Skip Ribbon Commands
Skip to main content

 Content Editor



Rules are changing around the world, in particular with updated data protection requirements from the EU coming into effect. Butterfield wants to ensure that we comply fully with global expectations, as well as the requirements of the legislation and regulations in the jurisdictions in which we operate and the countries where our clients are based. GDPR also introduces significantly higher fines for breaches of data privacy. Butterfield has opted to adhere to the higher standards arising for the various legislative changes occurring in the locations in which we operate; likely to be GDPR in most instances.
[ back to top ]
General Data Protection Regulation (“GDPR”) which comes into effect in the European Union on 25 May, 2018.
[ back to top
PI is defined broadly and includes and comprises data in relation to any living individual who can be identified from that data, and PI includes:

• names;
• addresses;
• social security numbers or local equivalent;
• telephone numbers and e-mail addresses; and
• health and financial information,
The aim of this legislation is to ensure there are good information handling practices in place. For example, identity theft, stolen credit cards and violated privacy policies may result in fraud, theft and deception. Abuse of health data, financial data or children's data can have an adverse impact on insurance, credit, jobs or parental control.
[ back to top ]
We have done the following:

• appointed a Chief Data Protection Officer (for the Group);
• appointed Local Information Officers in each jurisdiction;
• published an internal policy to assist our staff;
• created a privacy statement which is included our website;
• continue to ensure third parties we deal with and to whom we pass information uphold our data protection standards; and
• we have adjusted, where necessary, our terms and conditions for clients, to properly reflect new requirements.
The CDPO will provide the knowledge, expertise, day-to-day commitment and independence to properly advise the Group of its duties and conduct compliance activities in relation to the GDPR and applicable data protection requirements. He or she will be supported in his or her work by Local Information Officers based in each of our offices, as well as being supported by our Group Chief Risk Officer, Group Head of Compliance and General Counsel and Group Chief Legal Officer. The CDPO will be responsible for ensuring timely notification to the Group Executive Committee and to the Group Board of material breaches and ensuring prompt liaison regulators, including the parent regulator (the Bermuda Monetary Authority).
[ back to top ]
The LIO will have responsibility for a specific jurisdiction with accountability to ensure that local management, the local board(s) and the CDPO are made aware of any issues arising. They will be required to handle local reporting to regulators of breaches (in conjunction with local management and Compliance as required,) as well as ensuring material breaches are escalated promptly to the CDPO for timely notification to Group Exco, Group Board and parent lead regulator.
[ back to top ]
There are a variety of breaches that can occur, from sending one client’s information (or certain information) to a wrong address, to not ensuring client data is protected from an IT or cyber security perspective, to not seeking client consent to process their data appropriately, etc. Whilst the CDPO, assisted by the LIO, will be primarily responsible for breach reporting, all of our employees are directed to be vigilant and draw potential breaches to the attention of the LIO as soon as possible. Where appropriate, impacted clients will also be promptly notified.
[ back to top ]
Yes. You may make a Subject Data Access Request for a copy of data held we hold about you. All such requests must go through the LIO in the first instance. There is certain data held by the Group in compliance with our regulatory obligations for Anti-Money Laundering and Anti-Terrorist Financing (together “Financial Crime”) which does not need to be disclosed to clients, nor may it be destroyed.
[ back to top ]
Yes. Clients are permitted to ask for data to be erased, subject to any local laws that require certain data, such as regulatory Financial Crime data, for example, to be retained. Any request for data to be erased must be provided to the LIO in the first instance who will liaise as required. Should data be erased, the LIO will ensure a formal notification of confirmation is provided to you.
[ back to top ]
We have put in place appropriate inter-Group data transfer agreements to allow for certain data to be shared among Butterfield entities. This will be for the purposes of ensuring customers receive the correct product or service from Butterfield. We will be mindful of those clients who have expressly objected to this kind of sharing.
[ back to top ]
Please see our Privacy Statement for contact information within each jurisdiction.
[ back to top ]



Visit Our Other Sites