Road to Pipa signed
The Office of the Privacy Commissioner and the Bermuda Police Service signed an intent statement on the implementation of personal information protection legislation yesterday.
The Personal Information Protection Act, which comes into force on January 1, 2025, will transform the use of data on the island.
Road to Pipa, the intent statement, was signed by Sherwin Joseph, Acting Superintendent for the BPS, and Alexander White, the Privacy Commissioner.
Angie Farquharson, the Deputy Privacy Commissioner, and Gretchen Tucker, the chief risk officer at BeesMont Group, witnessed the signing of the statement.
“So, as part of this kick-off, we are very excited to have a couple of organisations who are signing the Road to Pipa intent statement. So, thank you very much to the Bermuda Police Service,” said Mr White.
The legislation will set out the rights and responsibilities relating to data privacy in Bermuda.
“Pipa applies to every organisation in Bermuda, so it’s something every organisation needs to think about,” Mr White said.
“I imagine that the Road to Pipa will probably be more useful to those smaller businesses.
“But in fact, I think this programme will be useful for everyone because part of what we are doing is putting in resources for further examination for diving deeper and understanding the complexity a bit more.”
From now until the implementation of the act, the Office of the Privacy Commissioner will guide individuals and organisations in the adoption of the law, holding events that will help in the development of a privacy programme.
Privacy ambassadors, such as Ms Tucker, an advocate for privacy, will be appointed.
“For me, speaking in my individual capacity, being a privacy ambassador is really about speaking up and speaking out about why privacy is important,” Ms Tucker said.
“We have not been as readily aware as we should be about our own information and the fact that in today’s modern world data is the currency of the economy.”
Some organisations have been managing the process on their own. Some organisations are working with consultants.
“Part of this event is to make sure the community is well aware that January 1, 2025 is that deadline,” said Mr White.
Organisations as a whole must be involved: the chief executive should issue an intent statement and a privacy officer should be assigned, he said.
“Then we get into conducting an inventory or mapping exercise, where you evaluate all your data systems to learn where your data resides. That way you can understand what controls you need to put in place and from that point we identify the risks, the purpose for why you are collecting information and that’s what we call the Pipa requests response,” he added.
The intent statement can be accessed on the Privacy Commission’s website for those organisations wishing to sign it.
Data Privacy Week will also include a data privacy compliance seminar hosted by Digicel and a virtual Bermuda KnowledgeNet meeting, which is organised by the International Association of Privacy Professionals.