PDPA Requirements

Detailed mapping of DLP controls to PDPA sections

PDPA Section-by-Section Requirements

Comprehensive guide to how DLP addresses each section of the Personal Data Protection Act No. 9 of 2022.

Section 4: Data Protection Officer

Requirement: Organizations must appoint a Data Protection Officer (DPO) responsible for compliance.

DLP Implementation:

  • DPO receives all DLP alerts and incident reports
  • DPO approves DLP policies and rule changes
  • DPO reviews quarterly compliance reports from the DLP system
  • DPO coordinates with IT Security on data protection measures

Section 5: Purpose Limitation

Requirement: Personal data must be collected for specified, explicit, and legitimate purposes only.

DLP Implementation:

  • Tag data with purpose metadata during collection
  • Create DLP rules that restrict data access by purpose
  • Alert when data is accessed outside its designated purpose
  • Block transfers to departments without a legitimate purpose

Section 7: Security Safeguards

Requirement: Implement appropriate technical and organizational measures to secure personal data.

DLP Implementation:

  • Encryption: Enforce encryption for sensitive data at rest and in transit
  • Access Control: Restrict data access to authorized personnel only
  • Monitoring: Continuous surveillance of data access and transfers
  • Incident Detection: Real-time alerts for policy violations and breaches

Section 9: Cross-Border Transfer

Requirement: Personal data transfers outside Sri Lanka require an adequate level of protection.

DLP Implementation:

  • Detect and log all cross-border data transfers
  • Require an approval workflow for international transfers
  • Enforce encryption for data sent to foreign jurisdictions
  • Maintain an audit trail of all external transmissions
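The Section 5 and Section 9 controls above can be combined into one transfer check. The following is an added illustration, not code from this page or from any DLP product; the department-to-purpose registry, the record layout and the ALLOW/ALERT/BLOCK decisions are assumptions made for the example.

```python
"""Illustrative DLP transfer check for PDPA Section 5 (purpose limitation)
and Section 9 (cross-border transfer). Assumed design, not a product API."""
from dataclasses import dataclass

# Constructed registry: purposes each department is registered for (Section 5).
DEPARTMENT_PURPOSES = {
    "hr": {"payroll", "employment"},
    "marketing": {"marketing"},
    "finance": {"payroll", "billing"},
}
HOME_COUNTRY = "LK"  # Sri Lanka; any other destination is cross-border (Section 9)


@dataclass
class Record:
    record_id: str
    purposes: set          # purpose metadata attached at collection time
    personal: bool = True  # non-personal data is outside the Act


@dataclass
class Transfer:
    record: Record
    to_department: str
    to_country: str
    stated_purpose: str
    encrypted: bool
    approved: bool = False  # outcome of the international approval workflow


def evaluate(t: Transfer) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is ALLOW, ALERT or BLOCK."""
    reasons, alert = [], False
    if not t.record.personal:
        return "ALLOW", ["non-personal data"]
    allowed = DEPARTMENT_PURPOSES.get(t.to_department, set())
    # Section 5: block when the receiving department has no legitimate purpose
    if not (allowed & t.record.purposes):
        return "BLOCK", [f"{t.to_department} has no registered purpose for {t.record.record_id}"]
    # Section 5: alert when the stated purpose differs from the collection purposes
    if t.stated_purpose not in t.record.purposes:
        alert = True
        reasons.append(f"stated purpose '{t.stated_purpose}' outside collection purposes")
    # Section 9: cross-border transfers need approval and encryption, and are logged
    if t.to_country != HOME_COUNTRY:
        if not t.approved:
            return "BLOCK", reasons + ["cross-border transfer lacks approval"]
        if not t.encrypted:
            return "BLOCK", reasons + ["cross-border transfer must be encrypted"]
        reasons.append(f"cross-border transfer to {t.to_country} logged for audit")
    return ("ALERT" if alert else "ALLOW"), reasons
```

The reasons list is what the audit trail and the DPO alert would carry; a real deployment would persist it rather than return it.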

Section 11: Data Breach Notification

Requirement: Notify the PDPC within 72 hours of becoming aware of a data breach.

DLP Implementation:

  • Automatic incident detection and classification
  • Immediate alerts to the security team and DPO
  • Forensic logs for breach investigation
  • Automated breach notification templates
  • Timeline tracking for 72-hour compliance
