Sri Lanka’s Personal Data Protection Act (PDPA) – Are We Ready?

Wednesday, 28 January 2026 12:55

KBSL's New Leadership Team: (Left to Right) Aruna Dissanayake (COO), Vasee Nesiah (CEO), Pramukh Jayawardena (CSO)

For years, personal data in Sri Lanka moved quietly through businesses—customer profiles, contracts, employee records, and transaction histories—without much public scrutiny. That era has ended. Sri Lanka became the first South Asian nation to enact comprehensive data protection legislation when the Personal Data Protection Act (PDPA) was signed into law on 19 March 2022. The Data Protection Authority (DPA) was established in August 2023, core provisions began taking effect from 1 December 2023, and enforcement was phased in through 2025 to give organizations time to comply.

PDPA marks a fundamental shift in how Sri Lankan organizations collect, store, use, and safeguard customer and staff data. Whether a business operates in retail, finance, healthcare, education, or public services, compliance is no longer optional; it is a legal mandate and a reflection of the organization's credibility and integrity. More importantly, it is becoming central to operational resilience and long-term trust.

PDPA arrives at a pivotal time, when Sri Lankan organizations are adopting digital tools at unprecedented speed while expectations around privacy, security, and accountability continue to rise. Government institutions now require adherence to strict data handling standards, and vendors must align their operations accordingly. Many enterprises are discovering that legacy systems, fragmented databases, and informal processes that were once sufficient for day-to-day operations now expose significant compliance and security gaps. Global research shows that organizations with structured data governance outperform peers in both operational stability and stakeholder trust, underscoring the value of proactive compliance.

Today, compliance cannot be reduced to checklists or certificates. True PDPA readiness requires systems and frameworks that ensure transparency, clarity of processes, and accountability across the data lifecycle. When embedded into daily operations, robust governance empowers teams to innovate without fear of breaches, penalties, service interruptions, or reputational harm.

KBSL Information Technologies (KBSL), with over 38 years of shaping Sri Lanka's enterprise technology landscape, has stepped forward to guide organizations through this transition. Under the leadership of Vasee Nesiah (CEO), Aruna Dissanayake (COO), and Pramukh Jayawardena (CSO), KBSL brings together operational excellence, sector-wide experience, and a strong focus on helping enterprises strengthen resilience while pursuing growth.

Their comprehensive strategy is designed to minimize risk while allowing businesses to focus on growth and innovation. This level of professional support brings genuine peace of mind to organizations navigating the complexities of the law. By partnering with a certified and experienced team, leadership can rest assured that their data protection duties are fully managed and secure.

A critical milestone in KBSL's journey is its recent certification under the ISO 27701 standard, the international benchmark for Privacy Information Management Systems and an extension of the well-known ISO 27001 security standard. This certification is relevant to PDPA because it demonstrates that an organization has the technical and procedural controls needed to manage privacy risks. For clients, it means that the advisor they choose has already met the same rigorous standards that the regulator expects from them.

KBSL’s approach goes beyond helping companies tick compliance boxes. It focuses on protecting data as it flows across interconnected systems, establishing clear responsibilities, and implementing the guardrails essential for minimizing operational and reputational risk. By integrating policies, processes, tools, and leading-edge technology into a unified ecosystem, KBSL ensures organizations can achieve PDPA compliance without managing multiple vendors or disconnected frameworks. Independent auditors provide validation, technology partners supply the solutions, and KBSL orchestrates the entire journey.

To support this nationwide transition, KBSL is hosting a PDPA event at the Cinnamon Grand on 12 February 2026 to help Sri Lankan enterprises navigate PDPA. The event will also explore how organizations can turn compliance into a competitive advantage.

As digital transformation accelerates, PDPA presents both a challenge and an opportunity. Businesses that treat personal data with care signal maturity, strengthen trust, and create the conditions for innovation without compromise. With structured guidance and strong leadership, Sri Lankan enterprises can convert compliance from an obligation into a foundation for sustainable growth, ensuring clarity, accountability, and confidence in an increasingly complex digital ecosystem.

Dr. Aparrajitha Ariyadasa, Attorney-at-Law, CEO of the South Asia Privacy Professionals Association and Chairperson of the IAPP KnowledgeNet Chapter for Sri Lanka, will be speaking at the event.

Dr. Aparrajitha Ariyadasa


Q: How do organisations know if they are truly PDPA-ready, rather than partially compliant?

"Many companies think they are compliant because of basic policies, but true PDPA readiness is broader. It begins with embedding privacy by design across software and processes. A thorough audit identifies gaps, and structured guidance, training, and alignment with ISO 27001 and 27701 make compliance real, not just on paper."

Q: Does PDPA compliance only concern IT or Legal, or does it affect the entire organisation?

"PDPA is not solely an IT or legal issue. Any employee handling personal data, whether in HR, sales, or front-office operations, is part of the compliance ecosystem. Awareness and accountability must reach everyone, making compliance part of the organisational culture."

Q: How should organisations approach PDPA proactively, rather than reactively?

"A proactive approach starts with understanding your data landscape. Mapping flows, assessing risks, and embedding privacy practices early ensures compliance is part of daily operations."

Q: What are the consequences of not being PDPA compliant?

"Non-compliance is more than a fine, which can reach 10 million rupees locally. It also exposes organisations to international legal risks, reputational damage, and loss of trust."