Skip to Content

The PIPA Question - Why We Asked It And How We Answered It

July 13, 2026 by
The PIPA Question - Why We Asked It And How We Answered It
Mike Serebrennik
| No comments yet

We Are a Healthcare Business. We Had to Ask Ourselves This Question Too.

We handle medical equipment. We service diagnostic and therapeutic devices for clinics and labs across Bermuda. We work with prescriptions, patient-adjacent records, and service histories tied to real people's health. So when we sat down to look honestly at our own privacy compliance, we did not get to treat it as someone else's problem.

We had named a Privacy Officer. Of course we had. Most businesses did, once PIPA came into force. But when we asked what that person had actually been trained to do, the honest answer was: not much. A title on a page. Not a job anyone had been walked through, tested on, or certified in.

We are a physician-founded company. We know what it means to take patient information seriously in a clinical setting. That made the gap harder to ignore, not easier. If we had not closed it properly, who had?

Healthcare Data Carries More Weight

Personal information is personal information under the law. But health-related data carries a different weight in practice. A leaked email list is bad. A leaked record tying a person's name to a health condition, a device they use, or a prescription they fill is a different case entirely. It follows someone. It cannot be recalled.

That is the standard to which we hold our own equipment and service work. We could not hold our data practices to a lower one.

The Regulator Is Watching Now, Not Later

For the first few years after PIPA passed, Bermuda's Office of the Privacy Commissioner spent its time on outreach and education. That period is over. The office has now published its first full annual report since the law came into full force on January 1, 2025, and the message in it is direct: organizations should expect a shift toward real enforcement, not just awareness campaigns.

A new Commissioner, Gretchen Tucker, took office this past March. Her report describes a full year of complaints, breach reports, and review requests already logged, and it names enforcement as the office's core priority going forward.

A separate review of privacy notices from businesses across Bermuda found that fewer than one in nine were fully compliant with the law. Nearly half had no privacy notice at all. Most gave the public no way to reach their own Privacy Officer, and almost none gave the public the Commissioner's contact details, which the law requires.

We do not say this to point fingers. We say it because on our own journey to PIPA compliance, we had to take care of all the same things. The difference is we checked, before someone else checked for us. Under PIPA, willful noncompliance can carry fines of up to $250,000, alongside enforcement orders and public findings that damage a small company's name far past the cost of the fine itself.

What We Did About It

We did not think a copied template or a name on a webpage was good enough for a healthcare business to stand behind. So we went looking for a proper course. Something built specifically for PIPA, specifically for the Privacy Officer role, with real training behind it and a credential at the end that meant something.

What we found was not quite it. There are options out there - boot-camp style courses run through the professional services world, the occasional workshop, PrivCom's own Guide to PIPA. All useful in their own way. None of them quite fit what a small or mid-size business actually needs day to day. Something on-demand, to be completed at one's own pace, not tied to a scheduled session you might miss and then wait months to see offered again. Something that gives an actual test, not just fills a seat. Something built for the person who has to live in this role, not just sit through one day of it.

So we built it. PIPA for Privacy Officers is the first course live on Adherio, a Bermuda-based training and credentialing platform, available now at adherio.com. It walks a Privacy Officer through the Act in plain language, covering what counts as personal information, how long it can be held, what to do in the first hour of a breach, and how to write a privacy notice that actually holds up. Included are a study guide, a set of checklists, vignettes, and quizzes. It ends with a credential - a certificate of completion earned by passing a test, not just a record of attendance. Adherio also keeps track of training credentials, so they are impossible to misplace.

We built it because we needed it ourselves first. A healthcare business does not get to treat data protection as an afterthought, and neither should any business handling information that matters to the people behind it.

The enforcement era in Bermuda has started. We would rather be ready for it than explain, after the fact, why we weren't.

Skills confirmed. Risks removed. Trust earned.


The PIPA Question - Why We Asked It And How We Answered It
Mike Serebrennik July 13, 2026
Share this post
Tags
Archive
Sign in to leave a comment
Do Not Wait For A Breakdown!