Importance of data protection for organisations in Sri Lanka

Wednesday, 21 May 2025 00:20
In an increasingly digital world where data has become one of the most valuable assets, the need to protect personal and sensitive information is more important than ever. This raises the question: as Sri Lanka attempts to strengthen its data protection policies, are we truly ready?

Global lessons: Looking to Europe and Australia

The European Union set a benchmark with the General Data Protection Regulation (GDPR) in 2018. The GDPR changed how personal data is handled in the EU by giving people more control over how their data is collected and used, and by introducing strict penalties for companies that do not follow the rules.

Similarly, Australia introduced the Privacy Act of 1988, which has since evolved to address contemporary data privacy concerns, particularly with regard to consent, data breaches, and cross-border data flows. These frameworks underscore the importance of long-term commitment, clear regulatory enforcement, and public awareness.

The Sri Lankan context

In 2022, Sri Lanka introduced its own Personal Data Protection Act (PDPA) – a commendable and necessary step. This Act aligns with international norms and seeks to establish a legal framework to govern the collection, processing, storage, and dissemination of personal data. This applies to any processing of personal data within Sri Lanka and by entities offering goods/services to, or monitoring the behaviour of, individuals in Sri Lanka, and excludes personal/domestic data use by individuals and data that is not personal in nature. This legislation aims to ensure that citizens and consumers can trust that their personal data is processed lawfully, fairly, and responsibly.

However, despite the legislative development, concerns remain about implementation readiness. Is our public sector equipped to safeguard citizen data? Are private companies – particularly Small and Medium-sized Enterprises (SMEs) – aware of their obligations? Is the general public informed of their data rights? More research is needed on Sri Lankan organisations to assess their readiness in this regard.

Importance of data protection

The Data Protection Authority (DPA) of Sri Lanka underscores the critical importance of data protection in today’s digital landscape. Its official website highlights several key reasons why safeguarding personal data is essential:

1. Protecting privacy

The right to privacy is fundamental. Ensuring that personal data is protected means it cannot be disclosed without an individual’s consent, thereby upholding personal freedoms and dignity.

2. Preventing crime

Robust data protection measures help prevent crimes such as identity theft. By securing personal information, individuals are less vulnerable to fraudulent activities.

3. Enabling innovation

When data is protected, companies can confidently develop new and innovative solutions. This secure environment fosters creativity and technological advancement.

4. Building trust in digital services and businesses

Data protection enhances public trust in digital platforms and businesses. When users feel their information is secure, they are more likely to engage with online services, contributing to economic growth.

5. Ensuring fairness, transparency, and anti-discrimination

Fair and transparent data practices prevent bias and discrimination. By adhering to ethical standards, organisations ensure equitable treatment of all individuals.

Understanding data privacy: Users, Custodians, Controllers and Processors

To fully grasp data protection, one must understand the ecosystem of stakeholders involved:

Data Subjects (Users): These are individuals whose data is collected. They have the right to be informed, to access their data, and to request corrections or deletions.

Data Custodians: These entities are responsible for the technical and administrative safeguarding of data. They ensure data is stored securely, backed up, and protected from breaches.

Data Controllers: These determine the purpose and method of processing personal data. They must obtain proper consent, ensure transparency, and guarantee compliance with privacy regulations.

Data Processors: These process personal data on behalf of controllers and act on the controllers’ instructions.

The four parties above can be understood in relation to a bank as follows.

Data Subject: The bank’s customer, such as Mr. Fernando, who opens a savings account and registers for mobile banking.

Data Custodians: The bank’s IT and security teams responsible for safeguarding data through secure servers, databases, and cyber security measures.

Data Controllers: The bank’s management and compliance teams who determine the purpose and methods of processing customer data.

Data Processors: External third-party service providers engaged by the bank to process data on its behalf, under the bank’s instructions.

Further, under Section 20 of the Personal Data Protection Act, No. 9 of 2022, every controller and processor shall, in certain circumstances, designate or appoint a Data Protection Officer (DPO) to ensure compliance with the provisions of the Act. One such circumstance is where the processing is carried out by a Ministry, Government department or public corporation, other than the judiciary acting in its judicial capacity.

Each role carries distinct responsibilities, and the success of a data protection framework depends on all parties understanding and fulfilling their duties.

How to ensure compliance and accountability

Compliance and accountability under data privacy laws such as Sri Lanka’s Personal Data Protection Act (PDPA) can be effectively achieved within organisations through a comprehensive data governance framework. This includes implementing a Data Protection Management Program (DPMP), appointing a qualified DPO, and maintaining detailed records of data processing activities.

Regular data audits play a crucial role in identifying risks, verifying adherence to policies, and documenting corrective actions. Organisations must also conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, ensure systems are in place to facilitate data subject rights (e.g., access, correction, deletion), and integrate privacy principles into employee training and internal controls. Additionally, an effective incident response and breach notification plan is essential. Together, these measures ensure that data privacy is embedded in both strategic and operational levels of the organisation, reinforcing trust and legal compliance.

Why compliance and accountability matter

Under the PDPA, No. 9 of 2022, non-compliance can result in a penalty not exceeding Rs. 10 million for each instance of non-compliance.

Non-compliance doesn’t just attract legal penalties – it risks reputational damage, loss of customer trust, and even financial ruin. In a hyper-connected world, a single data breach can reverberate globally. Organisations must, therefore, embed privacy principles deeply within their operations.

Moreover, customer trust is increasingly becoming a competitive differentiator. Businesses that are transparent and respectful of user data will thrive in this new landscape.

Privacy by Design: A strategic imperative

Data privacy shouldn’t be an afterthought – it must be designed into systems, processes, and products from the ground up. This principle, known as ‘Privacy by Design,’ is crucial for building resilient digital infrastructure.

From app development to cloud storage solutions, data minimisation, encryption, access controls, and audit trails must be integrated into the earliest stages of system architecture.

Importantly, employee awareness and training also form a key pillar of this design ethos.

The road ahead for Sri Lanka

Sri Lanka has taken a commendable first step with its PDPA, but legislation alone is not enough. A nationwide data protection culture must be cultivated through:

  • Strong enforcement mechanisms.
  • Capacity-building in both public and private sectors.
  • Public education campaigns to inform citizens of their rights.
  • Cross-sector collaboration to ensure consistent standards.

The question isn’t just whether Sri Lanka has a data protection law but whether its institutions, businesses, and citizens are ready to live by its spirit.

As we move deeper into the digital age, the readiness for data protection is not just a technical challenge but a societal one. It demands not just regulations, but a cultural shift towards transparency, accountability, and respect for privacy.

(The writer is a Senior Chartered Accountant with over 20 years of experience, primarily in the banking sector, and is currently serving as AGM – Audit at one of the leading banks. He is also a CISA-certified auditor (ISACA) and a visiting lecturer at PIM, CA Business School, and IBSL.)
