Data Protection in Paradise — Part 1

Data Protection in Paradise: A Practitioner’s Guide to Sri Lanka’s PDPA

The first in a twelve-part series examining Sri Lanka’s Personal Data Protection Act through the lens of enterprise software, behavioural economics, and business reality.

Sri Lanka made history in March 2022 by becoming the first South Asian country to enact comprehensive data protection legislation. The Personal Data Protection Act No. 9 of 2022 — the PDPA — received certification on 19 March 2022, creating a legal framework for how personal data is collected, processed, stored, and shared across the island.

And almost nobody in the Sri Lankan business community truly understands it.

This is not a criticism. The Act is dense, technically complex, and was enacted during a period when Sri Lanka had rather more pressing concerns — a sovereign debt default, an economic crisis, a political upheaval, and an IMF programme that consumed nearly all available institutional bandwidth. Data protection was, understandably, not the first thing on anyone’s mind.

But here we are in 2026, and the PDPA is no longer a distant abstraction. The Data Protection Authority has been established. A Board has been constituted. An Amendment Act was certified in October 2025. The institutional machinery is slowly, fitfully, coming to life.

And most Sri Lankan businesses — from the largest listed conglomerates to the smallest e-commerce operators — are not ready.

Why This Series Exists

There is no shortage of legal commentary on the PDPA. Several excellent law firms have published detailed analyses. The Information and Communication Technology Agency (ICTA) has produced guidance documents. Academic papers have been written.

What does not exist — or did not, until now — is a practitioner’s guide. Something written not by lawyers for lawyers, but by someone who builds enterprise software systems, who has sat in rooms where compliance decisions are actually made, and who understands that the gap between what a law says and what organisations actually do is where all the interesting problems live.

This series is that guide.

Over twelve parts, we will work through the PDPA section by section, obligation by obligation, examining each through three lenses:

Enterprise software. What does this obligation actually mean for the systems you build and operate? What needs to change in your databases, your APIs, your data pipelines, your consent management infrastructure? Where are the technical landmines?

Behavioural economics. How will real humans — your customers, your employees, your data subjects — actually behave when confronted with the choices and rights the PDPA creates? What does the research tell us about consent, about defaults, about the gap between intention and action?

Business reality. What does compliance actually cost? Where are the competitive advantages? What are the risks of non-compliance, and how do they compare to the risks of over-compliance? What should you do first, second, third?

This is not legal advice. I am not a lawyer. If you need legal advice, hire a lawyer — ideally one who has actually read the Act, which narrows the field more than you might expect. This is practical guidance for the people who will actually have to implement whatever the lawyers advise.

The State of Play

Before we dive in, let’s establish what is actually in force as of March 2026.

The PDPA was enacted with a staggered commencement structure. Not all provisions came into force at once. The original Act brought Part I (Preliminary) and Part VII (the Data Protection Authority) into immediate operation. This means the Authority exists, the Board is constituted, and the institutional framework is live.

But the core obligations — the rules about how you process data, the rights of data subjects, the requirements for Data Protection Officers, the cross-border transfer restrictions, the penalties — these are in Parts II, III, IV, V, and VI, and they are still waiting for commencement dates that have not yet been confirmed.

The 2025 Amendment changed the commencement mechanism. Under the original Act, Parts II through VI were supposed to commence on a date appointed by the Minister. The Amendment replaced this with a more flexible structure: different provisions can be brought into force on different dates by Gazette notification. This is pragmatic — it allows the Authority to phase in obligations rather than switching everything on at once.

But it also means we are in a peculiar limbo. The Authority exists. The Board is constituted. The law is on the books. But the core obligations, the rights, the penalties — these are still waiting. Schrödinger’s Regulation.

We will examine this implementation paradox in detail in Part 2. For now, the key point is this: the smart money is on substantive commencement beginning in late 2026 or early 2027. If you wait until the Gazette notification to start preparing, you will be too late.

What the PDPA Actually Does

At its core, the PDPA establishes six fundamental obligations for anyone who processes personal data in Sri Lanka, or processes the personal data of persons in Sri Lanka. These six obligations form the backbone of the entire regulatory framework:

1. Lawful Processing

You must have a legal basis for processing personal data. The Act provides several possible bases — consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. You cannot simply collect and process data because you want to or because it might be useful someday. Every processing activity must be grounded in one of these bases, and you must be able to demonstrate which one applies.

This is more revolutionary than it sounds. The current default in Sri Lankan business practice is that data collection requires no justification at all. You collect because you can. The PDPA inverts this entirely.

2. Purpose Limitation

You must collect personal data for specified, explicit, and legitimate purposes, and you must not process it further in a manner incompatible with those purposes. If you collect someone’s phone number to deliver a parcel, you cannot later use it to send marketing messages — unless you have a separate legal basis for doing so.

This will be particularly disruptive for organisations that have built their data strategies around the assumption that once you have data, you can use it for anything. The “data lake” mentality — pour everything in, figure out what to do with it later — is fundamentally incompatible with purpose limitation.

3. Data Minimisation

You must ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. If you only need someone’s name and email to create an account, you cannot also require their national identity card number, date of birth, mother’s maiden name, and blood type.

Walk into almost any Sri Lankan institution — a bank, a telco, a government office — and look at the forms they ask you to fill out. Then ask yourself how much of that information is actually necessary for the service being provided. The gap between current practice and PDPA compliance is a canyon.

4. Accuracy

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay.

This creates affirmative obligations. It is not enough to simply record what someone tells you and never look at it again. If you know or should know that data is inaccurate, you must take steps to correct it. This has significant implications for data quality practices, master data management, and the frequency of data verification processes.

