Data privacy has transformed the global business landscape in the past five years, largely due to the implementation of the General Data Protection Regulation (GDPR) by the European Union (EU). The heightened demand for data privacy and its importance have led to the enactment of Personal Data Protection Act No.09 of 2022 (PDPA) in Sri Lanka. 

The PDPA aims to facilitate the growth of the digital economy and strengthen cross-border cooperation among data protection authorities. In recent years, the discussion around data privacy has gained momentum in Sri Lanka. It is important to understand why privacy is critical for the business world. 
This article examines the global demand for implementing a data protection programme for Sri Lankan companies rather than analysing the pros and cons of data privacy.
Global framework for data protection
The World Development Report 2021 by the World Bank identifies cross-border data flows as a cornerstone of international trade in the 21st century. It also notes the exponential growth of global trade in data-driven services over the past decade. The financial services industry, for instance, relies heavily on the secure exchange of customer information and transaction verification processes. Ensuring secure transmission and safe storage of customer data is crucial for building confidence in a digital ecosystem.
Since the GDPR’s implementation, having systems and processes for data protection has become essential for commencing business transactions. EU trading partners are increasingly adopting data protection mechanisms compliant with the GDPR. The EU uses adequacy decisions to evaluate if countries with which they trade maintain sufficient data protection standards. 
Article 45 of the GDPR outlines the EU’s mechanism for safe data flow with foreign countries. The European Commission (EC) assesses and makes decisions on the adequacy of data protection levels in foreign states or international organisations, considering factors such as the rule of law, fundamental freedoms and supervisory authorities. Currently, the EU has recognised 11 foreign states within the ambit of adequacy decisions.
In the absence of an adequacy decision, the GDPR requires either binding corporate rules or adequate safeguards between data controllers and processors. Data controllers collect data, while data processors handle data processing for specific purposes. Even a cloud host can serve as a data processor. Corporate binding rules encompass all general data protection safeguards and rights and are approved by the competent authority in the EU. Appropriate safeguards can also be established through contractual clauses to facilitate data flows with foreign countries or international organisations.
The GDPR has reshaped the landscape of business engagement with the rest of the world, making it essential for the EU trading partners to adopt adequate measures for safe data flows across boundaries.
Economic value of data protection for SL
Sri Lanka’s market share in the EU region is significant, as the EU is the second largest market for Sri Lankan exports, after China. According to the EU statistics, the EU absorbed 22.4 percent of Sri Lanka’s export market in 2020. The Central Bank Annual Report of 2022 highlights a significant reduction in the merchandise trade deficit, with merchandise exports increasing by 4.9 percent compared to 2021. Higher global demand and currency depreciation contributed to this increase in industrial exports. Export earnings improved to 17 percent of GDP in 2022, compared to 14.1 percent in 2021. Increasing export earnings is vital for reducing the trade deficit and improving the balance of payments. It is crucial for Sri Lankan companies to comply with data privacy standards to avoid barriers to trade and maintain access to global markets amid challenging conditions.
Personal data is exchanged between trading partners during transactions involving goods and services and sometimes data is hosted on cloud servers outside the host country. Ensuring secure storage and processing of data is critical in shaping trade engagements with the EU region.
The Colombo Stock Exchange (CSE) has implemented extensive measures to comply with the GDPR since 2018, announcing the GDPR compliance. The CSE and the Central Depository System (Private) Limited (CDS) collect personal data of clients when opening CDS accounts. Clients likely expect the same level of data protection when transacting abroad.
With the increasing global penetration of data protection, Sri Lanka enacted the Personal Data Protection law in 2022, covering principles underlying the GDPR.
Data protection regime in Sri Lanka
Since the enactment of the PDPA, public discussions have increased, with many companies and sectors showing interest in preparing and adopting data protection plans. Although the law was enacted in March 2022, its implementation is scheduled for 18 to 36 months after enactment. The Data Protection Authority has been appointed and is working towards full operationalisation.
Obligations of data controllers and rights relating to personal data
The PDPA identifies individual rights to protect personal data and obligations for data controllers. Data controllers must collect data for lawful and legitimate purposes, ensuring the data collected is proportionate to the purpose. They must also preserve the integrity and confidentiality of the data. Individuals have rights to access their personal data, withdraw consent for data processing and request data erasure. The right to forget or the right to erasure comes with practical challenges. Companies in the financial sector may not be able to delete client information even after the business relationship has ended. It is because a financial regulator might call for historical data from these companies for a special inquiry or a similar purpose.
Data protection management programme
Companies are given leeway to design their own data protection management programmes, adopting a self-governance initiative. The PDPA provides a framework for such programmes in section 12. Each data controller and processor must devise his or her plan based on his or her structure, volume and sensitivity of processing activities. Identifying and cataloguing processed data is necessary before implementing an initiative. A risk-based, stepped-up approach is recommended.
Governance
The designed programme should be integrated into the company’s governance structure. One of the law’s main aims is to encourage a culture of privacy and make data protection a board-level discussion. While the Data Protection Authority can act against breaches, the law promotes self-governance, allowing companies to design and comply with their programmes. This is how the data protection law distinguishes from other laws based on a punitive approach. 
Accountability
Companies must ensure proper accountability through internal oversight mechanisms. Regular monitoring and audits of data protection compliance are required, along with a complaint handling procedure to address possible data breaches. This will ensure that data breaches are addressed at a company level rather than escalating it to the Data Protection Authority. 
Data protection impact assessment
Before implementing a data protection management programme, a data protection impact assessment should be conducted. This involves evaluating data and assessing risks associated with data processing to identify risk mitigation measures. Existing information systems should be assessed for vulnerabilities and strengthened accordingly. System upgrades should consider data protection measures.
A pragmatic approach to implementation
Industries regulated by sectoral regulators likely already have measures in place to secure data. Conducting an IT system audit and a risk-based data protection impact assessment are practical starting points for designing a data protection programme. Companies should look for cost-effective mechanisms to upgrade existing systems and design processes, ensuring compliance with legal standards for a seamless transition to a data privacy regime. The PDPA’s flexibility allows companies to design their own programmes, which can enhance global trade competitiveness. The cost of compliance may soon be outweighed by the potential loss of business, making it imperative for businesses to embrace a culture of privacy.
The Data Protection Authority should continue its dialogue with various industries and sectors to build consensus and facilitate pragmatic implementation of data protection measures.
(Suhadini Wickremasinghe, Attorney-at-Law and Head of Compliance at NDB Capital Holdings Limited, can be reached at [email protected])