ADAPTING TO THE NEW LAW

Sri Lanka’s lawmakers approved the Personal Data Protection Act in parliament in March 2022 – the act aims to safeguard the rights of individuals and ensure consumer trust in processing personal data.

The act provides measures to protect the personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities, whereby they will be required to collect personal data only for specified purposes – and not for any other purpose.

In a nutshell, Sri Lanka’s Personal Data Protection Act seeks to define the roles and responsibilities of those involved at each stage of the usage, storage and processing of data. It also imposes penalties for failure to comply, which depend on the nature and extent of non-compliance.

As such, and especially with the recent establishment of the Data Protection Authority, both large and small organisations that fall within the scope of the law are bound to conduct their data processing and related activities as specified in the act.

This in turn involves putting in place a robust data security strategy that centres on people, processes and technologies, which are embedded into the culture of a business and its processes.

Businesses will also need to ensure that employees are trained to understand the importance of securing sensitive and personal information, and to implement appropriate technology to guard against both malicious and accidental loss of data.

In this context, Deloitte says it intends to play a key role in assisting the boards of organisations to adapt to the requirements of the act and help ensure that companies have a data privacy compliance programme in place, along with the right processes and controls.

Assisting companies in their journey to comply with multiple data privacy laws that are consistent with conducting ‘business as usual’ calls for a full scope of preparations for regulatory changes in data protection, from scoping and gap assessments through to implementation.

Accordingly, the following services will come into play: privacy assessment; personal data governance; contract evaluation; privacy awareness and individual rights management; privacy enhancing security; privacy framework reviews; privacy strategy advisory; privacy programme development, structures, roles and operating models; data flow mapping; inventory cataloguing and classification; data privacy impact assessments; global data transfer strategies; and data retention policies.

Outlining the importance of local businesses transitioning to the new privacy regime, the Head of Cyber and Technology Risk for Risk Advisory of Deloitte Sri Lanka and Maldives Vengadasalam Balagobi notes: “To build customer trust, businesses today must ensure persistent protection of data they collect. Therefore, today’s organisations need new mechanisms to build consumer trust and confidence as they address emerging challenges in business, risk management and compliance.”

He adds that Deloitte supports local companies in establishing digital trust, which is both an important and essential criterion today for a company’s success and integrity.

“As such, we can help companies put data protection requirements in the context of the business and help develop the requisite steps to transforming privacy programmes, with tools and accelerators to assist the process,” he states.

Vengadasalam Balagobi
Head of Cyber and Technology Risk for Risk Advisory, Deloitte Sri Lanka and Maldives