The BVI Data Protection Act (DPA)
The BVI’s Data Protection Act was first proposed in 2019 with the intent to bring the archipelago’s privacy in line with U.K. and EU standards. It was formally passed in April 2021 and came into force on July 9 of the same year.
Based on the EU’s General Data Protection Regulation (GDPR), it follows many of the same data protection principles and uses similar definitions as the landmark European law. Its main purpose is to protect the sensitive personal data of individuals living in the BVI, as well as manage the collecting and processing of personal data by BVI data processors.
Under the data protection principles of the DPA, a data controller must request access before processing a data subject’s personal data. A data access request must be clearly worded and the data subject must provide express consent to the processing of data.
Throughout this article, we’ll be using some jargon that you’re probably unfamiliar with (unless you’ve read our GDPR article), so let’s define some of the terms that the DPA uses:
- Personal data — Any data that can identify you as an individual, either directly or indirectly, when combined with other data
- Data subject — Any person having their personal data processed
- Data user or data controller — Any company, organization or other public or private body that collects and stores personal data and processes it themselves or with the aid of a separate data processor
- Data processor — Any company, organization or other entity that processes personal data (an entity can be a processor and controller at the same time)
- Sensitive personal data — Any personal data relating to a data subject’s physical or mental health, sexual orientation, political opinions, religious beliefs and committed, or allegedly committed, criminal offenses
What Is the DPA For?
The DPA is meant to protect the personal data of BVI data subjects from unauthorized and unethical processing. It also prevents companies based in the BVI from gaining unauthorized or accidental access to their data subjects’ personal data, no matter where those subjects are.
Like the GDPR, the DPA regulates data processors both to uphold the right to privacy and to promote greater transparency and accountability among companies that use data unethically.
What Data Does the DPA Cover?
The DPA covers all identifiable personal data, meaning data that can be used to identify an individual. This includes directly identifying information such as your name, home address, email address, ID number and so on. It also includes indirectly identifying information, like your date of birth, postal code, IP address, license plate information and geolocation data.
Sensitive personal data, the category we defined above, is also covered. Our article on data anonymization has more information about how personally identifying data can be used to harm you and why its protection is so crucial.
The BVI Data Protection Act protects all personal data that could be used to identify you.
It’s important to note that the law speaks of these terms as relating to commercial transactions. It defines commercial transactions as “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing and insurance.”
Thus, the data collected must have a lawful purpose directly related to the service provided by the data controller, especially if they’re processing sensitive personal data.
Who Is Covered by the DPA?
The DPA protects people residing within the BVI whose data is processed by a data controller that’s incorporated in the BVI or any other country. It also explicitly states that data subjects not residing in the BVI, but whose data is processed by a BVI-based data controller, are also protected by the law.
This means that BVI-based companies, like ExpressVPN, must abide by the law and handle your data in a responsible and transparent manner. You can read our ExpressVPN review if you’re interested in learning more about the best VPN service.
What Are the Consequences For Breaking the DPA?
The penalties for breaching the DPA can vary, depending on the severity of the breach. The Information Commissioner’s Office (ICO) is responsible for overseeing how the DPA is implemented and determines the penalties.
If a company fails to meet its legal obligation under the DPA, the ICO first issues a notice of compliance. Failure to comply will lead to prosecution. If convicted, a data controller might face penalties of up to $100,000, up to five years imprisonment or both.
For sensitive data processed without a lawful basis, the data controller could face a maximum penalty of up to $200,000, imprisonment of up to two years or both.
In cases where a corporate entity is found to be in breach, a director, company secretary or similar officer may also be held liable. The corporate body could also face fines of up to $500,000.