Building trust in digital age: Sri Lanka’s roadmap to cybersecurity and data privacy

Wednesday, 16 July 2025

Key insights by experts at Daily FT-CICRA organised first ever data privacy and protection summit


Chief Adviser to the President on Digital Economy Dr. Hans Wijayasuriya

Central Bank Assistant Governor CSP  Bandara

Data Protection Authority Chairman-Designate Rajeeva Bandaranaike

Sparkoo Technologies Ireland Chief Security Officer Tommy Black

CICRA Holdings Group Director and CEO Boshan Dayaratne



By Janani Kandaramage


The ninth annual full-day Cyber Security Summit, organised by the Daily FT in collaboration with CICRA Holdings Ltd., was held last week at the Cinnamon Grand, Colombo.

Attracting an audience of over 300 participants, including IT and risk management professionals, corporate employees, and university students aspiring to build careers in information technology – the flagship forum convened both international and local experts exchanging critical insights into the evolving threat landscape of cybercrime, while exploring strategies and solutions to safeguard organisations and individuals.

Central Bank of Sri Lanka (CBSL) Assistant Governor CSP Bandara described the need for businesses to treat cybersecurity as a strategic imperative that balances risk management, technological innovation, and consumer trust in an increasingly complex digital landscape.

“As cyber threats continue to escalate in both frequency and sophistication, businesses are being urged to view cybersecurity not merely as a compliance issue but as a strategic priority,” he opined.

He stressed the need for organisations to evolve from passive risk management to proactive cyber orchestration, noting that the data is alarming: the cost of cybercrime is projected to reach $10.5 trillion annually by 2025, with nearly 3.5 million cybersecurity positions currently unfilled globally. He added: “Breaches now take an average of 70 days to contain, highlighting systemic vulnerabilities across sectors.”

Amid this growing threat, companies are also grappling with the ethical and legal implications of rapidly adopted technologies like generative AI, which is complicating data governance. With 40% of consumers reportedly ceasing business with firms that fail to protect their data, the message is clear: trust and transparency are becoming as vital as product or price. Leading firms are adopting integrated strategies that enhance internal efficiency, support innovation, and build customer confidence—all while navigating evolving global regulatory standards.

Data Protection Authority Chairman-Designate Rajeeva Bandaranaike underscored the escalating urgency of data protection in Sri Lanka’s digital age. “Our personal data, I think, has become one of the most valuable commodities today. And with that value comes risk,” the speaker noted, reflecting on the vast amounts of sensitive information exchanged online daily. “Privacy isn’t just a personal right, but a public responsibility,” he emphasised, advocating for privacy to be “a core value and not just an afterthought” in the digital era.


Mechanisms for citizens to exercise rights

Highlighting Sri Lanka’s legal strides, he drew attention to the Personal Data Protection Act No. 9 of 2022, calling it “the comprehensive law which regulates the processing of personal data.” The Act, he explained, aims to “facilitate the growth and innovation in the regional economy” while ensuring that data is “processed lawfully, fairly and also responsibly.” The law provides mechanisms for citizens to exercise rights such as access, correction, and deletion of their data, he said, “shifting the power balance from organisations to data subjects like you and me.”

The newly established Data Protection Authority (DPA) has been tasked with implementing the Act, with a focus on education, enforcement, and stakeholder guidance. “One key priority will be capacity building within the staff,” he observed, adding that raising awareness is essential because “this is a journey… towards establishing a robust data protection framework in the country.” The DPA also intends to publish sectoral and thematic guidelines to help businesses innovate responsibly and maintain public trust.

Bandaranaike urged industry leaders to treat data protection as more than a regulatory requirement. “It is a strategic imperative that defines the credibility and sustainability of our digital ecosystem,” he said. “We need to move forward with a shared commitment to embedding privacy by design… and invite you to partner us in our journey towards establishing a robust privacy and protection network in the country.”

Telecommunications Regulatory Commission (TRC) Chairman Waruna Dhanapala noted the increasing responsibilities of telcos in a competitive and largely privatised industry, pointing to Section 27 of the Act—focused on unsolicited communications—as an area still awaiting full enactment. “Data subjects must be notified in advance if any controller intends to send promotional content,” he said, underscoring the need for greater enforcement in partnership with the Data Protection Authority.

