Personal Data Protection Act (PDPA) of Sri Lanka

Anne Deshani
Mar 12, 2024


What is this PDPA? The following are a few questions that first came to my mind regarding the PDPA, which is the Personal Data Protection Act, No. 9 of 2022.

What does this PDPA mean?
Who made this mandatory?
Who is this relative to?
Who is in charge of compliance?
What are the consequences?

People who are aware of global data protection frameworks may already be familiar with the PDPA, which became effective on March 19, 2022. Taking international best practices into consideration, the PDPA was created as a law to protect personal data. I intend to write a brief series covering the PDPA so that any individual can learn more about it simply. Thus, let’s begin with a brief introduction for the time being.

Simply put, the PDPA deals with personal data. What then qualifies as personal data? Any data that can be used to identify a specific person, also known as a data subject, is considered personal data.
For example: name, age, address, phone number.
In accordance with the PDPA, certain personal data is treated separately as a special category of personal data.
For example: health data, personal data of children.

Our next question, then, is: what is the purpose of identifying personal data? The PDPA states its goal very plainly. Its purpose is to “protect individual’s personal data.” The Act lays down safeguards for people’s personal information that is held by the government, banks, telecom companies, hospitals, and other public and commercial organizations. By notice, the controller or processor is required to pay a penalty for each non-compliance, up to a maximum of 10 million rupees.

The data controller and the data processor are two parties covered under the Personal Data Protection Act.

Data Controller -> A data controller controls the procedures and purpose of data usage. Protecting the rights and privacy of the data subject is primarily the data controller’s responsibility.

Data Processor -> A data processor processes any data that the data controller provides to it.

The Act primarily targets data subjects in Sri Lanka and is intended to apply to companies both inside and outside of the country, including those that provide products or services to Sri Lankans. Digital platforms that offer services to Sri Lankans from outside the country may fall under this category. Among other things, the Act now establishes a legal framework with safeguards for Data Subjects’ personal information.

Therefore, an authority should be established in accordance with the PDPA for the purposes of this Act. As a result, in July 2023, the Data Protection Authority (DPA) was officially created. A Board of Directors will be responsible for the administration, management and control of the affairs of the Authority. The President will designate as Board Chairperson a member who has proven to be an outstanding leader in either the public or private sector.

The PDPA covers ten sections and six schedules.

I — X Sections
I — VI Schedules

The dates on which parts I — X of the PDPA will take effect are listed below.

Effective Dates

In the upcoming articles, I will explain the Personal Data Protection Act in more depth under these sections. For further details, please refer to the published Personal Data Protection Act.
