What is the Sri Lanka PDPA (Personal Data Protection Act)?

The Sri Lanka PDPA is a data protection law that sets out how both government and private-sector organizations must collect, use, store, and safeguard personal data. It ensures individuals’ privacy is respected and protected within Sri Lankan jurisdiction.

Who is covered by the Sri Lanka PDPA?

All entities—government bodies, private companies, and non-profits—operating in Sri Lanka that handle personal information must comply with the Sri Lanka PDPA. This includes any organization collecting or processing personal data of individuals in Sri Lanka.

What is considered personal data under the Sri Lanka PDPA?

Personal data refers to any information that can identify a person—such as their name, address, email, or phone number. If, alone or combined with other data, it can pinpoint an individual, it’s deemed personal data under the Sri Lanka PDPA.

How should consent be obtained under the Sri Lanka PDPA?

Organizations must obtain clear, specific, and informed consent from individuals before collecting their personal data. Individuals should be told why the data is collected, how it will be used, and who will have access.

What are the data protection requirements under the Sri Lanka PDPA?

Organizations must secure personal data against unauthorized access, use, disclosure, alteration, or destruction. Measures may include encryption, secure storage, robust access controls, and regular security audits.

What happens if an organization violates the Sri Lanka PDPA?

Non-compliance can result in financial penalties, legal consequences, and reputational damage. Furthermore, individuals may seek compensation if their personal data is misused or disclosed without proper authorization.

How does the Sri Lanka PDPA interact with other laws?

Although the Sri Lanka PDPA is a standalone law, it may overlap with other regulations, such as cybersecurity and privacy legislation. Organizations must ensure compliance across all relevant laws to meet data protection obligations.

India DPDPA

What is the Digital Personal Data Protection Act (DPDPA)?

The Digital Personal Data Protection Act (DPDPA), enacted in August 2023, is India’s comprehensive privacy law governing the processing of digital personal data. It aims to safeguard individual privacy while enabling responsible data use for lawful purposes such as governance, innovation, and service delivery. It applies to personal data collected online or offline but subsequently digitised, and covers entities both within and outside India if they offer goods, services or monitor individuals in India.

When did the DPDPA come into force?

The Act was passed in August 2023. Its key provisions were implemented in 2024, followed by the introduction of detailed rules by MeitY in January 2025. These rules became operational through phased enforcement in 2025, bringing full legal effect to its obligations, penalties, and rights enforcement mechanisms.

Who does the DPDPA apply to?

The DPDPA has a broad scope and applies to a wide range of entities:

All organisations operating in India, including companies, startups, government departments, schools, hospitals, and NGOs.
Foreign entities that process personal data to offer goods or services to individuals in India or to engage in profiling.

The Act excludes personal or household activities and data that has been fully anonymised or lawfully made public.

What qualifies as personal data under the DPDPA?

Personal data is any digital information that can directly or indirectly identify an individual. This includes:

Basic identifiers: names, phone numbers, addresses
Government IDs: Aadhaar, PAN, passport numbers
Sensitive data: financial records, health data, biometrics
Online data: IP addresses, cookie identifiers, device information

What are the key principles of the DPDPA?

The Act outlines foundational principles to guide data processing:

Consent-based Processing: Data should only be processed with explicit consent, unless covered under a legitimate use.‍
Purpose Limitation: Data should be collected only for specific, lawful purposes.‍
Data Minimisation: Only necessary data should be collected and used.‍
Data Accuracy: Entities must ensure data is complete and up to date.‍
Security Safeguards: Reasonable measures must be in place to prevent data breaches.‍
Transparency and Rights: Individuals must be informed of their rights and given mechanisms to exercise them.‍
Accountability: Fiduciaries must be able to demonstrate compliance.

What rights do individuals (Data Principals) have?

The DPDPA grants individuals several rights to help them control their data:

Right to Access: Know what data is being held and how it is being used.‍
Right to Correction and Erasure: Request corrections or deletion of inaccurate or unnecessary data.‍
Right to Withdraw Consent: Opt out of processing at any time.‍
Right to Grievance Redressal: File complaints with the organisation or escalate to the Data Protection Board.‍
Right to Nominate: Designate another individual to manage rights after death or incapacity.

What is consent under the DPDPA?

Consent must be:

Free, specific, informed, and unambiguous‍
Given through clear affirmative action
Easily withdrawn, with a process as simple as giving consent

Notices must be in plain language and accessible formats.

Who are Data Fiduciaries and Data Processors?

Data Fiduciary: Determines the purpose and means of processing data (e.g., a business or agency).‍
Data Processor: Processes data on behalf of a fiduciary, under contract.

Fiduciaries bear primary responsibility for compliance.

What are Significant Data Fiduciaries (SDFs)?

SDFs are high-impact entities that process large volumes of data or sensitive information. They have additional obligations:

Appointing a Data Protection Officer (DPO) based in India
Conducting Data Protection Impact Assessments (DPIAs)‍
Performing annual audits‍
Ensuring algorithmic transparency and restrictions on international data transfers

What changed under the DPDPA Rules, 2025?

The 2025 rules provide further clarity and enforcement mechanisms:

Mandatory breach notification within 72 hours‍
Standardised consent and privacy notice templates
Parental consent for children under 18
White-listed countries for data transfers abroad
Security standards and data retention timelines based on fiduciary category‍
Defined grievance response timelines

How is children’s data treated?

Children receive special protection under the Act:

Age of consent is under 18
Parental consent is mandatory
Targeted advertising and behavioural tracking are prohibited
Some exemptions for educational, medical, or safety purposes are allowed under strict conditions

What are the security obligations?

All Data Fiduciaries must:

Use encryption, obfuscation, or masking
Control access to systems and data
Maintain logs to detect breaches and retain them for at least one year
Ensure business continuity through backups
Include data protection clauses in contracts with processors

What are the rules on data retention and deletion?

Data must be deleted when:

It is no longer required for the original purpose
The individual withdraws consent

High-volume entities like ecommerce or social media platforms must delete unused data after 3 years of inactivity, with 48 hours’ prior notice to the individual.

Are there exemptions?

Yes, specific exemptions apply:

National security and public interest functions
Legal proceedings, investigations, and compliance
Medical emergencies or public health needs
Government schemes involving public funds

What about cross-border data transfers?

Allowed only to countries not restricted by the Indian government
No adequacy or SCC regime; a whitelist approach is followed
SDFs may face stricter restrictions on transferring certain personal or traffic data

What is the grievance redressal process?

Data Principal files complaint with the organisation (Fiduciary).
If unresolved, they can escalate to the Data Protection Board of India (DPBI).
The Board investigates and may issue fines or remediation orders.

What are the penalties for non-compliance?

Fines consist of:

Up to ₹250 crore for major breaches‍
₹200 crore for failing to notify breaches or protect children’s data
‍₹10,000 for knowingly filing false complaints
Suspension of operations or services in severe cases

Do SMEs and Startups need to comply?

Yes, however:

Startups and low-risk entities may receive compliance relaxations
Entities processing sensitive or large-scale data can still be classified as SDFs

What are Consent Managers?

These are government-registered platforms that help individuals manage their consents across different services. They ensure:

Transparent, secure, and interoperable consent management
Individuals can view, grant, or withdraw consents in one place

Where can I find official DPDPA resources?

India DPDPA‍

India DPDPA
‍