Dhanapala also highlighted ongoing developments, including the recent entry of international satellite internet providers into Sri Lanka, made possible through a modernised regulatory framework. He acknowledged the growing public concern around SIM card data collection and vendor access to personal information. “We are at the receiving end of all this data,” he noted, calling for stricter regulations and self-discipline across telecom operators. The TRC, he said, is working toward greater cooperation with the emerging Data Protection Authority to define sector-specific compliance standards and onboard thematic experts in priority areas such as telecom, health, and finance.

CBSL Payments and Settlements Department Deputy Director Dr. Kanchana Ambagahawita provided a comprehensive view of the financial sector’s readiness. “Privacy has always been fundamental to the financial services industry,” she said, citing Section 77 of the Banking Act and Section 61 of the Finance Business Act, which mandate absolute data secrecy. She outlined the sector’s early adoption of privacy-by-design systems and adherence to international standards, which placed it ahead of many other industries. However, she noted that while banks are well-equipped in data protection, the challenge now lies in safe and ethical data sharing. “The next step is building trust across institutions so that sharing data doesn’t compromise privacy,” she added.

Dr. Ambagahawita also referenced the Financial Consumer Protection Regulation introduced in 2023, which aligns closely with the principles of the Data Protection Act—explicit consent, purpose limitation, data retention, and protections for vulnerable groups. She noted that customers have already begun raising concerns, and the Central Bank has a dedicated mechanism for redress, including compensation where appropriate. “Training and awareness are still needed,” she admitted, “but the systems and regulations are already in place. It’s about improving implementation.”


Legal frameworks

Decoding the PDPA frameworks, compliance, and best practices, Sparkoo Technologies Chief Security Officer Tommy Black said that legal frameworks like the PDPA must be enforced not only through regulation but also through practical, technical safeguards.

He warned of the growing sophistication of cyberattacks, especially those driven by generative AI, making access control and least privilege principles more important than ever. “You need to be proactive,” he advised, highlighting the need for internal penetration testing, threat modelling for AI systems, and transparent supply chain practices such as Software Bill of Materials (SBOM).

Reflecting on global trends, he declared that over 150 countries now have data protection laws, making compliance a “non-negotiable foundation” for digital participation. He also addressed data sovereignty concerns, particularly the differences in data access between US and EU frameworks, noting Huawei Cloud’s efforts to localise data storage as part of PDPA alignment.

Urging institutions to treat compliance, digital trust, and partnership as inseparable pillars of progress, Black said, “Without compliance, you can’t have trust. Without trust, you can’t build partnerships,” citing Singapore’s successful PDPA rollout as a model for fast, collaborative enforcement. The real key, he added, is “smart people, strong frameworks, and a shared responsibility for protecting citizen data.”

PDPA Drafting Committee former Chair Jayantha Fernando also stressed the importance of the international standards that shaped the PDPA, referencing the OECD privacy guidelines, the EU’s GDPR, the APEC privacy framework, and the UK’s post-Brexit GDPR adaptation. He explained how the Sri Lankan legislation aims to harmonise local data protection efforts with global best practices. The law defines key actors, controllers and processors, and extends protection not only to Sri Lankan citizens but also to foreign individuals whose data is processed within the country.

“A unique emphasis was placed on regulating special categories of personal data, especially for those under 16, and ensuring strict controller-processor accountability,” he opined.

A key theme was the balancing act between protecting privacy and promoting digital growth. Fernando outlined how the law establishes legal bases for data processing: consent, contractual obligations, regulatory compliance, and legitimate interest.

He also clarified misconceptions around obligations like transparency and accountability, including the introduction of standards for privacy notices and data protection management programs. Importantly, the PDPA mandates that the responsibility for regulatory compliance rests squarely with controllers, while processors support their operations.

Addressing updates to the PDPA, particularly concerning data subject rights and the obligations of data controllers, he asserted that the new amendments filled critical gaps, such as granting data subjects the right to appeal automated decision-making outcomes and clarifying that data access responses should be free unless workload justifies charges.


Threshold for appointing a Data Protection Officer

The threshold for appointing a Data Protection Officer (DPO), currently set for entities processing over 25,000 personal data sets, was also debated in a panel discussion moderated by Information Privacy and Technology Law Consultant Sanduni Wickramasinghe. Amendments ensured that public corporations involved in commercial activities are treated on par with private entities. Fernando called for broader engagement with draft regulations and templates for smoother implementation.

