Sri Lanka Personal Data Protection Act | Sri Lanka PDPA
The Trust Challenge

Key Obligations & Consequences

Ensuring that personal data that is processed is accurate and kept up to date, with every reasonable step being taken to erase or rectify any inaccurate or outdated personal data, without undue delay.

Ensuring that personal data is kept in a form which permits identification of data subjects only for such period which is necessary or required to achieve the purpose for which the data was processed. A controller may store personal data for longer periods if the personal data is being processed further for archiving purposes in the public interest, scientific research, historical research or statistical purposes.

Ensuring integrity and confidentiality by using measures such as encryption, pseudonymisation, anonymisation or access controls in order to prevent the unauthorized or unlawful processing of personal data or loss, destruction or damage of personal data.

Processing personal data in a transparent manner, by providing data subjects with information relating to the collection of data and information regarding any decisions made in relation to requests made by data subjects, in writing or by electronic means and “in a concise, transparent, intelligible and easily accessible form”.

Ensuring that the processor (who is carrying out processing on behalf of the controller) is bound by a contract setting out the parameters of such processing, and is using appropriate technical and organizational measures to protect the rights of the data subjects.


The Trust Challenge

Key Challenges in brief:

Under the DPA, the data controller has to maintain the following key records, amongst others:

  • Personal data collected (“Data Inventory”)
  • Retention period for the personal data (“Data Minimization”)
  • Rights and methods in accessing the personal data (“Data Subject Rights”)

International transfer of personal data

This is permissible under the DPA in a limited number of circumstances. Therefore, the data flow (outgoing personal and sensitive data) ought to be monitored appropriately.

Data Breach notification

Using the centralized database along with the necessary workflow, automate all data breach notifications so that all the concerned parties, such as the regulatory authorities and affected data subjects, are alerted as soon as possible, and set a response plan in action.

Fulfillment of Data Subject rights

Data subjects have a series of rights conferred upon them by the PDPA, for instance the right to access, right to withdrawal of consent, right to rectification, right to appeal and right to erasure. Individual data subjects raise various requests pertaining to these rights.

Data Retention/Minimization/Deletion

The PDPA stipulates that an organization should not retain personal data for longer than is necessary to achieve the specified purpose of processing the data. This is subject to the exception of the retention period enshrined under the PDPA. After the mandatory retention period, the data has to be erased or deleted.
