Sri Lanka’s Personal Data Protection Act (2022)

Operationalize Sri Lanka’s Personal Data Protection Act Compliance with the most comprehensive PrivacyOps platform

Last Updated on June 16, 2025

The Parliament of Sri Lanka recently passed the Personal Data Protection Act, No. 9 of 2022, on 19 March 2022. With its passing, Sri Lanka has joined a burgeoning list of countries with data protection regulations in place. 

The Personal Data Protection Act (PDPA) protects Sri Lankan residents’ data while regulating how organizations collect, process, store, and maintain this data. The PDPA also grants users a wide range of data subject rights, meant to give them more control over their data.

The PDPA explicitly states the appropriate responsibilities of all organizations related to data collection. Additionally, it lays down the penalties in case an organization is non-compliant with any of the PDPA’s provisions. The PDPA applies to all forms of personal data collection being carried out in Sri Lanka by organizations based in Sri Lanka or outside Sri Lanka.

The Solution

Thanks to its plethora of features such as PI data discovery, DSR automation, documented accountability, and AI-process automation, among others, Securiti offers you a seamless PDPA compliance opportunity.

 

Securiti can help your data governance and compliance efforts with state-of-the-art artificial intelligence and machine-learning-based tools at its disposal.

Request a demo today and learn more about what Securiti has to offer.

Customize a data subject rights request portal for seamless customer care

Assess Sri Lanka PDPA Readiness

Articles: 2, 4-11, 20; Schedule I

Carry out regular personal information impact assessments to assess how compliant your data collection practices are with the PDPA provisions. Extend these impact assessments to all vendors and third parties that have access to your database to ensure complete compliance throughout your organisational functions. Identify and address any potential risks and gaps.

Automate Consumer Data Request Handling

Articles: 17, 18, 19

By automating the process of generating and delivering DSR requests, you’ll be able to curate the entire process more seamlessly while reducing any chances of non-compliance. Additionally, automation frees up human resources to be used in other critical areas.

Secure Fulfillment of Data Access Requests

Articles: 13(1), 17

By setting up a centralized portal, you can keep better track of all data access requests being made and ensure such requests are fulfilled within the timeframe stipulated by the PDPA.

Automate Processing of Rectification Requests

Articles: 15, 17

The centralized portal can also help consolidate all data if a rectification request is made.

Automate Erasure Requests

Articles: 16, 17

An automated workflow can be established on top of the centralized database to ensure prompt fulfillment of all data erasure requests while also maintaining a record of such requests.

Automate Objection & Restriction Of Processing Requests

Articles: 14(2), 17, 18; Schedule I(e)(f), II(f)

Using the same automated workflows, fulfill objection and restriction of processing requests more efficiently.

Automate Data Protection Impact Assessment (DPIA)

Articles: 24, 25

Automate the data protection impact assessment (DPIA) process by identifying the risks early on and mitigating them proactively to ensure adequate data security and compliance with the PDPA.

Map Data Flows & Generate RoPA Reports

Articles: 26, 11

Monitor and track all incoming and outgoing data from your organisation to ensure all data collection practices are in line with the PDPA’s provisions related to cross-border transfers of data and the sharing/selling of any such data with third parties.

Monitor & Track Consent

Articles: 14(1), 17, 27; Schedule I(a), II(a), III

Consistently monitor and track the data being collected, and analyze it against data subject rights and other provisions of the PDPA to ensure non-compliance is eliminated as soon as possible.

Automate Data Breach Response Notifications

Articles: 23

Using the centralized database along with the necessary workflow, automate all data breach notifications so that the concerned parties, such as the regulatory authorities and affected data subjects, are alerted as soon as possible and a response plan is set in motion.

Manage Vendor Risk

Articles: 21(1), 22

Consolidate all your third parties’ compliance with the PDPA by keeping track of their practices. Furthermore, ensure that the data subjects’ rights to erasure, access, and rectification of their data extend to the data shared/sold to third parties.

Meet Cookie Compliance

Articles: 14(1), 17, 27; Schedule I(a), II(a), III

Using automation, track web properties across the web and cookies being used. Take appropriate measures in case non-compliance is discovered.

