The BVI Data Protection Act, 2021 (DPA) came into force on 9 July 2021.
The DPA is drafted around a set of EU-style data protection principles (those of the General Data Protection Regulation 2016/679 (GDPR)) to which BVI data controllers must adhere: personal data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly understood and agreed to by data subjects. Any personal data collected must be adequate, kept up-to-date and should not be retained for longer than is necessary to fulfil the collection purposes.
Importantly, the DPA provides a standard framework for both public and private entities in the management of the personal data they use. Internationally active organisations will find many similarities between the DPA and data protection laws of other jurisdictions where they are active but there are some key differences. The DPA provides a lighter touch approach to data protection regulation than other jurisdictions in the region.
With the introduction of the DPA, businesses in the BVI should take steps now to achieve compliance. With fines of up to $500,000 and possible imprisonment for up to 5 years, organisations need to get it right – reputations and criminal liability are at stake.
APPLICATION OF THE DPA (AND GDPR)
The DPA applies to BVI public / governmental bodies, private bodies including all BVI companies and limited partnerships and to persons not established in the BVI but which may have equipment located in the BVI for processing personal data. In circumstances where a BVI DPA Subject processes personal data or has control over or authorises the processing of personal data relating to commercial transactions, the DPA will apply. This has particular importance to managers of BVI funds and investment vehicles.
All organisations that process or control personal data of EU data subjects irrespective of where they are established must comply with GDPR. This means that many BVI-based businesses are already within scope of the GDPR.
CONDUCT A PERSONAL DATA AUDIT
Every organisation, regardless of its size, uses personal data: data from which the identity of an individual can be ascertained. As an increasingly valuable business asset, and a potential business and reputational risk in the event of a data leak or hack, personal data needs to be carefully managed and protected. The first step towards achieving compliance under the new law is to understand exactly what personal data the business uses, where that data is held, the purposes for which that data is used and where that data is transferred to and from.
For consumer-facing businesses, personal data is often held in customer databases. In the era of cloud computing, however, identifying the full extent of an organisation's customer data holdings can be difficult, as the databases may not always be clearly marked out as such and may be distributed widely within an organisation or held by third-party processors. Attention needs to be given to whether data is being collected online, via mobile handsets, through CCTV footage, telephone calls or in paper form, and whether that collection is being done directly or through third parties.
The new law defines "personal data" widely to catch any data relating to a living individual who can be identified directly or indirectly from that data. Data that has been anonymised or aggregated may not strictly be personal data but should still be included as part of any audit. With the rise of social media and online public data sources the ability to re-identify individuals from anonymised datasets is now easier than ever and is becoming increasingly common through the use of big data analytics.
Employee data almost always includes "sensitive personal data" – which includes information about an individual's health. Sensitive personal data is a separate class of personal data under the law and is subject to enhanced protection before it can be processed.
Other Personal Data
Many organisations will also hold personal data about individuals who may not be their direct customers, such as directors, company officers and shareholders, as well as family members and other individuals who are connected to customers or employees. Any personal data that has not been directly obtained from a customer of the business will still be regulated by the new law. It is therefore essential to identify data holdings of this type as the business may not have any direct contractual relationship with these individuals.
DETERMINE THE PURPOSES OF PROCESSING
Once all personal data holdings have been identified, the organisation needs to assess how the data was obtained and the purposes for which each group of data is being processed. One of the fundamental rights for individuals under the new law is that personal data is only processed for purposes that the individual has been notified of in advance and has consented to. As part of this assessment, organisations should also consider their business plans to ensure that the collection and processing of data for any future initiatives or new technology deployments is also understood.
MAP DATA TRANSFERS
In an age where data can be exchanged at the touch of a button, understanding where personal data is being transferred to from its different points of collection is vital. Data transfers can broadly be of two types:
- third party processor scenarios in which the recipient simply processes the data in accordance with the transferor's instructions but has no right to process that data for any new purposes; and
- group transfers, which are transfers within the organisation, to business partners or to affiliated companies who collaborate in determining the purposes for data processing.
Both types of transfer will be relevant, although the compliance requirements under the new law will differ in each case.
DATA ACCESS, CORRECTION, RETENTION AND DELETION
The new law gives individuals the right to request access to personal data held about them by an organisation and to ask that any inaccurate data be corrected or deleted. Businesses will need to have procedures in place to manage and action these requests in a timely manner. Businesses will also be obliged to cease processing personal data once the purposes for which that data was collected have been exhausted. Prescribed data retention periods are not set out in the law, but an analysis will need to be undertaken to determine how long data should be kept. Similarly, it will be important to evaluate how personal data can be securely purged once the purposes for holding it have been fulfilled by the organisation.
A TOP-DOWN COMPLIANCE PROGRAMME
Implementing a data protection compliance programme involves engagement with the right stakeholders across the organisation and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. Written reporting procedures and protocols should be developed. The appointment of official roles such as a data protection officer is not mandated under the law but is recommended.
Compliance training will be required for personnel at all levels, including key external service providers. Serious misconduct should be addressed with appropriate disciplinary action. The compliance programme should be reviewed regularly to take into account changes in the law, changes in the types of data being collected and the purposes for which that data is being used, and new technologies and operating procedures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.