PDPA in Sri Lanka: What Businesses Still Get Wrong
April 2nd, 2026 - Written By CyberLabsServices
You can’t secure what you don’t truly understand.
When the Personal Data Protection Act No. 9 of 2022 (PDPA) was introduced, it marked a turning point in how organizations across Sri Lanka were expected to handle personal data.
Boardrooms took notice. Legal teams rushed into action. Policies were drafted, updated, and circulated.
On the surface, it looked like progress.
But beneath that surface, a different reality exists:
Many organizations are compliant on paper but exposed in practice.
The Compliance Illusion
For many businesses, PDPA has been reduced to a documentation exercise:
- A privacy policy published on the website
- Consent clauses added to forms
- A Data Protection Officer (DPO) assigned
And then… business as usual.
This creates what we call the “compliance illusion” – the belief that having the right documents equals being compliant.
It doesn’t.
Because regulators don’t assess what you say.
They assess what you do.
-
Misunderstanding Lawful Basis – “Just Get Consent”
One of the most widespread misconceptions is over-reliance on consent.
Organizations often assume:
“If the user clicks ‘I agree,’ we are legally protected.”
However, PDPA outlines multiple lawful bases for processing personal data, not just consent.
Why this is a problem:
- Consent must be freely given, specific, informed, and unambiguous
- It must be withdrawable at any time
- Many business processes (payroll, statutory record-keeping, fraud checks) must continue even if consent is withdrawn, so consent was never the right basis for them
What this leads to:
- Overuse of consent where it is not appropriate
- Weak legal standing when consent is challenged
- Poor user experience (constant pop-ups, unclear notices)
Mature approach:
Map each data processing activity to the correct legal basis, not the most convenient one, and record that mapping where auditors and engineers can both find it.
-
Policies That Don’t Match Reality
Many Sri Lankan businesses, including SMEs and even larger enterprises, rely on template-based privacy policies.
They look polished. They sound compliant.
But internally?
- Data is shared across departments without clear documentation
- Third-party vendors (marketing tools, analytics platforms) are not fully disclosed
- Actual practices evolve but policies don’t
Example:
A company states that data is only used for “service delivery,” but marketing teams actively run data-driven campaigns.
That gap is not just a mistake. It’s non-compliance.
-
Lack of Data Visibility – “We Don’t Know Where Data Goes”
Most organizations know how they collect data.
Very few understand how that data moves.
Think about:
- CRM systems storing customer data
- Third-party vendors processing information
- Internal sharing across departments
- Cloud services and external integrations
The reality:
Data flows are often complex, undocumented, and poorly controlled.
Why this matters under PDPA:
You are accountable not just for collection, but for:
- Storage
- Processing
- Sharing
- Retention
Without data mapping, compliance is guesswork.
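A data map is only useful if it is reconciled against what the policy promises and against the lawful basis each activity claims. The following is an added example, not code from the original article or from CyberLabsServices: a small Python inventory with a gap check that flags undisclosed purposes and vendors, retention beyond the stated period, and activities that rely on consent even though they must continue when consent is withdrawn (the lawful-basis problem from the earlier section). The activity names, vendors, retention periods, basis labels and the sample policy are all constructed for illustration and describe no real organisation.

```python
"""Added example (not from the original article): reconcile a data-flow
inventory against the published privacy policy and sanity-check lawful bases.
All names, vendors, periods and basis labels below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Basis labels are this example's own; the article states only that PDPA
# recognises several bases besides consent.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


@dataclass
class Activity:
    """One processing activity as recorded in the data inventory."""
    name: str
    purpose: str
    lawful_basis: str
    systems: list[str]          # internal systems that hold or touch the data
    third_parties: list[str]    # external recipients (vendors, platforms)
    retention_days: int
    # True when the process must keep running even if the individual objects
    # (statutory record-keeping, for instance). Consent cannot support such a
    # process because consent can be withdrawn at any time.
    must_continue: bool = False


@dataclass
class PublishedPolicy:
    """What the privacy policy on the website actually promises."""
    disclosed_purposes: set[str]
    disclosed_third_parties: set[str]
    max_retention_days: int


def find_gaps(inventory: list[Activity], policy: PublishedPolicy) -> list[str]:
    """Return one finding per divergence between practice and the policy."""
    findings: list[str] = []
    for a in inventory:
        if a.lawful_basis not in LAWFUL_BASES:
            findings.append(f"{a.name}: unknown lawful basis '{a.lawful_basis}'")
        if a.lawful_basis == "consent" and a.must_continue:
            findings.append(f"{a.name}: consent is withdrawable but the activity "
                            "must continue; choose another basis")
        if a.purpose not in policy.disclosed_purposes:
            findings.append(f"{a.name}: purpose '{a.purpose}' is not disclosed")
        for tp in a.third_parties:
            if tp not in policy.disclosed_third_parties:
                findings.append(f"{a.name}: third party '{tp}' is not disclosed")
        if a.retention_days > policy.max_retention_days:
            findings.append(f"{a.name}: retained {a.retention_days} days; policy "
                            f"states at most {policy.max_retention_days}")
    return findings


def flow_map(inventory: list[Activity]) -> dict[str, set[str]]:
    """Answer 'where does data from this system go?': system -> external recipients."""
    flows: dict[str, set[str]] = {}
    for a in inventory:
        for system in a.systems:
            flows.setdefault(system, set()).update(a.third_parties)
    return flows


# Constructed sample: mirrors the article's case of a policy that promises
# "service delivery" while marketing runs data-driven campaigns.
SAMPLE_INVENTORY = [
    Activity("order_fulfilment", "service delivery", "contract",
             ["crm"], ["courier-partner"], 365),
    Activity("email_campaigns", "marketing", "consent",
             ["crm", "mailer"], ["analytics-saas"], 730),
    Activity("tax_records", "legal obligation", "consent",
             ["erp"], [], 2555, must_continue=True),
]
SAMPLE_POLICY = PublishedPolicy(
    disclosed_purposes={"service delivery"},
    disclosed_third_parties={"courier-partner"},
    max_retention_days=365,
)

if __name__ == "__main__":
    for finding in find_gaps(SAMPLE_INVENTORY, SAMPLE_POLICY):
        print(finding)
    for system, recipients in flow_map(SAMPLE_INVENTORY).items():
        print(f"{system} -> {sorted(recipients) or 'no external recipients'}")
```

Run against the sample, the check reports nothing for order fulfilment, three gaps for the marketing campaign (undisclosed purpose, undisclosed analytics vendor, retention twice the stated maximum) and three for tax records (consent chosen for a process that must continue, purpose not disclosed, retention beyond policy). The flow map shows the CRM feeding two external recipients, which is the "where does data go" question most inventories cannot answer.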
-
Internal Access: The Quiet Risk
One of the most underestimated risks is internal misuse of data.
Not all breaches are external attacks. Many are caused by:
- Employees accessing unnecessary data
- Lack of role-based access controls
- Shared credentials across teams
- No monitoring of user activity
The core issue:
Organizations confuse trust with control.
The impact:
- Insider threats go undetected
- Sensitive data is widely exposed internally
- Accountability becomes impossible
Best practice is to adopt the principle of least privilege – give access only when necessary, and only for as long as needed.
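What least privilege looks like in code is a default-deny decision, role scopes that reach only the resources a job needs, grants that expire on their own, and an audit trail that names an individual rather than a shared credential. The block below is an added example, not code from the original article or from CyberLabsServices; the role names, resources, accounts and the fixed clock are constructed for illustration.

```python
"""Added example (not from the original article): a small access-decision layer
enforcing least privilege with role scopes, time-bound grants and a per-person
audit trail. Roles, resources and accounts are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each role reaches only the (resource, action) pairs its job needs.
ROLE_SCOPES: dict[str, set[tuple[str, str]]] = {
    "support_agent": {("customer_profile", "read")},
    "billing": {("invoice", "read"), ("invoice", "write")},
    "hr": {("employee_record", "read"), ("employee_record", "write")},
}

# Accounts several people share; grants to them are refused because the audit
# log could never say who actually acted.
SHARED_ACCOUNTS = {"admin", "marketing-team", "ops"}


@dataclass
class Grant:
    account: str
    role: str
    expires_at: datetime
    reason: str


@dataclass
class AccessControl:
    grants: list[Grant] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def grant(self, account: str, role: str, duration: timedelta,
              reason: str, now: datetime) -> Grant:
        """Issue a time-bound grant of one role to a named individual."""
        if account in SHARED_ACCOUNTS:
            raise ValueError(f"refusing grant to shared account '{account}'")
        if role not in ROLE_SCOPES:
            raise ValueError(f"unknown role '{role}'")
        g = Grant(account, role, now + duration, reason)
        self.grants.append(g)
        return g

    def active_roles(self, account: str, now: datetime) -> set[str]:
        """Roles whose grant is still live; an expired grant confers nothing."""
        return {g.role for g in self.grants
                if g.account == account and g.expires_at > now}

    def check(self, account: str, resource: str, action: str,
              now: datetime) -> bool:
        """Decide and record. Deny unless some active role covers the request."""
        roles = self.active_roles(account, now)
        allowed = any((resource, action) in ROLE_SCOPES[r] for r in roles)
        self.audit_log.append({
            "at": now.isoformat(), "account": account, "resource": resource,
            "action": action, "roles": sorted(roles), "allowed": allowed,
        })
        return allowed

    def denied_events(self) -> list[dict]:
        """Denied attempts are the entries a monitoring rule should alert on."""
        return [e for e in self.audit_log if not e["allowed"]]


def demo() -> dict:
    """Walk through grant, normal use, overreach and expiry on a fixed clock."""
    t0 = datetime(2026, 4, 2, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl()
    ac.grant("nimal.p", "support_agent", timedelta(hours=8), "shift work", t0)
    ac.grant("nimal.p", "hr", timedelta(hours=2), "covering onboarding", t0)
    decisions = [
        ac.check("nimal.p", "customer_profile", "read", t0 + timedelta(minutes=5)),   # in scope
        ac.check("nimal.p", "invoice", "write", t0 + timedelta(minutes=5)),            # no role covers it
        ac.check("nimal.p", "employee_record", "read", t0 + timedelta(hours=1)),       # hr grant live
        ac.check("nimal.p", "employee_record", "read", t0 + timedelta(hours=3)),       # hr grant expired
    ]
    try:
        ac.grant("marketing-team", "billing", timedelta(hours=1), "campaign export", t0)
        shared_refused = False
    except ValueError:
        shared_refused = True
    return {"decisions": decisions, "denied": ac.denied_events(),
            "shared_refused": shared_refused}


if __name__ == "__main__":
    result = demo()
    print("decisions:", result["decisions"])
    for event in result["denied"]:
        print("DENIED", event)
```

The two denials in the walk-through are the interesting events: one is an attempt outside any held role, the other is a request made an hour after the temporary HR grant lapsed. Because every entry carries the account name and the roles that were live at that moment, the log can answer "who, with what authority, did what" without anyone reconstructing it from memory.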
-
Data Subject Rights: The Operational Blind Spot
PDPA empowers individuals with rights such as:
- Access to their personal data
- Correction of inaccurate data
- Withdrawal of consent
On paper, most companies acknowledge these rights.
In reality? They struggle to handle them.
Common gaps:
- No standardized request-handling process
- No identity verification mechanism
- Requests handled manually via email
- Delays and inconsistent responses
Why this is critical:
Because data subject rights are user-facing, failures here are:
- Highly visible
- Easily escalated
- Legally sensitive
True compliance requires operational readiness, not just awareness.
-
“IT Will Handle It” – A Structural Mistake
In many Sri Lankan companies, PDPA responsibility is pushed to:
- IT teams
- Security teams
- Or legal departments
But data is everywhere:
- HR manages employee records
- Marketing drives customer engagement
- Sales handles client interactions
Example:
A bank may have strong IT security, but weak controls in marketing data usage.
PDPA is not a technical problem. It’s an organizational one.
-
No Plan for When Things Go Wrong
Despite increasing cyber incidents globally and regionally, many organizations still lack:
- A clear incident response plan
- Defined roles during a breach
- Communication protocols
Sri Lanka context:
As more businesses digitize from e-commerce to transport platforms, the attack surface is expanding rapidly.
Yet preparedness remains low.
When a breach happens, it is not just a technical issue. It becomes a business crisis.

From Compliance to Maturity
The organizations that succeed under PDPA are not the ones with the best documents.
They are the ones with the best understanding and control.
| Compliance Thinking | Mature Approach |
| --- | --- |
| “We have a policy” | “We follow it daily” |
| “Users gave consent” | “We use the right legal basis” |
| “Data is stored” | “Data is mapped and tracked” |
| “Employees are trusted” | “Access is controlled” |
| “We’ll handle requests later” | “We are ready now” |
Final Thought: This Is Bigger Than Compliance
Sri Lanka is moving rapidly toward a data-driven economy.
With that comes responsibility.
The Personal Data Protection Act No. 9 of 2022 is a signal that businesses must fundamentally rethink how they handle data.
Because in the end:
- Customers don’t see your policies
- Regulators don’t see your intentions
They see your actions.
So, Ask Yourself
Are you truly compliant…
Or just operating under the illusion of control?