PDPA Compliance Guide

Aligning DLP with Sri Lanka's Personal Data Protection Act No. 9 of 2022

Overview

The Personal Data Protection Act No. 9 of 2022 (PDPA) establishes Sri Lanka's framework for protecting personal data. Data Loss Prevention (DLP) is a critical technical control for meeting PDPA requirements, particularly for preventing unauthorized access, use, and disclosure of personal data.

Key PDPA Facts

  • Enacted: March 2022
  • Applies to: All organizations processing personal data in or from Sri Lanka
  • Penalties: Fines up to 5% of annual turnover or LKR 5 million, whichever is higher
  • Authority: Personal Data Protection Commission (PDPC)

PDPA Principles Supported by DLP

1. Purpose Limitation (Section 5)

Personal data must be collected for specified, explicit, and legitimate purposes.

DLP Role: Detect and prevent use of personal data beyond stated purposes. Alert when data is accessed by unauthorized departments.

2. Data Minimization (Section 6)

Collect only data that is adequate, relevant, and necessary.

DLP Role: Identify excessive data collection. Flag unnecessarily stored personal data for review and deletion.

3. Security Safeguards (Section 7)

Implement appropriate technical and organizational measures to protect personal data.

DLP Role: Core technical control. Prevent unauthorized access, use, disclosure, alteration, or destruction of personal data.

4. Transfer Restrictions (Section 9)

Personal data transfers outside Sri Lanka require adequate safeguards.

DLP Role: Block or require approval for cross-border data transfers. Enforce encryption for international transmissions.

5. Data Breach Notification (Section 11)

Notify PDPC within 72 hours of becoming aware of a data breach.

DLP Role: Early detection of data breaches. Provide forensic logs for breach investigation and notification.

PDPA Compliance Resources

Penalties for Non-Compliance

PDPA violations carry serious consequences. Understanding penalties helps justify DLP investment and prioritize compliance efforts.

Financial Penalties

  • Up to LKR 5 million or 5% of annual turnover (whichever is higher)
  • Additional fines for repeat violations
  • Daily penalties for ongoing non-compliance

Other Consequences

  • Suspension of data processing activities
  • Criminal liability for responsible individuals
  • Reputational damage and loss of customer trust
  • Civil lawsuits from affected data subjects

PDPA Timeline & Key Dates

March 2022

PDPA Enacted

Personal Data Protection Act No. 9 of 2022 passed by Parliament

Ongoing

Gradual Implementation

PDPC issues regulations, guidelines, and codes of practice. Organizations expected to implement compliance measures.

Immediate

Compliance Required

All organizations should begin PDPA compliance efforts now. Don't wait for full enforcement—penalties apply once regulations are in effect.