Privacy Policy & Notice Management

Articles: 11, 27; Schedule V

Securiti provides you with access to several pre-designed privacy policy templates. These are fully compliant with the PDPA’s privacy policy requirements. Additionally, a centralized management portal lets you monitor these policies in real-time and adjust them per your compliance needs.

Data Classification

Articles: 12

Using automation, scan both on-site and cloud storage for all data that may have been stored on a unique data subject. By linking this sprawled data together, identify any non-compliance risks easily and take appropriate measures accordingly.

Safeguard Against Loss

Article: 10(b)

Leverage Securiti’s access intelligence to ensure all data assets are only accessible by personnel and integrations that have the appropriate permissions and credentials, thereby preventing any chances of loss, destruction, or damage of personal data.

Key Rights Under PDPA

The Sri Lankan PDPA affords all users a set of rights known as data subject rights. Here’s what each of those entails:

Right to Access : Data subjects have the right to request access to all the data that has been collected on them by a data controller/processor.

Right of Withdrawal of Consent : Data subjects have the right to withdraw given consent to data collection at any time upon a written request. Moreover, every data subject shall have the right to request a controller in writing, to refrain from further processing of personal data relating to such data subject, in this case.

Right to Rectification : Data subjects have the right to request rectification of data collected on them if it is outdated, incorrect, or obsolete, and the controller is to rectify or complete the personal data without undue delay. However, there is an exception: when a controller is required to maintain personal data for evidentiary purposes under any written law or on an order of a competent court, the controller shall refrain from further processing such personal data without rectifying it.

Right to Erasure : All data subjects have the right to request that all data collected on them by a data controller/processor be erased where the processing of personal data is carried out in contravention of the obligations referred to in the law, where the data subject withdraws the consent upon which processing is based, or where erasure is required by any written law or by an order of a competent court to which the data subject or controller is subject. Once this request is made, the data controller/processor cannot continue processing any data on the data subject.

Right to Appeal : All data subjects have the right to appeal a controller’s refusal to grant their request for rectification, completion, erasure, or refraining from further processing.

Right of Appeal to the Authority : Data subjects have the right to appeal to the Data Protection Authority where a controller has refused to rectify, complete, or erase personal data, or to review a decision based solely on automated processing, or has not refrained from further processing of personal data. Moreover, any data subject or controller aggrieved by the decision of the Authority may prefer an appeal to the Court of Appeal not later than thirty days from the date of such decision.

Right to Object to Automated Decision Making : Data subjects have the right to inform the data controller/processor of their objection to automated processing and decision-making that is likely to create an irreversible and continuous impact on their rights and freedoms.

However, it is to be noted that the controller may refuse to act on a data subject request made under this Act in the case of:

  • the national security;
  • public order;
  • any inquiry conducted, investigation or procedure carried out under any written law;
  • the prevention, detection, investigation or prosecution of criminal offences;
  • the rights and freedoms of other persons under any written law;
  • the technical and operational feasibility of the controller to act on such request;
  • the inability of the controller to establish the identity of the data subject;
  • the requirement to process personal data under any written law.

Facts Related to Sri Lanka’s PDPA

1. The Sri Lankan PDPA establishes the Data Protection Authority of Sri Lanka as the primary regulatory authority enforcing the PDPA. It will comprise 5-7 members, with the President of Sri Lanka choosing a Chairperson from among these members based on merit.

2. Organisations can be fined up to 10 million rupees for each instance of non-compliance. In case of repeat offenses, this sum will keep doubling. At the end of the fiscal year, the regulatory authority will deposit the collected sum in the Consolidated Fund.

3. The PDPA explicitly states that it shall not apply to any form of data apart from personal data.

4. Organisations sending out messages, usually for marketing purposes, by electronic means or through the post, need the consent of the addressees and must provide them with opt-out options.

5. Every data controller has a duty to implement internal controls and procedures, referred to as the “Data Protection Management Programme” in the Law.

6. Under certain conditions of processing, a processor or controller must appoint a data protection officer.

7. In case of a data breach, organisations must notify the DPA and data subjects according to requirements under the PDPA.

8. To determine data transfer compliance, the PDPA establishes an “adequacy” analysis relating to the protection of personal data in a third country, which shall be subject to periodic monitoring by the Minister in consultation with the Authority.
