EY webinar on personal data protection examines why companies need to be prepared for the Sri Lanka Data Protection Act

From left: Ernst & Young Country Managing Partner Manil Jayesinghe, Ernst & Young Partner (FAAS) Hiranthi Fonseka, Solicitor Advocate LC Lawyers LLP (Hong Kong Law Firm member of the Global EY network) Partner Kareena Teh, D. L. & F. DE SARAM Partner Manjula Sirimane

• The Personal Data Privacy Act will apply to any entity processing personal data wholly or partly in Sri Lanka, and/or processing or monitoring personal data of data subjects in Sri Lanka
• Appointment of Data Protection Officers will be mandatory for companies processing high volumes of personal data and good practice for others
• Entities will need to consider privacy-by-design concepts during development of products, systems and processes

Ernst and Young Country Manager Manil Jayasinghe and Ernst and Young Financial Accounting and Advisory Services Partner Hiranthi Fonseka together with D.L.F De Saram Partner Manjula Sirimane and Solicitor Advocate LC lawyers LLP (Hong Kong Law Firm member of the Global EY network) Partner Kareena Teh will host the webinar “Are you ready for the Personal Data Protection Act?” to deliberate how companies can make the fundamental changes proposed by the Act. The session will discuss the salient features of the Bill, the regulatory expectations and what it means for businesses on a local and international scale.

Organised by the Financial Accounting Advisory Services (FAAS) Division of EY the webinar will be held on 29 March 2022 from 10.30 a.m. to 11.30 a.m.

Speaking on the PDP Act Manil Jayesinghe comments that Personal Data Privacy should not be looked at in isolation, or as the sole responsibility of Information Officers. He reiterates that this is an organisation wide project, involving operations, IT, legal and business processes. As the volume of personal data collected increases, so does the responsibility of protecting it. This responsibility becomes a legal obligation once the PDP Act is passed.

Hiranthi Fonseka adds that the Bill is a much welcome regulation to Sri Lanka’s digital economy, allowing the country to be placed alongside countries following GDPR (General Data Protection Regulation) for example. Drawing in from her experience in digital transformation, Hiranthi emphasises the need for early adoption of compliance measures that will require a multi-disciplinary transformational approach. She notes that while the Act may seem prohibitive in that it forces companies to reassess and realign the way in which it collects, processes and uses personal data, it is in essence an opportunity for companies to strengthen their risk and governance framework, overall data privacy and cyber-security.

Published on 25 November 2021, the Sri Lanka Personal Data Protection Bill explicitly defines ‘Personal Data’ with identifiers such as genetics, mental, cultural, economic, social identity as well as criminal proceedings, children and biometrics being covered. Once enacted the bill gives certain rights to data subjects and makes clear the responsibilities of the data controllers and processes, while also vesting power in a Data Protection Authority to oversee compliance issues, among other tasks. The Act goes on to stipulate the appointment and role of the Data Protection officer in companies processing high volumes of personal data and mandates data flow mapping and Data Protection Impact Assessments, while listing the penalties enforceable for non-compliance.

Board Audit Committee members, Risk committee members, Internal Audit Risk and Compliance professionals, Human Resource Personnel, IS/IT professional, other decision makers and interested parties are invited to join this webinar. For Registrations contact Thilini Perera on [email protected] or Tel. +94 770623529