PDPA Enforcement Nears: LFC Sector Urged to Fast-Track Compliance 📈

• Overall Context: The Personal Data Protection Act (PDPA) No. 09 of 2022 is moving closer to full operation as the Data Protection Authority of Sri Lanka expands its team and prepares to gazette incoming regulations. Financial institutions are urged to take proactive steps now to avoid penalties.
• Regulatory & Governance Scope:
  • Sri Lanka's enforcement model focuses on a mandatory inquiry process, allowing firms to correct non-compliant behavior before penalties under Section 38 apply.
  • Section 39 lists internal compliance systems as explicit mitigating factors for penalty calculations.
  • Section 38(6) extends corporate liability directly to company directors and officers for willful blindness or institutional negligence.
  • Sri Lanka aims to join the Global Privacy Assembly within the next year to align with international cross-border cooperation standards.
• Sector & Operational Breakdowns:
  • Finance & Banking: Financial institutions can process data without explicit consent under legal obligations (e.g., Customer Due Diligence or filing Suspicious Transaction Reports under the Financial Transactions Reporting Act) or legitimate interests.
  • Consent is strictly mandatory for marketing communications and must be requested separately from general terms.
  • Highlighting the scale of compliance, a data mapping exercise by Hatton National Bank (HNB) mapped data flows across ~100 distinct departments and roughly 1,500 separate business processes.
  • Public Sector: Unlike India's digital-only law, Sri Lanka's PDPA covers both digital and physical structured data, significantly increasing compliance complexity for state departments (e.g., Motor Traffic, Immigration, and Land Registries) which currently lag behind the private sector.
• Key Technical Risks: Emerging challenges include managing consent during cloud migrations and governance risks from AI platforms, where personal data might be fed into large language models for unintended purposes.
