Data protection in action: Navigating compliance, challenges and opportunities for finance firms

Monday, 22 June 2026 00:00

From left: Data Protection Authority of Sri Lanka Director General Dimuth Atapattu, Board Member Jayantha Fernando, HNB Chief Information Security Officer Suresh Emmanuel, Information Privacy and Technology Law Legal Consultant Sanduni Wickramasinghe, and D. L. & F. De Saram Consultant Counsel Shenuka Jayalath 


  • Experts share key insights at Compliance Forum of Finance Houses Association of Sri Lanka

By Safna Malik 

Personal Data Protection Act (PDPA) No. 09 of 2022 moved closer to becoming an operational reality last week, as the Finance Houses Association of Sri Lanka (FHASL) convened an awareness session at the Galadari Hotel, bringing together some of the country’s foremost legal, regulatory, and cybersecurity minds to chart the compliance road ahead for the Licenced Finance Company (LFC) sector.

The forum, held under the Association’s Compliance Forum 2025/26, titled “Data Protection in Action: Navigating Compliance, Challenges and Opportunities,” drew key responsible persons from across the LFC sector for what turned out to be one of the most substantive public conversations yet on what enforcement of the PDPA will actually look like and what financial institutions must do now to avoid being caught flat-footed when the Act comes into full force.

The experts discussed the practical side of data privacy. The session was led by DL&F De Saram Consultant Counsel Shenuka Jayalath.

The panel included the Data Protection Authority of Sri Lanka Director General Dimuth Atapattu; Heritage Partners Partner and Data Protection Law Drafting Committee Chair Jayantha Fernando; Hatton National Bank Chief Information Security Officer Suresh Emmanuel; and Information Privacy and Technology Law Legal Consultant Sanduni Wickramasinghe.

The Data Protection Act is becoming fully operational as the Data Protection Authority of Sri Lanka expands its team; as new regulations are set to be gazetted, organisations are required to take proactive steps to align with strict standards before formal enforcement begins.

The regulatory timeline

Atapattu discussed the progress being made, noting that since his appointment, he has frequently received the same question from regulators, industry leaders, and the public: when will enforcement begin?

He confirmed that the Data Protection Authority remains active while completing its staffing process. Several sections of the Act are currently with the Legal Draftsman’s Department and will be published as official gazette notices shortly. These notices will affect compliance obligations for financial institutions. Additionally, drafted regulations, rules, and directives are already available on the Authority’s website and will also be published in the gazette.

Atapattu highlighted that many upcoming changes will directly affect data protection compliance within technical operations. With senior roles expected to be filled in the coming weeks, he indicated that the Authority will significantly increase its public visibility and pace of operations in the near future.

Understanding the enforcement approach

With the regulatory deadline approaching, the primary concern for compliance officers was the scale and application of penalties. Fernando provided reassurance, while noting that the law’s architecture is designed to be firm, not reckless.

He described Sri Lanka’s enforcement model as unique compared to regional neighbours, noting that the PDPA balances data protection with the needs of growth and innovation. “I don’t think that any regulator, given the circumstances through which the country has gone, will look at its own subject of enforcement in a disproportionate manner.”

On the international front, Fernando mentioned that Sri Lanka is expected to become a member of the Global Privacy Assembly within the next year. This will align the country’s approach with international standards for independent oversight and cross-border cooperation. He noted that this membership will strengthen the Authority’s independence, which sets it apart from neighbouring countries where data protection oversight is managed by Government Ministries.

Prior to any penalty being imposed, the law mandates an inquiry process through which a violating party must be given an opportunity to correct its non-compliant behaviour. Only if a direction under Section 35 is ignored, or if a deliberate subsequent violation occurs, does Section 38, the penalty provision, become operative.

He also drew attention to Section 39, which provides a defined set of mitigating factors that the Authority must consider when calculating any penalty. Crucially, the extent to which an organisation has established and maintained an internal compliance system is explicitly listed as a mitigating factor. 

