IDC Names Securiti a Worldwide Leader in Data Privacy


Sri Lanka’s Personal Data Protection Act (2022)

Operationalize Sri Lanka’s Personal Data Protection Act Compliance with the most comprehensive PrivacyOps platform

Last Updated on November 19, 2023

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.


The Parliament of Sri Lanka recently passed the Personal Data Protection Act, No. 9 of 2022, on 19 March 2022. With its passing, Sri Lanka has joined a burgeoning list of countries with data protection regulations in place.

The Personal Data Protection Act (PDPA) protects Sri Lankan residents’ data while regulating how organizations collect, process, store, and maintain this data. The PDPA also grants users a wide range of data subject rights, meant to give them more control over their data.

The PDPA explicitly states the appropriate responsibilities of all organizations related to data collection. Additionally, it lays down the penalties in case an organization is non-compliant with any of the PDPA’s provisions. The PDPA applies to all forms of personal data collection being carried out in Sri Lanka by organizations based in Sri Lanka or outside Sri Lanka.

The Solution

Thanks to its plethora of features such as PI data discovery, DSR automation, documented accountability, and AI-process automation, among others, Securiti offers you a seamless PDPA compliance opportunity.


Sri Lanka PDPA compliance solution

Securiti can help your data governance and compliance efforts with state-of-the-art artificial intelligence and machine-learning-based tools at its disposal.

Request a demo today and learn more about what Securiti has to offer. Customize a data subject rights request portal for seamless customer care

PDPA DSR Handling

Automate Data Subject Request Handling

Articles: 17, 19

By automating the process of generating and delivering DSR requests, you’ll be able to curate the entire process more seamlessly while reducing any chances of non-compliance. Additionally, automation frees up human resources to be used in other critical areas.

Secure Fulfillment of Data Access Requests

Articles: 13(1), 17

By setting up a centralized portal, you can keep a better track of all data access requests being made and ensure such requests are fulfilled within the timeframe stipulated by the PDPA.

PDPA Data Access Request
data rectify request

Automate Processing of Rectification Requests

Articles: 15, 17

The centralized portal can also help consolidate all data if a rectification request is made.

Automate Erasure Requests

Articles: 16, 17

An automated workflow can be established on top of the centralized database to ensure prompt fulfillment of all data erasure requests while also maintaining a record of such requests.

PDPA Data Erasure Request
processing request

Automate Objection & Restriction Of Processing Requests

Articles: 14(2), 17, 18 ; Schedule I(e)(f), II(f)

Using the same automated workflows fulfill objection and restriction of processing requests more efficiently.

Continuous Monitoring & Tracking

Articles: 14(1), 17, 27 ; Schedule I(a), II(a), III

By consistently monitoring and tracking data being collected, analyze this data against data subject rights and other provisions of the PDPA to ensure non-compliance is eliminated as soon as possible.

personal data monitoring tracking
PDPA People Data Graph

Automate People Data Graph

Article: 12

Using automation, scan both on-site and cloud storage for all data that may have been stored on a unique data subject. By linking this sprawled data together, identify any non-compliance risks easily and take appropriate measures accordingly.

Meet Cookie Compliance

Articles: 14(1), 17, 27 ; Schedule I(a), II(a), III

Using automation, track web properties across the web and cookies being used. Take appropriate measures in case non-compliance is discovered.

Sri Lanka PDPA Cookie Consent Compliance Management
Universal Consent Management

Monitor & Track Consent

Articles: 14(1), 17, 27 ; Schedule I(a), II(a), III

Monitor and track consent from each data subject by centralizing their appropriate permissions. As a result, avoid any unnecessary non-compliance issues related to wrongful transfers, sharing, or selling of data not consented to by the data subject.

Assess Sri Lankan PDPA readiness

Articles: 2, 4-11, 20; Schedule I

Carry out regular personal information impact assessments to assess how compliant your data collection practices are with the PDPA provisions. Extend these impact assessments to all vendors and third parties that have access to your database to ensure complete compliance throughout your organisational functions. Identify and address any potential risks and gaps.

Sri Lanka PDPA Readiness Assessment
PDPA Data Flow Mapping

Map Data Flows

Articles: 26, 11

Monitor and track all incoming and outgoing data from your organisation to ensure all data collection practices are in line with the PDPA’s provisions related to cross-border transfers of data and the sharing/selling of any such data with third parties.

