Milestone for South Asia: Sri Lanka introduces Personal Data Protection Act

Personal data protection has become increasingly important in our digital age, as it is vital to ensure the privacy and security of individuals’ information and maintain trust in online transactions. Sri Lanka has made a significant stride in this direction by enacting the Personal Data Protection Act, representing a significant milestone in data protection legislation for South Asia.

This comprehensive legislation is designed to govern the collection, processing, and storage of personal data, establish regulatory authorities to oversee data protection and enforce stringent data protection standards across various industries and sectors within the country.

Overview of the Personal Data Protection Act

The Personal Data Protection Act (PDPA) serves as the cornerstone of data protection in Sri Lanka, establishing a robust legal framework to safeguard individuals’ privacy and regulate the processing of personal data. This legislation encompasses various key aspects:

  1. Definition of personal data: The PDPA clearly defines personal data as any information relating to an identified or identifiable natural person.

  2. Data protection principles: It outlines fundamental principles governing the processing of personal data, including lawfulness, fairness, and transparency in data processing activities.

  3. Rights of data subjects: The PDPA delineates the rights of data subjects, empowering individuals to exercise control over their personal data. These rights may include the right to access, rectify, and erase personal data held by data controllers.

  4. Responsibilities of data controllers: It imposes obligations on data controllers to ensure compliance with data protection principles and uphold the rights of data subjects. Data controllers are tasked with implementing appropriate security measures to protect personal data from unauthorized access or disclosure.

  5. Data Protection Authority: The PDPA establishes a dedicated authority responsible for enforcing data protection regulations and addressing data protection-related issues.

  6. Enforcement and penalties: It sets out mechanisms for enforcement and penalties for non-compliance with data protection provisions, including administrative fines for data breaches.

The PDPA is pivotal in promoting trust in electronic transactions, fostering innovation in the digital economy, and safeguarding individuals’ personal data in Sri Lanka’s developing digital landscape.

Key provisions of the PDPA

Sri Lanka’s Personal Data Protection Act (PDPA) addresses various aspects of personal data processing activities and imposes essential obligations on entities handling personal data. Here are the key provisions:

  1. Data processing activities: The PDPA regulates all stages of data processing, from collection to disclosure, ensuring that personal data is handled lawfully and ethically.

  2. Data Protection Impact Assessments (DPIAs): It mandates the conduct of DPIAs to assess the potential risks and impacts of data processing activities on individuals’ privacy rights.

  3. Obligations of data controllers: The PDPA imposes obligations on data controllers to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data.

  4. Rights of data subjects: It outlines the rights of data subjects, including the right to access, rectify, and erase their personal data held by data controllers.

  5. Compliance and enforcement: The PDPA establishes compliance monitoring and enforcement mechanisms, empowering the Data Protection Authority to investigate violations and impose penalties for non-compliance.

  6. Data security measures: It requires entities handling personal data to implement robust data security measures to prevent unauthorized access, disclosure, or alteration of personal data.

  7. Confidentiality obligations: The PDPA emphasizes the importance of maintaining the confidentiality of personal data and prohibits its unauthorized disclosure.

  8. Consent requirements: It sets out requirements for obtaining valid consent from data subjects to process their personal data, ensuring transparency and accountability in data processing activities.

These provisions collectively aim to establish a comprehensive framework for personal data protection in Sri Lanka, promoting transparency, accountability, and respect for individuals’ privacy rights.


Establishment of the Personal Data Protection Authority

The Personal Data Protection Authority, established under the PDPA, assumes a pivotal role in overseeing the enforcement of data protection regulations in Sri Lanka. With its establishment, the authority has several key responsibilities to safeguard individuals’ privacy rights and promote data protection standards across various sectors.

One of its primary functions involves monitoring compliance with federal data protection laws and regulations, ensuring that organizations adhere to prescribed standards for handling personal data. Additionally, the authority is tasked with investigating instances of data breaches or violations of data protection laws. Through thorough investigations, it seeks to determine the cause and extent of breaches, taking appropriate measures to mitigate harm and prevent future incidents.

Moreover, the authority has the power to impose penalties, fines, or sanctions on entities found to be violating data protection laws. This enforcement mechanism upholds accountability and deterrence, thereby reinforcing the importance of adherence to data protection principles.

Furthermore, the authority plays a proactive role in educating the public and guiding organizations on best practices for data protection. By fostering awareness and understanding of privacy rights and obligations, it aims to promote a data protection culture and ensure the effective implementation of data protection measures in Sri Lanka’s digital landscape.

Role of Data Protection Officers

Data Protection Officers (DPOs) are pivotal in organizations under the PDPA. Their primary responsibility is to ensure compliance with data protection laws and regulations. DPOs are tasked with implementing robust data protection measures, including developing and enforcing policies and procedures to safeguard personal data.

Moreover, DPOs serve as the point of contact for data protection authorities and individuals regarding data protection matters. They are responsible for handling inquiries, complaints, and requests related to data protection rights, such as access to personal data or the exercise of data subject rights.

In the event of a data breach, DPOs play a critical role in responding promptly and effectively. They oversee incident response procedures, coordinate with relevant stakeholders, and ensure appropriate remedial actions are taken to mitigate the breach’s impact and prevent future occurrences.