Fernando’s message to boards and compliance teams was direct: document everything, engage cooperatively with the regulator, and treat compliance not merely as a legal burden but as a tool for building customer trust. “I would argue that while this is a regulatory requirement, you can use this as a tool or legal instrument to build your customer trust,” he said.

Managing data processing beyond consent

Wickramasinghe described as a misconception the widely held idea that the PDPA is essentially a consent-driven law, requiring financial institutions to obtain customer consent for every instance of personal data processing.

“The PDPA requires you to meet all processing via consent, this is personal data under the PDPA, and individuals think it’s primarily a consent-driven law, which is not the case,” Wickramasinghe said, drawing an explicit parallel with the General Data Protection Regulation (GDPR).

Wickramasinghe explained that the Act allows for data processing based on more than just consent. Other valid bases include fulfilling a contract, meeting a legal obligation, and pursuing a legitimate interest. For a Licenced Finance Company (LFC) subject to the Financial Transactions Reporting Act, which requires Customer Due Diligence, transaction monitoring, and the filing of Suspicious Transaction Reports (STRs), these activities are legal requirements and do not need separate customer consent.

“If you are filing an STR, you must report the transaction. You do not need to seek consent for this type of compliance activity,” Wickramasinghe noted. “The law requires you to use certain data for this purpose, and you have an obligation to act within the governing laws.”

She identified one exception where consent is mandatory: marketing communications. If an institution uses customer data for marketing, it must obtain consent through a specific request that is entirely separate from general terms and conditions and the institution’s privacy policy.

Wickramasinghe emphasised the difference between a privacy policy and a consent form. A privacy notice is an informational document explaining how data is processed; it does not count as consent. “You cannot include it in your general terms and conditions, or claim that agreeing to those terms also counts as accepting the data protection notice,” she stated.

She also warned about the risks of asking for consent when it is not strictly required. Requesting consent grants the individual the legal right to withdraw it at any time, which forces the institution to maintain systems capable of processing these withdrawals. “Consent can be difficult to manage,” she cautioned. “It seems simple, but it is more complex than it appears.”

Finally, she argued that “legitimate interest” is often a more suitable basis than many organisations realise. It allows an institution to balance its operational needs against an individual’s expectations without requiring explicit consent, provided the institution can show that the individual’s rights are protected.

Facing artificial intelligence and cyber risks

Emmanuel offered a practical perspective on a difficult aspect of PDPA compliance: mapping and protecting personal data across complex systems while cyber threats are increasing.

He identified AI as a particularly complex issue. Large language models and AI platforms create new data governance risks, including the possibility that personal data collected for an original purpose is fed into AI systems for extended purposes that customers were never informed about.

Obtaining updated consent from a large existing customer base remains a significant practical hurdle that the industry has not yet resolved, particularly in banking where many customers do not use digital services.

“Gaining consent from existing customers is quite difficult,” he acknowledged. “Sometimes there is the excuse that they cannot opt in. If we send out a notice and people do not respond, what do we do? Do we have to remove them as customers?”

He described how cloud migration complicates matters further. Most organisations have already moved infrastructure to cloud space, meaning customer data is hosted beyond local perimeters, often without explicit consent having been obtained when the migration occurred.

Regarding cybersecurity threats, he mentioned that financial scams exploiting personally identifiable information have become increasingly sophisticated, with targeted phishing approaches that leverage personal data in highly advanced ways. Managing this threat has become a full-time job for banking and financial institutions.

The sheer scale of PDPA compliance was best shown by the Hatton National Bank’s data mapping exercise. When the bank undertook the process of identifying and cataloguing its personal data flows, it discovered approximately 100 distinct business departments running close to 1,500 separate business processes, each handling different categories of personal data.

Data mapping takes a lot of resources; even with automated software tools, it is a tedious process. He advised: “Start now, start early, and begin at the collection point. You should not collect any data that is not compliant with processing requirements. That is where data protection begins.”

Public sector readiness

Atapattu turned his attention to the public sector, which holds a larger volume of sensitive personal data regarding Sri Lankans than the private sector. He described an organisation actively prioritising readiness, even while acknowledging there is much work to be done.

