With the enactment of the Personal Data Protection Act (PDPA), Sri Lanka joins a growing cohort of countries formalising data privacy as a regulatory priority. The law introduces a comprehensive framework for the collection, processing, retention, and disclosure of personal data, placing new obligations on both domestic and foreign entities operating within its jurisdiction. Leadership, says Hiranthi Fonseka, Partner, Assurance at EY Sri Lanka, must now prioritise the development of robust systems that ensure compliance from the outset.
Rethinking Personal Data Management
The legislation demands a fundamental reassessment of personal data management. As Fonseka notes, organisations must now interrogate the necessity of data collection, clarify its intended use, set clear retention periods, and establish permissible conditions for sharing data with third parties.
Crucially, the PDPA grants individuals enforceable rights over their personal information, shifting the dynamic from organisational control to individual autonomy. This tilt toward transparency and accountability will drive cultural change across sectors. “While multinational organisations may already be applying best practices due to exposure to global regulations like the GDPR, the shift will be particularly significant for local organisations that may not yet have formalised data privacy frameworks. The PDPA will help instil consistent standards across industries,” Fonseka says.
Legal Grounds, Avoiding Missteps
The PDPA permits data processing only on specific legal bases, such as fulfilling a contractual obligation, pursuing a legitimate interest, complying with legal requirements, or securing the data subject’s consent. Fonseka cautions that organisations must avoid missteps that stem from inadequate internal safeguards or a lack of awareness.
Ensuring compliance requires integrating privacy into the organisation’s operations at every level. Personnel handling personal data must understand both their responsibilities and the risks involved. Organisations must design policies and procedures that enable compliance in practice, not ones that merely exist on paper. Annual audits of data privacy practices are a key requirement, enabling the timely identification of weaknesses and corrective action. “Importantly, if your organisation engages third-party data processors, they must also be held to the same standard. They should be subject to audits and other compliance procedures to ensure controllers fulfil their responsibilities,” Fonseka says.
Controllers and Processors
According to her, under the PDPA, controllers bear primary responsibility for ensuring personal data is processed lawfully and ethically. Their obligations include establishing a lawful basis for processing, clearly defining and adhering to the stated purpose, ensuring data accuracy, limiting data retention periods, maintaining data integrity and confidentiality, and acting in a transparent and accountable manner.
If controllers engage processors to process personal data, processors are bound contractually by the controllers to comply with the PDPA. They must adhere to the controller’s instructions, permit compliance audits and inspections upon request, and meet all relevant obligations under the PDPA as specified by the controller. Controllers must ensure that all contractual arrangements with processors include these provisions and provide oversight accordingly.
Oversight and Enforcement
The newly constituted Data Protection Authority (DPA) will monitor compliance, investigate breaches, and issue directives where necessary. Its enforcement powers are not merely symbolic. Failure to comply with its directives may result in penalties of up to Rs 10 million per offence, subject to aggravating or mitigating factors. Such provisions highlight the cost of non-compliance. “This demonstrates the serious enforcement power of the Act and the importance of early compliance,” Fonseka notes.
Priorities for Readiness
To ensure readiness for PDPA enforcement, organisations should take a structured and proactive approach. For Fonseka, key immediate priorities include diagnosing existing gaps in processes, policies, and procedures against PDPA requirements and undergoing a transformation process to align with regulatory expectations.
The priorities also include strengthening policy frameworks to support privacy governance, building internal capacity through training and awareness initiatives, and adopting industry best practices and standards in information security. “This transformation is not a one-time compliance exercise, but rather a long-term commitment to data governance, transparency, and customer trust,” Fonseka says.
“The PDPA sets a new benchmark for personal data protection in Sri Lanka, aligning the country with global privacy standards. By embedding privacy into the organisational DNA, through legal, operational, and technological measures, organisations can not only meet compliance requirements but also strengthen stakeholder confidence and long-term resilience.” For those still in the early stages of preparation, the window for inaction is narrowing. The regulatory framework is now in place. What follows is enforcement.