On 9 July 2021, the Data Protection Act, 2021 (the DPA) came into force in the British Virgin Islands (the BVI). The DPA applies to all BVI companies, limited partnerships and other entities that process, have control over or authorise, the processing of, personal data anywhere in the world (such an entity, a “data controller”). It also applies to non-BVI entities that use equipment in the BVI for processing personal data otherwise than for the purposes of transit of data through the BVI.
1. Practical impact
- BVI entities that are not data controllers do not need to take any action.
- BVI entities that are data controllers need to take certain limited steps – such as preparing a privacy notice, obtaining consents and getting third party data processor confirmations.
- As the DPA is similar to the GDPR, the practical implications should be minimal for groups that are already familiar with GDPR compliance.
2. Data protection principles
Data controllers must now comply with the data protection principles set out in the DPA including:
- not processing personal data except with the express consent of the data subject (being the natural person, whether living or deceased, whose data is being processed) or where it is necessary for certain specified reasons, such as the performance of a contract to which the data subject is a party. Additional conditions apply in respect of “sensitive personal data” (examples of which include political opinions, religious beliefs, health, sexual orientation and offences). However, processing will be permitted if it is for a lawful purpose directly related to an activity of the data controller, the processing is necessary for, or directly related to that purpose and the personal data are adequate but not excessive in relation to that purpose. Personal data must not be transferred outside the BVI unless there is proof of adequate protection safeguards or consent from the data subject;
- informing a data subject of the purposes for processing, the source of the personal data, the rights to request access to and correction of personal data, the class of third parties to whom the personal data will be disclosed, whether the data subject is obliged to supply the personal data and the consequences of non-compliance;
- taking practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction; and
- giving data subjects the right to request access to their personal data and correction of that data where they are inaccurate, incomplete, misleading or not up-to-date.
For the purposes of the DPA, “personal data” means any information in respect of commercial transactions1 that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.
3. Rights of data subjects
The DPA also grants to data subjects specific rights in relation to their personal data including:
- the right, on written request, to require that processing of their personal data for the purpose of direct marketing ceases or does notbegin;
- the right to bring civil proceedings in the BVI High Court for damage or distress caused by contravention of the DPA; and
- the right to complain to the Information Commissioner regarding alleged contraventions of the DPA.
There are potential exemptions from the obligations under the DPA where personal data is processed for the prevention or detection of crime or for the purpose of investigations, the apprehension or prosecution of offenders, the assessment or collection of taxes, preparing statistics or carrying out research, necessary compliance with any court order or judgment or the discharge of regulatory functions.
The Information Commissioner is the regulator responsible for the proper functioning and enforcement of the DPA.
The functions of the Information Commissioner include:
- monitoring compliance by public and private bodies with the requirements of the DPA;
- providing advice to public and private bodies on their obligations under the DPA;
- investigating complaints about alleged violations of the data protection principles; and
- managing technical co-operation and exchange of information with foreign data protection authorities.
The Information Commissioner has wide powers under the DPA to, among other things, require the provision of information, enter and search premises under warrant and require data controllers to rectify or erase data.
Offences under the DPA include:
- processing sensitive personal data in contravention of the DPA;
- wilfully obstructing the Information Commissioner or an authorised officer in the conduct of his or her duties and functions;
- wilfully disclosing personal information in contravention of the DPA; and
- collecting, storing or disposing of personal information in a manner that contravenes the DPA.
7. Next steps for in-scope entities
- Prepare a privacy notice to provide to data subjects which explains how the entity collects, uses, retains and otherwise processestheir personal data.
- If you use the services of data processors (e.g. for pay-roll processing), ensure that the data processor (a) provides sufficientguarantees in respect of the technical and organisational security measures governing the processing to be carried out and (b)takes reasonable steps to ensure compliance with those measures.
The new data protection regime is a much-anticipated addition to the BVI’s legislative framework, bringing the BVI in line with UK and EU standards of data protection, in particular the EU’s General Data Protection Regulation (GDPR).
1 These are defined as “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance”.