Unlike India’s Digital Personal Data Protection Act, which only covers digital data, the Sri Lankan PDPA covers both digital and physical structured data. This wider scope makes compliance considerably more complex for government agencies, such as the Department for Registration of Persons, the Department of Immigration and Emigration, the Pensions Department, the Motor Traffic Department, and Land Registries.

“From my experience in the public sector, the accountability and responsibility structures have not always been as robust as expected,” Atapattu said. “When it comes to personal data protection, privacy, or even cybersecurity, the private sector is often further ahead, while the public sector requires significant support.”

The Authority has already issued a formal circular to public sector organisations outlining data mapping requirements, Data Protection Officer obligations, and capacity building programmes. Guidance and circulars are updated regularly. However, Atapattu was clear that this is a phased process. The goal at this stage is to drive awareness and build internal capacity across Government departments, before requiring full compliance.

“The public sector needs more resources and policy support from the government, alongside external expertise. A Data Protection Officer cannot achieve this alone. Success requires policy frameworks, financial resources, capacity building, and clear liability structures to come together.”

Taking responsibility at the Board level

Fernando argued that data protection can no longer be treated as a matter solely for the IT or compliance departments. It is a governance function equal to financial risk management or corporate taxation, and boards that treat it as less are exposing themselves and individual directors to significant personal liability.

Section 38(6) of the Act explicitly extends corporate liability to every director and officer responsible for managing and controlling the activity. Wilful blindness or institutional negligence regarding data subject rights creates clear pathways for personal penalties against individual board members.

“Boards often fail to provide deliberate oversight based on proper insights,” Fernando said. “Just as the board oversees audit, risk, and compliance committees, they must ensure dedicated discussion on data protection practices.”

The draft criteria under the Act make it clear that the responsibility for data protection compliance cannot be delegated entirely to one individual. An integrated management framework is required, supported by board level resource allocation and a genuine understanding of the organisation’s data flows.

Defining the Data Protection Officer role

Wickramasinghe explained the role of the Data Protection Officer. The PDPA specifies the categories of organisations required to appoint a DPO, which generally includes those where data processing is a core activity and that meet established thresholds. This role can be filled by existing personnel, such as a general counsel, Chief Risk Officer, or Chief Information Security Officer, provided they can fulfil statutory obligations without a conflict of interest. 

She noted that a Chief Marketing Officer would represent such a conflict, given the tension between maximising data collection for commercial purposes and the mandate of the DPO to enforce data minimisation and protection.

While current draft regulations do not yet impose the strict autonomy requirements seen under the GDPR, Wickramasinghe indicated that organisations should move towards a structurally independent DPO function as their data management programs mature, even if this is not currently a strict legal requirement. “Combining these functions might be necessary during the initial implementation phase,” she said, “but organisations should consider making the DPO role an entirely independent function as their data management program matures.”

Lessons from practical implementation

Emmanuel provided a survival guide for practitioners based on the extensive compliance journey of the bank, which he emphasised is still ongoing.

The starting point, he said, is ownership. Senior personnel must be personally accountable for the data protection programme, with the authority to drive it across departmental lines. Following this, the priority is a systematic data inventory. This involves identifying the personal data the organisation collects, tracing its path, noting how it is processed, identifying who has access to it, determining how it is archived, and establishing an exit strategy for when it moves to or from third parties.

The approach taken by the bank regarding Data Subject Requests provided a valuable lesson. When the institution published its data privacy policy and made data subject rights accessible early last year, the response was immediate and voluminous. 

Customers requested confirmation of what data the institution held, asked for the deletion of data, and raised various queries related to rights. The bank had to develop formal, legally reviewed processes that were friendly to customers to manage these requests. “We went through the cycle, learned new areas, and now we know how to respond properly,” Emmanuel said. “Figuring out this DSR process itself is a major process.”

His final note of warning was measured. For a large institution, the journey from initiation to reasonable compliance took more than three years, and refinement continues. For Licenced Finance Companies that have not yet started, the clock is already running. He suggested initiating the process as soon as possible, as the framework is a challenge for any organisation.
