Data Security and Privacy in Sri Lanka’s Industrial Sector
Data security and privacy have emerged as critical concerns for Sri Lanka’s rapidly digitizing industrial sector. The nation has taken significant legislative steps to establish a robust legal framework, while businesses face mounting challenges in securing operational technology and personal data against evolving cyber threats. The current landscape is a complex interplay between foundational regulation, imminent implementation, and the need for practical industrial application.
Regulatory Foundation: The Personal Data Protection Act (PDPA)
Sri Lanka made history as the first South Asian country to enact independent legislation for personal data protection with the Personal Data Protection Act No. 9 of 2022 (PDPA) . This landmark law is heavily inspired by the European Union’s General Data Protection Regulation (GDPR), incorporating similar principles and standards .
Key Features of the PDPA
- Establishment of the Data Protection Authority: The DPA was established in August 2023 to regulate personal data processing and protect individuals’ privacy
- Territorial and Extraterritorial Scope: Applies to data processing within Sri Lanka AND regulates entities outside Sri Lanka that offer goods/services to or monitor individuals within the country
- Data Subject Rights: Includes rights to information, access, rectification, erasure, restriction of processing, objection, withdrawal of consent, and protection from automated decision-making
- Data Protection Officers: Requires designation of DPOs in certain circumstances, including processing by government departments or public corporations
- Data Protection Impact Assessments: Required for high-risk processing activities such as systematic evaluation of personal data or monitoring of public areas
- Cross-Border Data Transfer: Requires compliance with specific instruments to ensure binding commitments from recipients in third countries
- Breach Notification: Controllers must notify the Data Protection Authority of personal data breaches
Legislative Status: Implementation Underway
The PDPA’s implementation has followed a phased approach:
- 2023: Provisions establishing the Data Protection Authority and interpretation sections came into force
- March 2025: Amendment Act (No. 22 of 2025) was enacted, removing previous grace periods
- 2026 Outlook: Substantive provisions covering core data protection principles, controller obligations, data subject rights, and penalties are expected to be fully operational, with the DPA finalizing rules and regulations through stakeholder engagement
The Financial Consumer Protection Regulations (FCPR) for the banking sector are already fully operational, providing protection beyond personally identifiable information to all information pertaining to financial consumers .
Industrial Implications: Challenges and Requirements
For Sri Lanka’s manufacturing, logistics, and other industrial sectors, the PDPA introduces specific compliance demands :
| Compliance Area | Industrial Application |
|---|---|
| OT/ICS/SCADA Security | Securing operational technology and industrial control systems from cyber threats |
| Supply Chain Security | Managing security risks across global vendor networks |
| IT-OT Integration | Unifying IT and OT compliance requirements into a single programme |
| Quality Standards | Meeting industry-specific standards like ISO 9001 and IATF 16949 |
| Intellectual Property | Protecting trade secrets in collaborative design environments |
Potential Penalties: Non-compliance can result in fines up to LKR 10 million per violation, with additional penalties for repeat violations. Paying fines does not prevent regulatory bodies from taking further action, such as suspending business operations or cancelling licences .
IoT Security and Data Protection
The proliferation of connected devices has heightened security concerns across industries :
- Identity and Access Management (IAM): Critical for securing authentication and authorization of connected devices and users, safeguarding sensitive data and infrastructure from unauthorized access
- Data Breaches and Unauthorized Access: Key vulnerabilities in IoT ecosystems require robust measures including encryption, authentication, and threat detection to build trust
- Government Policy: Advocates standardized authentication protocols and secure access controls to safeguard IoT ecosystems
Vulnerable Sectors and Ongoing Concerns
Despite legislative progress, implementation readiness remains a concern :
Small and Medium Enterprises (SMEs):
- Limited access to capital hinders obtaining necessary cybersecurity knowledge and support
- Vulnerable to phishing, ransomware, trojans, malware, and impersonation scams
- Hackers often cast nets across numerous small businesses rather than targeting a single large company
Public and Private Sector Readiness:
- Questions remain about whether the public sector is equipped to safeguard citizen data
- Whether private companies—particularly SMEs—are aware of their obligations
- Whether the general public is informed of their data rights
Children and Senior Citizens:
- Children vulnerable to romance fraud, impersonators, and deepfakes
- Seniors more susceptible to hackers impersonating established institutions like banks and government agencies
Sector-Specific Guidance and Practical Steps
Data Protection Ecosystem:
- Data Subjects (Users): Individuals whose data is collected; have rights to information, access, correction, and deletion
- Data Custodians: Responsible for technical and administrative safeguarding, secure storage, and breach protection
- Data Controllers: Determine the purpose and method of processing; must obtain proper consent and ensure transparency
- Data Processors: Process data on behalf of controllers under their instructions
Compliance and Accountability:
- Implementing a Data Protection Management Program
- Appointing a qualified Data Protection Officer
- Maintaining detailed records of data processing activities
- Conducting regular data audits
- Conducting Data Protection Impact Assessments for high-risk processing
- Embedding privacy principles into employee training and internal controls
- Establishing an effective incident response and breach notification plan
Cyber Hygiene Practices:
- Remaining vigilant and verifying payments, receipts, vendors, and bank account details
- Never writing down passwords, especially on phones or wallets
- Being conscious about what is shared online
Future Outlook
The full operationalization of the PDPA in 2026 will mark a transformative moment for Sri Lanka’s industrial sector. The Data Protection Authority is actively finalizing rules and regulations through stakeholder engagement . Ongoing consultations focus on sectors such as finance, health, and telecom . As the Asia Foundation’s Rukshanie Vidyaratne noted, embracing cybersecurity is “part and parcel of moving towards a digital economy” —Sri Lanka must embrace digital opportunities while preparing to defend against the associated risks .
