📈 Sri Lanka’s PDPA Enforcement: Transitioning to Mandatory Compliance
Sri Lanka marks a milestone as the first South Asian nation to enforce comprehensive data legislation under the Personal Data Protection Act (PDPA). With the Data Protection Authority (DPA) established and enforcement phased through 2025, compliance is now a legal mandate for all sectors.

• Legal & Financial Risks: Non-compliance carries significant penalties, including local fines of up to Rs. 10 Million, potential international legal exposure, and severe reputational damage.
• Sector Impact: The act fundamentally changes data handling in finance, healthcare, retail, and ICT/BPM. It moves beyond IT/Legal departments, requiring accountability from any staff handling personal data, including HR and sales.
• Operational Standards:
  • Transitioning from legacy systems to structured data governance.
  • Emphasis on "Privacy by Design" and alignment with global benchmarks like ISO 27701.
  • Integration of policies across the entire data lifecycle to ensure operational resilience.
• Industry Support: KBSL Information Technologies is leading enterprise transitions, recently achieving ISO 27701 certification to guide firms through audit gaps and system integration.
• Key Event: A national PDPA strategy session is scheduled for 12 February 2026 at Cinnamon Grand, featuring experts like Dr. Aparrajitha Ariyadasa to assist businesses in turning compliance into a competitive advantage.