Proposed data management policy favours controllers, undermines subject rights: ISACA




By Nishel Fernando


The proposed Personal Data Management Policy (PDMP) unequivocally favours data controllers while undermining the rights of data subjects, according to the local chapter of the Information Systems Audit and Control Association (ISACA).

The Data Protection Authority of Sri Lanka recently published the draft outline of the Data Protection Management Programme, intended to be issued as guidelines by the Authority under section 12(2) of the Personal Data Protection Act No. 9 of 2022.

“Our key observations indicate that the rights of Data Subjects are not sufficiently protected, while almost all directions appear to favour the Controllers. Specifically, the rights of data subjects conflict with the Controllers’ ability to charge fees for related activities, which are determined solely by the Controllers themselves,” ISACA Sri Lanka President Lakmal Embuldeniya opined while sharing the organisation’s feedback on the draft policy with the Authority.

Identifying and strengthening the rights of data subjects in order to protect personal data is an objective of the Personal Data Protection Act, No. 9 of 2022.

For example, while the proposed policy defines the controller’s responsibility for data processing, it was noted that it lacks specific guidelines on shared ownership in joint-controller or third-party scenarios. Similarly, it was pointed out that the proposed policy does not detail internal access controls for personnel accessing sensitive data.

ISACA Sri Lanka has proposed 18 amendments to the draft policy.

In addition, ISACA Sri Lanka mooted the necessity for guidelines or regulations stipulating that any Controller handling data related to external customers must publish a “Data Governance Policy”.

“This policy should clearly outline the details of the respective controls applicable to different categories of data,” it pointed out.

Furthermore, ISACA Sri Lanka also proposed transparency on the fees that may be charged to data subjects when they seek to exercise their rights as provided for by the Act.

It was also proposed to include the aspect of “Cross-Border Data Transfer” in the policy, given that it is one of the key objectives addressed by the Act.

“Addressing these issues will enhance the overall effectiveness of the DPMP Guidelines and better protect the rights of individuals whose data is being processed,” Embuldeniya stated. 
