, Mitel, and Google, to name a few. In addition, Bermuda participates in some 40 per cent of the insurance and reinsurance written worldwide, with over $300 billion in losses paid out since 1997. As an international finance centre, local jurisdictional legislation has been required to keep pace with international standards in order to compete globally. The Proceeds of Crime Act in 2008, Anti-Terrorist Financing Act 2008 and International Sanctions Act 2003 (and its regulations) raised awareness among local companies about the importance of meeting international standards and introduced a culture of compliance within Bermuda.Most recently, the enactment of the European Union’s General Data Protection Regulation (GDPR) and Bermuda’s Personal Information Protection Act (PIPA) added to the privacy regulatory regime, affecting all individuals, businesses, non-profit, charities, and Government. From a compliance perspective, these privacy laws are a continuation of previous regulations.PIPA was first introduced in 2016 and was regularly reported in the media and most recently the appointment of Alexander White as the privacy commissioner in January 2020. Press releases continued to be reported regarding the enforcement of PIPA that was forthcoming. Bermuda was put on “notice” that compliance is required. The Anti-Money Laundering and Anti-Terrorist Financing, (AML/ATF) legislation did not only impact the business community but individuals who were customers of local financial institutions. All business owners and private individuals were asked for personal documents to open or to continue using financial services such as banking, investments and health insurance. This development had a positive effect of introducing most individuals on the island — including retail, business, charities, and Government — to compliance, and to a degree, privacy issues. The financial and business community are well on their way to data privacy compliance as they have complied with AML/ATF and cyber policies. Bermuda’s corporate culture is known to be an “informal” business environment: everything from Bermuda shorts for men, flexible time schedules, and social and business familiarity with each other. If an individual wanted to ask about someone, it would not be difficult to phone your “cousin” who works at an office to confirm an e-mail address and other personal information. This familiarity is coupled with a generally kind and polite mindset of “opening the door, holding the elevator, or helping the ‘Fed Ex’ person” — all part of Bermuda’s friendly culture.However, from a business perspective, we need to gain buy-in for personal data privacy and protection. This starts with the individual employee, a common exposure for a small community such as Bermuda. The risks of many privacy or cybersecurity disaster scenarios are exposure of private data, whether electronic or physical data. These unintended breaches could lead to more serious breaches where personal, private data is in fact stolen or, worse, leaked, as happened with the Paradise Papers. This sort of privacy breach of the company’s database could negatively impact the business’s staff, customers and third parties. Senior management and owners of local companies in Bermuda will need to ensure their staff and colleagues embrace data privacy and security as they did when AML/ATF was first introduced. Appointing a Privacy Champion, Ambassador or Data Privacy Officer (DPO) can help to initiate a PIPA compliance programme. These individuals should obtain the buy-in from many stakeholders, such as directors, senior managers, head of operations, shared service team leaders, heads of legal and human resources. These endorsements have been shown to promote compliance with PIPA and support of a privacy programme. Once you secure the leadership’s buy-in then staff, customers and third-party vendors will follow suit. The tone starts from the top and is particularly true for our local community. The DPO can reiterate the benefits of PIPA programme such as: 1) reduced risk of failure to meet data privacy & protection compliance, 2) increased awareness of privacy and data protection culturally within the organisation, and 3) early identification of potential risks reducing the time and money to remediate issues. Here are a few steps privacy officers can take to get buy-in and ultimately to create a culture of data privacy towards PIPA compliance:1, What constitutes private personal data;2, Discuss repercussions and consequences of non-compliance which includes fines, penalties and sanctions to all employees including the board; 3, Provide for training and awareness at all levels, including employees, business owners, leadership, officers, employees, and vendors. Training would include: i. Relevant privacy lawsii. Identify potential violations iii. Highlight privacy complaints and misconduct including proper reporting proceduresiv. Any company specific, legal, financial, and reputational consequences for violating privacy laws and polices.4, Require staff to read and sign a code of conduct statement that outlines their responsibilities as part of the data privacy and protection policy; 5, Treat data privacy and security as a process rather than a goal and reasonable compliance (PIPA and otherwise) will come about as a result; 6, Monitor and audit compliance efforts against industry best practices and; 7, Evaluate and revise compliance protocols as and when needed. In conclusion, organisations that emphasise training to create a culture where each employee and individual gives pause to consider the privacy implications of their actions will succeed in changing the mindset of both the employees and the community. • Nicole Rozon, CPA, CA, ARMS, CAMS is VP of risk and compliance for Dyna Management Services Ltd. She has recently completed her Data Privacy Practitioner course sponsored by The TLC Group of Companies UK Ltd. www.thetlcgroup.pro. For further information regarding data privacy laws in Bermuda, visit the Office of the Privacy Commissioner’s website at www.privacy.bm, or you call the office at 543-7748, or e-mail at PrivCom@privacy.bm