Securiti Named a 2022 Cool Vendor in Data Security by GartnerDownload Now
The past couple of years have seen data privacy gain a significant degree of importance. Due to several political, social, and ethical factors, data protection now occupies a highly critical place in any country's strategic lawmaking related to its citizens. Hence, it is no surprise that most countries have been incredibly active in drafting data protection laws.
Sri Lanka is another such country, with its Personal Data Protection Act (PDPA), No. 9 Of 2022, passed on 19 March 2022. It covers all the bases that a data protection regulation is expected to cover related to data subject rights. Additionally, it states the responsibilities of data processors/controllers and penalties for those that fail to comply with the PDPA.
So, to make compliance more accessible and the finer details of the regulation more comprehensible, here's a rundown of all the significant bits to know about the Personal Data Protection Act:
Here's how the PDPA shall apply to organisations in terms of their geographical location as well as the sort of data they processor on residents in Sri Lanka:
As far as the material scope of the PDPA is concerned, the law explicitly states that it shall apply to the processing of personal data. However, any data collected by an individual for personal, domestic, or household use or any other data apart from personal data,is also not subject to the PDPA.
The PDPA also lays down exemptions which are necessary and proportionate measures where the PDPA sections will not apply:
The PDPA shall apply to all organisations that fall under the following categories:
The Sri Lankan PDPA, like all other major data protection laws, places several obligations upon all data controllers/processors. These obligations ensure that the organisation adheres to strict rules and regulations in its data collection. These obligations include:
Every controller shall ensure that personal data is processed in a manner that is compatible with the PDPA such that:
As per Schedule I of the PDPA, explicit conditions are set for the lawful processing of data.
These include the following:
The PDPA follows a run-of-the-mill attitude towards consent. Organisations can only begin collecting data on their users once the user has explicitly consented to the collection. Additionally, users will have the right to withdraw this consent at any moment.
However, the most noteworthy part of the PDPA regarding consent requirements is undoubtedly Section 27, which deals with unsolicited messages. It stipulates that organisations sending out messages, usually for marketing purposes, by electronic means or through the post, need the consent of the data subject to receive them.
Moreover, when obtaining consent the controller shall, at the time of collecting contact information and each time where a message is sent, provide to the data subject details on how to opt-out of receiving solicited messages free of charge.
In case of a personal data breach, the data controller/processor must inform the Authority in such form, manner and within such period of time as per the rules made under PDPA.
The Authority will determine the circumstances it has to be notified of a data breach, as well as circumstances where data subjects are to be notified of a data breach and the manner and medium of this communication.
Every data controller and processor subject to the PDPA has to ensure the appointment of a Data Protection Officer (DPO). The DPO must have the relevant academic qualifications and other necessary requirements to ensure their professional competency for the job.
In instances where the controller is a group of entities, such controllers may appoint a single Data Protection Officer who is easily accessible by each entity. Likewise, where a controller or a processor is a Public Authority, a single Data Protection Officer may be designated for several such public authorities, taking into account their organizational structures.
The data controller and processor must ensure they properly publish the contact details of the DPO on their website while communicating these details to the regulatory authorities as soon as the appointment of the DPO is finalised.
Data controllers are required to carry out extensive personal data protection impact assessments. These will be required when there is processing involving:
The personal data protection impact assessment shall contain such information and particulars including any measures and safeguards taken by the controller to mitigate any risk of harm caused to the data subject by the processing. The controller must seek assistance from the DPO when carrying out assessments. Additionally, a new assessment must be carried out at every instance the data controller decides to alter any kind of their data collection, storage, and protection methodologies. The controller must also submit to the Authority the assessment, and also oblige any written requests made by the Authority for further information on compliance of the processing and of any risks of harm associated with the protection of personal data of the data subject.
Where a personal data protection impact assessment carried out, indicates that the processing is likely to result in a risk of harm to the rights of the data subjects guaranteed under this Act or any written law, a controller shall take such measures to mitigate such risk of harm, prior to any processing of personal data. In case of not being able to mitigate such risks, the controller can consult the Authority for further guidance.
All data controllers/processors must keep a detailed record of their data collection and processing activities in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form that can be made available to a data subject whenever they request access to this data.
