Sri Lanka Data Protection Act: How Companies Must Comply
A Group of Experts Shares Highlights of Data Protection Act in Sri Lanka
Earlier this year, Sri Lanka became the first South Asian country to pass privacy legislation, which will go into effect in 2023. Information Security Media Group talked to several privacy experts about the highlights of Sri Lanka's Data Protection Act and what companies are doing to comply with the new regulations.
The new law will have far-reaching impact on business, according to Jayantha Fernando, general counsel for the Information and Communication Technology Agency of Sri Lanka; Sanduni Wickramasinghe, a consultant in information privacy and technology law; and Sujit Christy, director of the Layers-7 security firm.
One of the unique features of the act is the exclusion of penalties. Wickramasinghe says the emphasis is on "effective implementation as opposed to a means of penalizing controllers for some activity. It is important to achieve compliance through open dialogue as opposed to going about including penalties. But as the law matures, these provisions may be revisited."
According to Fernando, the main concern while designing the act was to protect the rights of the subjects. "One of the main concerns was the omnipresent link between the subject and cybersecurity," he says. "One of the key pillars is to focus on building a governance framework for cybersecurity" while protecting "the rights of data subjects."
Some companies are already complying with the EU's General Data Protection Regulation and will find it easier to comply with Sri Lanka's Data Protection Act, Christy says, but they will still face challenges. "They all need to come up with a governance mechanism," he says. Another challenge is that organizations will need the skills "to understand the intricacies of the law and have a framework to address that."
In this video interview with ISMG, the panelists discuss:
- The salient features of Sri Lanka's Data Protection Act;
- The powers of the Data Protection Authority;
- How organizations must comply with the new law.
Wickramasinghe is an independent legal consultant specializing in law and digital technologies. She is a fellow of information privacy with the International Association of Privacy Professionals, a certified information privacy manager and a certified information privacy professional in Europe.
Fernando handles legal issues for the Information and Communication Technology Agency of Sri Lanka and is director of the Sri Lanka CERT. He has nearly 25 years of international experience in a range of cybersecurity law and internet governance topics.
Christy is a governance, risk and compliance professional who serves as CISO and security adviser for several customers of Layers-7 Seguro Consultoria Private Ltd. He is a cybersecurity adoption evangelist providing vital guidance to improve cyber defenses while raising cybersecurity awareness to improve risk reduction and compliance. He also serves as president of the (ISC)2 Colombo, Sri Lanka Chapter.