The Personal Data Protection Act (PDPA) regulates the processing of personal data and protects the rights of data subjects. This guideline aims to help you understand what your responsibilities will be once the substantive provisions of the PDPA come into force, which is expected to happen at some point between 19th September 2023 and 19th March 2025.
Step 1: Identify Applicability: The PDPA applies to the processing of personal data that takes place wholly or partly within Sri Lanka. It also applies to processing by a controller or processor who is domiciled, incorporated or established in Sri Lanka, who offers goods or services to data subjects in Sri Lanka, or who monitors the behaviour of data subjects in Sri Lanka, regardless of where the processing itself takes place.
Step 2: Understand the Definition of Personal Data: In terms of Section 56 of the PDPA, “personal data” means any information that can identify a data subject directly or indirectly, by reference to an identifier such as a name, an identification number, financial data, location data or an online identifier.
Step 3: Know the Definition of Special Categories of Personal Data: The PDPA defines “Special Categories of Personal Data” to include personal data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person’s sex life or sexual orientation; personal data relating to offences, criminal proceedings and convictions; and personal data relating to a child. Processing of these categories is subject to stricter conditions than ordinary personal data.
Step 4: Determine Your Role as a Controller: Under the PDPA, a controller is the person or body that determines the purposes and means of processing personal data. If you fall within the definition of a controller, you need to ensure compliance with the PDPA; if you process personal data only on behalf of a controller, you are a processor and carry the obligations the PDPA places on processors.
Step 5: Ensure Lawful Processing: Processing of personal data as a controller is lawful only if it satisfies one of the conditions for lawful processing specified in Schedule I of the PDPA. The relevant conditions include the data subject having given consent, the processing being necessary for the performance of a contract, or the processing being necessary for compliance with a legal obligation. Identify and document which condition you rely on for each processing activity before the processing begins.
Step 6: Obtain Consent: If processing involves special categories of personal data, obtain the data subject’s consent. The conditions for obtaining consent are specified in Schedule II of the PDPA. Consent must be freely given, specific, informed and unambiguous. When assessing whether consent is freely given, take into account whether the performance of a contract has been made conditional on consent to the processing of personal data that is not necessary for the performance of that contract; consent obtained in that way is unlikely to be regarded as freely given.
Step 7: Inform Data Subjects: Inform data subjects that their personal data is being processed, the purposes of the processing, the recipients of the data, and the rights they have as data subjects. This information should be provided in clear and plain language at the time the data is collected.
Step 8: Protect Personal Data: Ensure that appropriate technical and organizational measures (for example, access control, encryption of data in transit and at rest, and audit logging) are in place to protect personal data from unauthorized access, disclosure, destruction or alteration. The measures should be proportionate to the sensitivity of the data and the risks the processing presents to data subjects.
Step 9: Respond to Data Subjects’ Requests: Respond to data subjects’ requests to access, rectify, erase, or restrict processing of their personal data, or to object to processing.
Step 10: Appoint a Data Protection Officer: If you are a public authority or your processing activities require regular and systematic monitoring of data subjects, appoint a data protection officer.