Moreover it is the duty of every controller to implement internal controls and procedures referred to as the Data Protection Management Programme ( in line with the guidelines issued by the Authority) that:
In special circumstances, where processing is done by a vendor or any third party, there are some requirements on that front as well.
Firstly, the third party must have demonstrated that they have adequate technical and organisational measures in place to ensure compliance with the PDPA within their data collection practices.
Secondly, their contract with the data controller must set out details such as the duration of the processing, the nature and purpose of the processing, the type of personal data, categories of the data subjects, and the obligations of the controller.
The third-party or processor also has more obligations in case of data processing activities including to:
A data controller/processor that collects or processes data in Sri Lanka cannot be transferred to any third country unless the regulatory authority makes an adequacy decision.
An adequacy decision by the regulatory authority will be made in consultation with the Minister of Communication, subject to periodic monitoring of the safeguards and privacy mechanisms in place in the third country.
However, the need for an adequacy decision may not be necessary if;
Like almost any other major data protection regulation, the Sri Lankan PDPA also lays down the rights of users online, better known as data subject rights. These rights are not only essential to ensure users online retain control over their data but ensure that data controllers and processors cannot employ excessive tactics to collect users' data. These rights include:
Where a controller receives a written request from a data subject, such controller shall inform the data subject in writing, within twenty-one (21) working days from the date of such request. However, it is to be noted that the controller may, refuse to act on a data subject request made under this Act, in case of
The Sri Lankan PDPA establishes the Data Protection Authority of Sri Lanka (referred to as the Authority within the legislation). This Authority will exercise, perform, and discharge the powers, duties, and functions prescribed by the PDPA.
The Authority will be led by a Board of Directors, consisting of no less than five members and no more than seven persons. Each of these members will be appointed by the President of Sri Lanka, having experience and knowledge in regulatory matters, privacy and data protection, information security or related fields The President will appoint a Chairperson responsible for leading the regulatory body among these members. All members must have the necessary qualifications and credentials to be fit for the role.
The Sri Lankan PDPA is comparatively strict when it comes to imposing penalties related to non-compliance. In case of non-compliance, the Authority shall take into consideration the following:
Any organisation found in non-compliance with any of the PDPA's provisions can be fined for up to 10 million rupees for each instance of non-compliance. In the case of repeat offenders, the offender in addition to the penalty amount for the current non-compliance will also be liable to pay an additional penalty consisting of twice the amount imposed as a penalty on the second and for each subsequent non-compliance. After making appropriate compensation to the affected data subjects, the Authority will collect these fines and deposit them in the Consolidated Fund.
In the case of an organisation failing to pay the fine within the time frame stipulated by the Authority, it may face legal action by the Authority before the Magistrate Court of Colombo. The offender can also be subjected to the suspension of its commercial activities within Sri Lanka.
Moreover, a controller or processor who is aggrieved by the imposition of an administrative penalty under PDPA, may appeal against such decision to the Court of Appeal within twenty-one working days, from the date of the notice of the imposition of such administrative penalty was communicated to such person.
Like all data protection regulations, the Sri Lankan PDPA aims to evolve the way both organisations collect data and provide users with an unprecedented degree of privacy related to their data in the country.
However, a major roadblock in successfully implementing this legislation is likely to be the fact that organisations may not know where to begin. After all, compliance with data protection regulations needs to be thorough, leaving no room for half-measures.
Fortunately, some steps can prove to be helpful in laying a proper foundation for the compliance efforts related to the Sri Lanka PDPA. Some of these include the following:
There was a time, not so long ago, when data collection was considered one of the easier parts of an organisation's digital strategy. And why not. Legislations related to online data protection were scarce and, in most cases, terribly outdated to deal with just how much the internet and data collection techniques had evolved.
That is no longer the case. The past few years have seen data privacy become a highly controversial topic, with legislations being drafted in almost all countries to ensure organisations can only collect only the most essential data, and that too with the explicit, informed consent of the users. Such a paradigm shift has required organisations to turn towards automation to meet their data compliance requirements.
Securiti is a market leader in providing enterprise solutions related to data governance, data privacy, and data compliance. Its artificial intelligence and machine-learning-based tools ensure that organisations can meet their due obligations under any data protection regulation effectively without compromising on their users' browsing experience.
Request a demo today to see how Securiti can help your organisation's compliance efforts related to the PDPA.