5. Storage Limitation

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. You cannot keep data forever “just in case.” You must have retention policies, and those policies must be linked to the purposes for which the data was collected.

This is going to be extremely painful for organisations that have never deleted anything. And in Sri Lanka, that is nearly all of them. The cultural and institutional default is to keep everything, forever, because storage is cheap and deletion is scary. The PDPA says the opposite: keeping data without justification is the scary part.

6. Integrity and Confidentiality

Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This requires appropriate technical and organisational measures.

The Act does not prescribe specific security standards — it uses the language of “appropriate” measures, which means the standard is contextual. What is appropriate for a hospital processing medical records is different from what is appropriate for a small retailer processing delivery addresses. But the obligation exists across the board: if you process personal data, you must protect it.

These six obligations are not optional. They are not aspirational. When the relevant Parts commence, they will be legally binding on every controller and processor operating within the scope of the Act. And the scope is broad — it covers processing that takes place in Sri Lanka, processing by Sri Lankan entities regardless of where the processing occurs, and processing of personal data of persons in Sri Lanka by entities outside the country.

What the 2025 Amendment Changed

The Personal Data Protection (Amendment) Act, No. 22 of 2025, was certified on 30 October 2025. It makes surgical but significant changes to thirteen sections of the original Act. We will examine each change in detail in Part 3, but the headlines are:

Commencement timeline. The Amendment replaces the original single commencement mechanism with a flexible, provision-by-provision approach. Different parts of the Act can now be brought into force on different dates. This is pragmatic and reflects the reality that some provisions require more institutional readiness than others.

Cross-border data flows. The original Act imposed strict restrictions on transferring personal data outside Sri Lanka, requiring either adequacy determinations or specific safeguards. The Amendment dramatically liberalises this, shifting to a model where cross-border transfers are permitted unless the Authority specifically restricts them. This is excellent news for Sri Lanka’s IT and BPO sector.

Response timelines. The original Act required controllers to respond to data subject requests within 14 days. The Amendment extends this to 21 days, with the possibility of a further 21-day extension for complex requests. Pragmatic, given institutional capacity constraints.

Data subject requests free of charge. The Amendment explicitly states that controllers cannot charge fees for processing data subject requests. This removes an ambiguity in the original Act and aligns Sri Lanka with international best practice.

Data Protection Officer definition expanded. The Amendment broadens the definition of who can serve as a DPO, relaxing some of the more restrictive requirements in the original Act. This is important given the severe shortage of qualified data protection professionals in Sri Lanka.

Public authority definition narrowed. The Amendment tightens the definition of “public authority” for the purposes of the Act. This has implications for which government entities are subject to PDPA requirements and which rely on other legal frameworks.

The Twelve Areas This Series Will Cover

Over the coming weeks, this series will work through the PDPA systematically. Each part will be self-contained — you can read them in any order — but they are designed to build on each other. Here is the roadmap:

Part 1 (this article) — Overview and orientation. What the PDPA is, what it does, and why you should care.

Part 2 — The Implementation Paradox. The strange limbo of a law that exists but hasn’t commenced. What’s in force, what isn’t, and what the timeline looks like.

Part 3 — The 2025 Amendment. A section-by-section breakdown of every change, what it means, and who it affects.

Part 4 — Consent Theatre. Why your cookie banner won’t save you. The behavioural economics of consent, and what genuine consent actually requires.

Part 5 — The Compliance Overlap. Four laws, one bank. How the PDPA interacts with existing regulation in banking, telecoms, and healthcare.

Part 6 — Cross-Border Data Flows. What the Amendment actually changed for Sri Lanka’s IT sector, and what it means for contracts, cloud infrastructure, and outsourcing.

Part 7 — AI and Automated Decision-Making. Two words the Amendment added that changed everything about algorithmic accountability in Sri Lanka.

Part 8 — The DPO Gap. Building a privacy profession from scratch. The skills, the training, the institutional challenge.

Part 9 — Solicited Messages and Direct Marketing. Your SMS marketing is about to become illegal. The end of spray-and-pray.

Part 10 — Data Protection Impact Assessments. A practical guide to DPIAs under the PDPA — when you need one, how to do one, what to do with the results.

Part 11 — Penalties and Enforcement. The Rs. 10 million question. How the penalty regime actually works, and why the headline number is not the real risk.

Part 12 — Building a Compliance Roadmap. Putting it all together. A phased, prioritised approach to PDPA readiness for organisations of different sizes and sectors.

Who This Series Is For

This series is written for three audiences:

Technology leaders — CTOs, engineering managers, architects, and developers who will need to build compliance into the systems they design and operate. You need to understand not just what the law requires, but how to implement it in code and infrastructure.

Business leaders — CEOs, COOs, CFOs, and board members who need to understand the strategic implications of data protection regulation. You need to know what this costs, what the risks are, and where the opportunities lie.

Compliance professionals — legal counsel, compliance officers, DPOs (current and future), and consultants who need a practical framework for operationalising the PDPA. You need to bridge the gap between what the law says and what the organisation actually does.

If you fall into any of these categories — or if you are simply someone who wants to understand how data protection is going to reshape business in Sri Lanka — this series is for you.

The PDPA is not just a compliance obligation. It is a forcing function for better data practices, better system design, and better relationships with the people whose data you hold. The organisations that understand this first will have an enormous advantage. The ones that treat it as a box-ticking exercise will spend more, achieve less, and face greater risk.

Let’s find out which category you fall into.

Let’s begin.

Next in the series: The Law That Exists But Doesn’t