Overall, data protection officers serve as champions of data privacy within organizations, promoting a culture of compliance and accountability to uphold individuals’ rights to data protection.

Safeguarding critical information infrastructure

The Personal Data Protection Act (PDPA) acknowledges the importance of critical information infrastructure and imposes stringent obligations to protect it from cyber threats. Organizations are mandated to implement robust security measures tailored to safeguard critical systems from potential vulnerabilities and cyber attacks. These measures may include robust encryption protocols, access controls, securely configured computer systems, regular security assessments, and adoption of industry best practices in cybersecurity.

Furthermore, the PDPA emphasizes the importance of promptly reporting security incidents involving critical information infrastructure. Organizations are required to have mechanisms in place for detecting, analyzing, and responding to security breaches effectively. This proactive approach ensures that any breaches or security incidents are addressed promptly, minimizing their impact and preventing further exploitation of vulnerabilities.


Integration with existing legislation

The Personal Data Protection Act (PDPA) of Sri Lanka works in tandem with established laws like the Electronic Transactions Act and the Computer Crimes Act. This collaborative approach creates a robust legal framework that addresses various aspects of data protection, serious cyber security threats, and data breaches. By integrating with existing legislation, the PDPA ensures consistency and coherence in safeguarding personal data and combating cyber threats, thereby enhancing the overall effectiveness of data protection measures in Sri Lanka.

Collaboration with international bodies

Sri Lanka’s adoption of the PDPA reflects its commitment to international data protection standards and cooperation with global entities such as the Global Privacy Enforcement Network. This collaboration strengthens the country’s position in the global digital economy and promotes international cooperation and cross-border data protection initiatives.

This cooperation underscores Sri Lanka’s recognition of the importance of aligning its data protection practices with global standards, enhancing trust in its digital ecosystem, and enabling international data transfers to take place securely and competently.

Data subject rights under Sri Lanka’s PDPA

The PDPA empowers data subjects by enhancing their rights over their personal data.

  • Right to access: Data subjects have the right to access their personal data held by data controllers.

  • Right to rectification: Data subjects can request the correction of inaccurate or incomplete personal data.

  • Right to erasure: Data subjects have the right to request the deletion of their personal data under certain circumstances.

  • Right to restriction of processing: Data subjects can limit the processing of their personal data under specific conditions.

  • Right to data portability: Data subjects are entitled to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

  • Right to object to processing: Data subjects can object to processing their personal data in certain situations.

  • Right to withdraw consent: Data subjects can withdraw their consent to process their personal data at any time.

Data controller obligations under Sri Lanka’s PDPA

  • Implementation of internal controls: Section 12 of the PDPA mandates that data controllers establish internal controls and procedures to ensure compliance with the law.

  • Providing information to data subjects: Controllers must furnish data subjects with specific information outlined in Schedule V of the PDPA. This information must be provided in writing or electronically and in a concise, transparent, intelligible, and easily accessible format.

  • Appointment of a Data Protection Officer (DPO): Every data controller and processor under the PDPA is required to appoint a Data Protection Officer (DPO). The DPO’s responsibilities include ensuring compliance with the PDPA and serving as a point of contact for data subjects and the Data Protection Authority.

These obligations empower data controllers to effectively manage and protect personal data in accordance with the requirements of Sri Lanka’s PDPA.


Fines for non-compliance

In Sri Lanka, non-compliance with the Personal Data Protection Act (PDPA) can lead to significant financial penalties. Organizations found to be in violation of PDPA regulations may face fines of up to Rs. 10 million. These penalties serve as a deterrent and underscore the importance of adhering to data protection laws. Additionally, non-compliance with directives issued under Section 35 of the PDPA can result in fines, with the amount determined based on the nature and severity of the violation.

The PDPA imposes strict penalties for non-compliance, reflecting the country’s commitment to enforcing data protection laws and regulations. These fines incentivize organizations to prioritize data protection and compliance, fostering a culture of accountability and responsibility in handling personal data.

Technology is advancing at an unprecedented pace, and the need for robust data protection measures cannot be overstated. Sri Lanka’s Personal Data Protection Act (PDPA) stands as a critical framework in this regard, providing a legal foundation for safeguarding personal data amidst the complexities of the digital age. However, as technology progresses, the PDPA must remain dynamic and adaptable to address the evolving challenges in data protection effectively.

Continuous revisions and adaptations to the PDPA are essential to ensure its relevance and efficacy in the face of emerging technologies and changing threat landscapes. By staying abreast of technological advancements and incorporating global best practices, the PDPA can maintain its effectiveness in safeguarding personal data and upholding individuals’ rights to privacy.

Moreover, as data breaches, identity theft, and privacy violations become increasingly prevalent, enforcing the PDPA through stringent penalties for non-compliance is crucial. Fines imposed on organizations that violate PDPA regulations serve as a deterrent, emphasizing the importance of adhering to data protection laws and fostering a culture of compliance within the digital ecosystem.

In essence, the ongoing refinement and enforcement of Sri Lanka’s PDPA are paramount to ensuring the continued protection of personal data in an ever-evolving digital landscape. By embracing innovation and international standards, the PDPA can uphold its mandate of safeguarding privacy rights and promoting trust in the digital economy.