To implement Sri Lanka’s Personal Data Protection Act (PDPA) effectively, experts stressed the importance of a holistic approach. “It has to be a cross-functional approach,” they said, referencing a 2024 report from the Future of Privacy Forum. “You need to pull in your legal folks... your cybersecurity teams... your product teams.” Determining roles is also complex: “It’s rarely black and white... for certain processing activities, you may be a data controller... for others, you may be a data processor.”

Another overarching theme was the need to shift from over-reliance on consent. “It is not just limited to consent,” Attorney-at-Law and Data Consultant Samantha De Zoysa said. “You can think about implementing a more layered privacy notice; reliance on consent has practically led to poor user experiences and legal uncertainty.”

She warned: “You may not really know or prepare... So it’s important to have that breach response, incident management plan in place... and run your mock trials.”

Drawing from MasterCard’s own privacy program, they shared a four-pillar framework: protect, enable, educate, and influence. “Data subjects have to be at the centre of all you do,” they emphasised. “You need to enable your business... Privacy needs to be built into the culture of every organisation.” The final call to action was clear: “Leadership buy-in is absolutely critical,” and every employee—from legal teams to receptionists—must understand their privacy responsibilities.

Closing the discussion, they echoed: “It’s never fully achieved. You will never fully achieve 100% compliance. Privacy will always, always be a journey and not a destination.”

Addressing one of the most misunderstood aspects of the PDPA, Dialog Axiata Contracts and Regulatory Head Shanaka Gunasekera, Partner, FJ&G de Saram admonished against the exploitation of consent as a lawful basis for processing data. “Consent is the most misunderstood and misused aspect,” he stated. Highlighting that consent must be genuine and free, he explained, “If there is a denial of service involved, consent is not the appropriate lawful basis.” Instead, he pointed out that other grounds such as legal obligation or contractual necessity often apply. On cross-border data transfers, he added, “Even if you sign 1,500 contracts, if you send data to a country with mass surveillance laws, you will breach your obligations as a controller.”

Discussing organisational responsibility, South Asian Technologies Ltd. Chief Technical Strategy Officer Shabeer Shiyam emphasised the role of senior leadership in embedding privacy into corporate culture.

“The leadership of a company... has to lead that discussion and implement those strategies,” he said, adding that boards must adopt principles like data minimisation, pseudonymisation, encryption, and privacy by design. “It’s not an easy task,” he admitted, “especially as privacy is a new topic to Sri Lanka... but it has to be a part of our culture.”


Centre privacy programs on core principles

In a panel discussion moderated by CICRA Holdings CEO/Group Director Boshan Dayaratne, Shiyam advised SMEs to centre their privacy programs around “core privacy principles—data minimisation, purpose specification, retention, accuracy, security.” He reassured smaller organisations that this approach would enable scalability: “Once you do that, scaling it... whether for volume or geography, will not be a problem.”

The panel closed with a crucial clarification: the current amendment to the PDPA “does not touch any of the fundamental principles governing the processing of personal data... or the rights available to data subjects.” Encouraging early adopters, they opined, “If an entity has already started their journey founded on the fundamental principles, you’re in the right direction.” Shiyam proposed a phased enforcement strategy, suggesting that “Part One and Part Three can come into operation first, while penalty provisions come in later.”

Clarifying concerns around individual liability, Shiyam explained that under current provisions, “personal liability does not come into the equation unless there is non-compliance with a directive and failure to pay an imposed penalty.” However, he acknowledged audience concerns, particularly from senior IT and data officers, noting that “directors and officers responsible for the control of the body corporate” may face liability under Section 38(6). “Nevertheless, we have some good news, Section 39 provides for mitigating circumstances that a future regulator must consider before imposing a fine.”

The general consensus was that Sri Lanka’s journey into regulated privacy will be a complex one. “It will take years for an organisation to mature in terms of privacy adoption,” they affirmed. “But with clarity, collaboration, and commitment, the foundations are firmly in place.”

Implementing a Data Protection Management Programme (DPMP) is one of the most challenging yet essential stepping stones for any organisation under Sri Lanka’s Personal Data Protection Act (PDPA), asserted Brandix Director Oshada Sennanayake. “We went through this journey a couple of years ago, and we are still in the middle of it,” he shared, stressing that compliance is not a one-time task but an ongoing process. “It’s a journey. It’s not a one-size-fits-all approach,” the Director noted, urging businesses to design systems that align with their specific operations and risks.

