Measures for Data Protection in Sri Lanka

Tharaka Munasinghe
3 min read · Apr 17, 2022

Data is the currency of the digital world, and with the increasing amounts of data created and stored each day, protecting personal data has become essential.

The Global Data Protection Act was enacted by the European Union to address this matter, ensuring the protection of the personally identifiable information of citizens of the EU region. South Asian countries, however, did not seem to pay much attention to data protection until recent years, although many of the IT back offices of reputed companies are located there.

With the Data Protection Act certified in Sri Lanka on the 19th of March 2022 (cited as the Personal Data Protection Act, No. 9 of 2022), Sri Lanka has become the first South Asian country to enact data protection legislation, with pervasive effects on how personal data is handled.

The Personal Data Protection Act (PDPA) is the first of its kind in Sri Lanka, and it sets out a comprehensive legislative framework for the protection of personal data. It aims to define and improve data subjects’ rights, as well as to provide for the designation of the Authority. The Act also includes measures such as the requirement to design a data protection management programme and limitations on the use of personal data for direct marketing. Furthermore, it contains a number of provisions controlling cross-border data transfers, which have data localization implications for all controllers and processors processing personal data outside of Sri Lanka.

Whom does the PDPA apply to?

  • Any organization that processes personal data wholly or partly within Sri Lanka

OR

Any organization or person that processes and/or controls personal data and is:

  • A resident in Sri Lanka.
  • Incorporated or established under any written law in Sri Lanka.
  • Processing data of the citizens of Sri Lanka.
  • Monitoring and profiling the behaviour of the citizens of Sri Lanka.

Part I of the Act specifies several principles with which data controllers and processors must comply.

Which data protection obligations must be complied with?

  1. Lawfulness — processing of personal data should be carried out in a lawful manner as specified in the PDPA.
  2. A defined purpose for data processing — personal data shall be processed only for a specified, explicit and legitimate purpose. Care should be taken to refrain from further processing the data for any other purpose that is not specified.
  3. Data minimization — only the adequate amount of data relevant to the specified purpose shall be utilized in the data processing. The data should be proportionate to the extent necessary for the purpose.
  4. Ensure accuracy — data controllers and processors should ensure that the processed data is accurate and up-to-date. Any inaccurate or outdated personal data should be erased or corrected immediately.
  5. Storage limitations — personal data of the data subjects should only be kept for a duration as is necessary or required for the specified purpose.
  6. Integrity and confidentiality of data — the integrity and confidentiality of personal data that is collected and stored should be ensured by taking appropriate technical and organizational measures (such as encryption, pseudonymization, anonymization or controlling unauthorized access).
  7. Transparency of data — personal data should be collected and processed with transparency. Information about the methods employed and the decisions made using such data should be concise and easily accessible via written or electronic means.
  8. Accountability of data — the data controller must implement internal controls and procedures within the organization to comply with the PDPA.

If a data controller or processor fails to abide by the aforementioned principles, the Authority may issue a directive, followed by a penalty of up to 10 million Sri Lankan rupees.

Additional penalties can be charged for each subsequent instance of non-compliance.

To sum up, the PDPA concentrates on the basic structure of the regulatory regime, leaving the specifics to be determined later.

I hope you’ve got a basic idea of the PDPA No. 9 of 2022 from this article. Stay tuned for more summarized content on the PDPA.