- The Personal Data Privacy Act will apply to any entity processing personal data wholly or partly in Sri Lanka, and/or processing or monitoring personal data of data subjects in Sri Lanka.
- Appointment of Data Protection Officers will be mandatory for companies processing high volumes of personal data and good practice for others.
- Entities will need to consider privacy-by-design concepts during development of products, systems and processes
Manil Jayasinghe – Country Manager, Ernst & Young, and Hiranthi Fonseka – Partner- Financial Accounting and Advisory Services of Ernst & Young together with Manjula Sirimane – Partner D.L.F De Saram, and Kareena Teh – Partner | Solicitor Advocate LC lawyers LLP (Hong Kong Law Firm member of the Global EY network) will host the webinar “Are you ready for the Personal Data Protection Act?” to deliberate how companies can make the fundamental changes proposed by the Act. The session will discuss the salient features of the Bill, the regulatory expectations, and what it means for businesses on a local and international scale.
Speaking on the PDP Act, Manil Jayesinghe comments that Personal Data Privacy should not be looked at in isolation, or as the sole responsibility of Information Officers. He reiterates that this is an organization wide project, involving operations, IT, legal and business processes. As the volume of personal data collected increases, so does the responsibility of protecting it. This responsibility becomes a legal obligation once the PDP Act is passed.
Hiranthi Fonseka adds that the Bill is a much welcome regulation to Sri Lanka’s digital economy, allowing the country to be placed alongside countries following GDPR (General Data Protection Regulation) for example. Drawing in from her experience in digital transformation, Hiranthi emphasizes the need for early adoption of compliance measures, that will require a multi-disciplinary transformational approach. She notes that while the Act may seem prohibitive in that it forces companies to reassess and realign the way in which it collects, processes, and uses personal data, it is in essence an opportunity for companies to strengthen their risk and governance framework, overall Data Privacy and cyber-security.
Published on 25 November 2021, the Sri Lanka Personal Data Protection Bill explicitly defines ‘Personal Data’ with identifiers such as genetics, mental, cultural, economic, social identity as well as criminal proceedings, children, and biometrics being covered. Once enacted the bill gives certain rights to data subjects and makes clear the responsibilities of the data controllers and processes, while also vesting power in a Data Protection Authority to oversee compliance issues, among other tasks. The Act goes on to stipulate the appointment and role of the Data Protection officer in companies processing high volumes of personal data, and mandates Data flow mapping and Data Protection Impact Assessments, while listing the penalties enforceable for non-compliance.
Board Audit Committee members, Risk committee members, Internal Audit Risk and Compliance professionals, Human Resource Personnel, IS/IT professional, other decision makers and interested parties are invited to join this webinar organized by the Financial Accounting Advisory Services (FAAS) division of EY on 29 March 2022 from 10.30 am to 11.30 am. For Registrations contact Thilini Perera on Thilini.perera1@lk.ey.com or Tel. +94 770623529.