Under Section 12 of the PDPA, all organisations are required to implement a DPMP, a comprehensive set of policies, practices, and procedures to ensure legal compliance and uphold key privacy principles. But as he warned, “Just having something in place like a policy document is not going to be sufficient. It has to be a live thing that is operational.”

He added that regulators will scrutinise not only the existence of policies but also their practical efficacy and efficiency, particularly in the event of a breach.


Executive buy-in and cross-functional collaboration

Executive buy-in and cross-functional collaboration are key to a successful data protection strategy. “A lot of organisations fail when the top management doesn’t really believe in the need to comply,” she said. Establishing clear governance structures and involving legal, IT, and security teams was identified as essential. Equally important is staff awareness: “People are your weakest link when it comes to a breach,” she cautioned, adding that data protection training must go beyond a “simple checkbox” and become embedded in the organisational culture.

The importance of data mapping, minimisation, and proactive risk assessments was also highlighted. McKinsey Sri Lanka Managing Partner Ganaka Herath cited a practical example of privacy by design from the COVID-19 pandemic: “Uber required riders to wear face masks and used a selfie verification system that deleted the image immediately after use. That’s privacy by design.”

In addition, he advised organisations to approach the new legal requirements with confidence and not to feel daunted by them. “If we structure our program well, there’s definitely a chance we can be compliant… It’s about staying the course and building the right culture.”

At a recent data protection event, cybersecurity veteran Shabeer Shiyam captivated audiences with a comprehensive, no-nonsense breakdown of how Sri Lankan enterprises must gear up for the Personal Data Protection Act (PDPA). With over 15 years of experience in the information technology and security services industry, Shiyam, currently Chief Technical Strategy Officer at South Asian Technologies, emphasised that compliance isn’t about any single tool or quick fix. “There is no one product or control that covers all clauses. It’s about people, process, and technology coming together,” he told a room filled with CIOs, CISOs, legal experts, and compliance leaders.

The Brandix Director outlined six of the most pressing questions posed by clients grappling with PDPA obligations – from the location of personal data to managing third-party risks. He highlighted critical technologies such as data discovery, classification, encryption, Data Loss Prevention (DLP), and consent management platforms. “You can’t protect what you can’t find,” he warned, likening the task to “finding a needle in a haystack” if enterprises lack proper data mapping tools.

Additionally, he stressed that adoption success hinges on awareness and alignment across the board. “If people don’t understand the ‘why’, even the best tech fails,” he said. He recommended enterprises begin with a technical gap analysis, align with board-level stakeholders, and phase in tools based on impact and urgency. Technologies such as automation for data subject rights requests, vendor risk management platforms, and Governance Risk and Compliance (GRC) systems also featured in his roadmap.

“Think of this as a journey,” he remarked. “Start small, build gradually, and continuously audit and adjust.” His call for a balance between technical insight and real-time pragmatism set the tone for the panel discussion that followed, featuring legal and compliance leaders from leading companies including Nestlé, MBB Capital Holdings, and Axiata.


Breach response plan

The final panel, moderated by Securities and Exchange Commission (SEC) former Chairman Ranel T. Wijesinha, underscored the urgency of a breach response plan, stressing that “you cannot avoid a data breach—but how you respond matters.” He emphasised isolating affected systems, notifying regulators within 72 hours, and transparently informing affected data subjects. Documentation, internal crisis committees, and communication templates were outlined as essential tools in any company’s breach management strategy.

He observed that supply chain attacks have become as significant a threat as internal breaches. “Assess your vendors, verify their certifications and compliance standards such as ISO 27001, and ensure robust contractual protections,” he advised. The former Chairman also noted that regular audits and clear contractual data protection clauses are vital to ensuring accountability across the supply chain.

Exploring the evolving role of the Data Protection Officer (DPO), the panellists emphasised the need for leadership, not just legal knowledge. “This isn’t just about filling a role,” they asserted, “but about embedding privacy into the very DNA of your organisation.”

The summit underscored a key takeaway: successful PDPA implementation will require a cohesive and coordinated approach across people, processes, and technology — and it must commence without delay. Extending support to the inaugural Data Privacy and Protection Summit were Agility Innovation as Platinum Partner, and Mastercard and Orin. Brand Communications Partner was MullenLowe Sri Lanka and Cinnamon Lakeside was the Hospitality Partner.
