Justice, prisons affairs and constitutional reforms minister Dr. Wijeyadasa Rajapakshe yesterday (12) revealed that the Sri Lanka Personal Data Protection Authority,
established to safeguard personal data within the nation, will be fully functional by early 2024.
He made this disclosure speaking at the inauguration of the 9th annual Cyber Security Summit, organised by the Daily FT in partnership with CICRA Holdings Ltd.
“The Data Protection Authority is expected to commence full operations in early 2024, with vital responsibilities such as developing guidelines, investigating complaints, imposing penalties and raising awareness of data protection rights among individuals and organisations,” said Rajapakshe who was the chief guest at the summit which saw a record participation of 350 IT and risk management professionals, employees and university students.
Emphasising the importance of setting up the Authority, Dr. Rajapakshe said local organisations are still required to comply with the Personal Data Protection Act (PDPA) provisions as the Authority is yet to be fully functional.
“Establishing the Data Protection Authority is a milestone in data protection in Sri Lanka. However, until it becomes fully functional, organisations in Sri Lanka are required to comply with the Personal Data Protection Act provisions that have already come into effect. This includes obtaining the consent of individuals before collecting, using or disclosing their data,” said Dr. Rajapakshe.
Earlier this week president Ranil Wickremesinghe appointed members to the Board of the Sri Lanka Personal Data Protection Authority, which comprises seven individuals with expertise in engineering, accounting/finance, law and regulatory affairs. Former Ernst & Young Sri Lanka and the Maldives Consulting Leader and Senior Chartered Accountant Arjuna Herath leads the Board.
Sri Lanka’s Personal Data Protection Act No. 9 of 2022 has been making strides toward full implementation. The Act, certified by the Speaker on 19 March 2022, aims to safeguard personal data held by various entities, including Government bodies, banks, telecom operators and hospitals.
This legislation, the first in South Asia, was developed transparently, with draft versions made available for public comment in June 2019. The PDPA is set to be implemented in phases. A Gazette notification on 21 July 2023 brought Part V into operation.
The Board of Directors is in the deliberation and planning phase for creating the Data Protection Authority. The first step involves recommending the operation of Part VIII (Fund of the Authority) and Part IX of the Act to design the organisational framework, recruitment procedures and roles of key officers, including the Director General.
The Authority plans to formulate policy frameworks and regulations to meet the Act’s enforcement deadline of 19 March 2025. It will hold public consultations and engage with advisory committees representing critical sectors of the economy and other stakeholders to ensure comprehensive and effective data protection measures. The Authority is set to commence public consultations and awareness campaigns once it has the necessary capacity, a process expected to take several months.
A flagship event in Sri Lanka’s cyber security calendar, the summit brought together international and local experts to share key insights to the threat of cybercrime and strategies and solutions available to secure organisations and individuals.
This year’s full-day summit focussed on three critical areas: Payment Card Industry Data Protection, Cloud Security, and Zero Trust. Strategic partners of the summit are Visa and Huawei. Official Payment Network is LankaPay, Official finance company partner People’s Leasing and Finance PLC, Knowledge partners PCI Security Standards Council and ISC2 Chapter Sri Lanka, Creative Partner Mullenlowe and Hospitality partner Cinnamon Grand.