Assess Third Parties Compliance

Articles: 21(1), 22

Consolidate all your third parties’ compliance with the PDPA by keeping track of their practices. Furthermore, ensure that the data subjects’ rights to erasure, access, and rectification of their data extends to the data shared/sold to third parties.

PDPA Third Party Compliance Assessment
breach response notification

Automate Breach Response Notification

Article: 23

Using the centralized database along with the necessary workflow, automate all data breach notifications that alert all the concerned parties, such as the regulatory authorities and affected data subjects, as soon as possible, as well as setting a response plan in action.

Privacy Policy & Notice Management

Articles: 11, 27; Schedule V

Securiti provides you with access to several pre-designed privacy policy templates. These are fully compliant with the PDPA’s privacy policy requirements. Additionally, a centralized management portal lets you monitor these policies in real-time and adjust them per your compliance needs.

PDPA Privacy Notice Managment

Key Rights Under PDPA

The Sri Lankan PDPA affords all users a set of rights known as data subject rights. Here’s what each of those entail:

Right to Access : Data subjects have the right to request access to all the data that has been collected on them by a data controller/processor.

Right of Withdrawal of Consent : Data subjects have the right to withdraw given consent to data collection at any time upon a written request. Moreover, every data subject shall have the right to request a controller in writing, to refrain from further processing of personal data relating to such data subject, in this case.

Right to Rectification : Data subjects have the right to request rectification of data collected on them if it is outdated, incorrect, or obsolete and the controller is to rectify or complete the personal data without undue delayHowever there lies an exception whereby when a controller is required to maintain personal data for the evidentiary purposes under any written law or on an order of a competent court, the controller shall refrain from further processing such personal data without rectifying.

Right to Erasure : All data subjects have the right to request that all data collected on them by a data controller/processor be erased under the circumstances where the processing of personal data is carried out in contravention of the obligations referred to in the law, or when the data subject withdraws their consent upon which processing is based, or the requirement to erase personal data is required by any written law or on an order of a competent court to which the data subject or controller is subject to.Once this request is made, the data controller/processor cannot continue processing any data on the data subject.

Right to Appeal : All data subjects have the availability of the right of appeal to their request of rectification, completion, erasure or refrain from further proceeding, in respect of the refusal by the controller to grant such request.

Right of Appeal to the Authority : Data subjects have a right to appeal to the Data Protection Authority against a controller’s decision of refusal, to rectify, complete, erase, review its decision based solely on automated processing or has not refrained from further processing of personal data. Moreover, any data subject or controller aggrieved by the decision of the Authority, may prefer an appeal to the Court of Appeal not later than thirty days from the date of such decision.

Right to Object to Automated Decision Making : Data subjects have the right to inform the data controller/processor of their objection to automated processing and decision-making that is likely to create an irreversible and continuous impact on their rights and freedoms.

However, it is to be noted that the the controller may, refuse to act on a data subject request made under this Act, in case of

  • the national security;
  • public order;
  • any inquiry conducted, investigation or procedure carried out under any written law;
  • the prevention, detection, investigation or prosecution of criminal offences;
  • the rights and freedoms of other persons under any written law;
  • the technical and operational feasibility of the controller to act on such request;
  • the inability of the controller to establish the identity of the data subject;
  • the requirement to process personal data under any written law.

Facts Related to Sri Lanka’s PDPA


The Sri Lankan PDPA establishes the Data Protection Authority of Sri Lanka as the primary regulatory authority enforcing the PDPA. It will comprise 5-7 members, with the President of Sri Lanka choosing a Chairperson from these memberships based on merit.


Organisations can be fined for up to 10 million rupees for each instance of non-compliance. In case of repeat offenses, this sum will keep doubling. At the end of the fiscal year, the regulatory authority will deposit the collected sum in the Consolidated Fund.


The PDPA explicitly states that it shall not apply to any form of data apart from personal data.


Organisations sending out messages, usually for marketing purposes, by electronic means or through the post, need the consent of the addressees and provide them with opt-out options.


Every data controller has a duty to implement internal controls and procedures, referred to as the “Data Protection Management Programme in the Law.


Under certain conditions of processing, a processor or controller must appoint a data protection officer.


In case of a data breach, organisations must notify the DPA and data subjects according to requirements under the PDPA.


To determine data transfer compliance, the PDPA establishes an “adequacy” analysis relating to the protection of personal data in a third country which shall be subject to periodic monitoring by the Minister in consultation with the Authority.

IDC MarketScape

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report