EY stresses need for navigating privacy compliance with upcoming legislative changes

Thursday, 10 April 2025 00:02 - - {{hitsCtrl.values.hits}}

“Global Cybersecurity Index, published by International Telecommunication Union, ranks Sri Lanka in 83rd place out of 190 nations”
Sri Lanka Computer Emergency Readiness Team reports handling of over 300 cybersecurity incidents (excluding social media incidents) for 2024, while reported cases were only slightly above 100 back in 2015

Global specialists in the field of cybersecurity and digital privacy state that cyber threats are globally on the rise which has increased rapidly over the past few years.

The need for robust data protection measures has never been more critical, as cyber incidents reported in the corporate and public sectors in Sri Lanka lead to data breaches that not only compromise individual privacy but also erode public trust in such institutions.

When Sri Lanka took a significant step forward by enacting the Personal Data Protection Act (PDPA), it also aimed to address the pressing concerns surrounding personal data security to navigate the complexities of the information age. The PDPA is set to empower individuals to have greater control over their personal data while holding organisations accountable for their data-handling practices.

The recent media release issued by the Ministry of Digital Economy indicated the Cabinet of Ministers has granted approval to amend several provisions of the PDPA while proposing an extension of six months to the date of operation (i.e., 18 March 2025). After this media release, the Minister of Digital Economy published in the gazette a bill to amend the PDPA on 27 March which has notable changes such as,

To extend the duration of responding to data subject rights from 21 days to one month by a controller unless it is extended for a further period of two months informing the data subject
The Controller is no longer required to submit all Data Protection Impact Assessments (DPIA) to the Data Protection Authority (DPA) unless the DPA requests such a submission of the DPIA
The Controller has to decide whether to consult the DPA about conducting DPIAs unless it is for national security, public order and public health
Not to make adequacy decisions for third countries
A Data Protection Officer can be a third party appointed to fulfil its responsibilities.
Public authority definition to exclude statutory bodies or any institution established by any written law

Amidst these changes, organisations are encouraged to take advantage of the proposed extended timeframe to ensure their data handling practices are aligned with the PDPA requirements while staying focused on any further developments.

In the wake of the upcoming implementation of the PDPA, Ernst & Young (EY) will be hosting an in-depth workshop entitled “Is your organisation ready to comply with the Personal Data Protection Act?” at the Courtyard by Marriott in Colombo on 28 April from 9 a.m. to 4 p.m.

EY would like to warmly welcome all interested stakeholders to this detailed workshop which will cover essential topics of privacy and data protection and provide practical insights for implementing the compliance framework. To register for the event, contact Chamika Kalpani on [email protected] or Tel. +94115578814.

Discover Kapruka, the leading online shopping platform in Sri Lanka, where you can conveniently send Gifts and Flowers to your loved ones for any event including Valentine ’s Day. Explore a wide range of popular Shopping Categories on Kapruka, including Toys, Groceries, Electronics, Birthday Cakes, Fruits, Chocolates, Flower Bouquets, Clothing, Watches, Lingerie, Gift Sets and Jewellery. Also if you’re interested in selling with Kapruka, Partner Central by Kapruka is the best solution to start with. Moreover, through Kapruka Global Shop, you can also enjoy the convenience of purchasing products from renowned platforms like Amazon and eBay and have them delivered to Sri Lanka.