Column: ‘Create A Culture Of Data Privacy’

August 25, 2020

[Opinion column written by Nicole Rozon]

Bermuda’s Culture

Bermuda is a small island with a population of some 64,000, yet it is home to some of the largest international companies in the world. There are approximately 16,000 registered companies, and Bermuda participates in some 40% of the insurance and reinsurance written worldwide, with over $300 billion in losses paid out since 1997.

As an international finance centre, Bermuda's legislation has had to keep pace with international standards in order to compete globally. The Proceeds of Crime Act in 2008, the Anti-Terrorist Financing Act 2008 and the International Sanctions Act 2003 [and its regulations] raised awareness among local companies of the importance of meeting international standards and introduced a culture of compliance within Bermuda. Most recently, the enactment of the European Union's General Data Protection Regulation [“GDPR”] and Bermuda's Personal Information Protection Act [“PIPA”] added a privacy layer to the regulatory regime, affecting all individuals, businesses, nonprofits, charities and Government. From a compliance perspective, these privacy laws are a continuation of the earlier regulations rather than a new departure.

PIPA was first introduced in 2016 and has been reported on regularly in the media since, most recently with the appointment of Mr. Alexander White as Privacy Commissioner in January 2020. Press releases continued to signal that enforcement of PIPA was forthcoming. Bermuda was put on “notice” that compliance is required.

Buy-In

The Anti-Money Laundering and Anti-Terrorist Financing [“AML/ATF”] legislation affected not only the business community but also individuals who were customers of local financial institutions. All business owners and private individuals were asked for personal documents in order to open, or continue using, financial services such as banking, investments and health insurance.

This development had the positive effect of introducing most individuals on the island – including retail, business, charities and Government – to compliance and, to a degree, to privacy issues. The financial and business community is well on its way to data privacy compliance, having already complied with AML/ATF and cyber policies.

Bermuda's corporate culture is known as an “informal” business environment: everything from Bermuda shorts for men to flexible time schedules and social and business familiarity with one another. If you wanted to find out about someone, it would not be difficult to phone your “cousin” who works at an office to confirm an email address and other personal information. This familiarity is coupled with a generally kind and polite mind-set of “opening the door, holding the elevator, or helping the ‘Fed Ex’ person” – all part of Bermuda's friendly culture.

However, from a business perspective, we need to gain buy-in for personal data privacy and protection. This starts with the individual employee: the same familiarity that makes it easy to confirm an email address over the phone, or to hold a door open for someone carrying a parcel, is the most common exposure in a small community such as Bermuda.

Many privacy or cybersecurity disaster scenarios begin with the exposure of private data, whether electronic or physical. These unintended breaches can lead to more serious ones in which personal, private data is in fact stolen or, worse, leaked, as happened with the Paradise Papers. A privacy breach of a company's database of this sort could negatively impact the business's staff, customers and third parties.

Senior management and owners of local companies in Bermuda will need to ensure that their staff and colleagues embrace data privacy and security as they did when AML/ATF was first introduced. Appointing a Privacy Champion, Ambassador or Data Privacy Officer [“DPO”] can help to initiate a PIPA compliance program. That person should obtain buy-in from the key stakeholders: directors, senior managers, the head of operations, shared service team leaders, and the heads of legal and human resources. Such endorsements promote compliance with PIPA and support for a privacy program. Once you secure the leadership's buy-in, staff, customers and third-party vendors will follow suit. The tone starts from the top, and that is particularly true for our local community.

The DPO can reiterate the benefits of a PIPA program, such as: 1] a reduced risk of failing to meet data privacy and protection compliance, 2] increased awareness of privacy and data protection within the organization's culture, and 3] early identification of potential risks, reducing the time and money needed to remediate issues.

Here are a few steps Privacy Officers can take to get buy-in and ultimately create a culture of data privacy in support of PIPA compliance:

  • 1. Define what constitutes private personal data;
  • 2. Discuss the repercussions and consequences of NON-compliance, including fines, penalties and sanctions, with all employees including the Board;
  • 3. Provide training and awareness at all levels, including employees, business owners, leadership, officers and vendors
    • a. Training would include
      • i. Relevant privacy laws
      • ii. How to identify potential violations
      • iii. Privacy complaints and misconduct, including the proper reporting procedures
      • iv. Any company-specific, legal, financial and reputational consequences of violating privacy laws and policies;
  • 4. Require staff to read and sign a Code of Conduct statement that outlines their responsibilities under the Data Privacy and Protection policy;
  • 5. Treat data privacy and security as a process rather than a goal; reasonable compliance [with PIPA and otherwise] will follow as a result;
  • 6. Monitor and audit compliance efforts against industry best practices; and
  • 7. Evaluate and revise compliance protocols as and when needed.

In conclusion, organizations that emphasize training to create a culture in which each employee pauses to consider the privacy implications of their actions will succeed in changing the mindset of both their employees and the wider community.

- Nicole Rozon, CPA, CA, ARMS, CAMS is VP of Risk and Compliance for Dyna Management Services Ltd. She has recently completed her Data Privacy Practitioner course sponsored by The TLC Group of Companies UK Ltd. www.thetlcgroup.pro. For further information regarding Data Privacy laws in Bermuda, please visit the Office of the Privacy Commissioner’s web site at www.privacy.bm, or you can call the office at 441-543-7748 and email at PrivCom@privacy.bm


Opinion columns reflect the views of the writer, and not those of Bernews Ltd. To submit an Opinion Column/Letter to the Editor, please email info@bernews.com. Bernews welcomes submissions, and while there are no length restrictions, all columns must be signed by the writer’s real name.


Comments (1)


  1. Grakoos says:

    Good article and all valid points. There have been some unintended consequences, however, from PIPA. The additional administrative burden has been particularly onerous on small local charities. These are the charities that are all-volunteer with no paid staff, and in many cases they provide unique and much-needed services to the community. As someone who occasionally assists them in technical or accounting matters, I've seen first-hand how they have struggled to meet the standards of compliance.

    At the same time many face a loss of funding from government and a reduction or total loss of their corporate funding – and that was before Covid-19. PIPA is obviously necessary, but some of these charities will be forced to shut down as they simply don’t have the resources to continue.

    I’m not offering a solution, I honestly don’t have one. It is something for us all to be aware of however. One day we might need their services, but they will no longer be there.