Is it mandatory to appoint a Data Protection Officer (DPO)?
The Sri Lanka Personal Data Protection Bill (Part 3, Chapter 20) clearly states that any organization that acts as a Controller or Processor of Personal Information shall designate a Data Protection Officer for the organization.
Is it possible to outsource the services of a DPO?
Yes. It is possible to outsource the function, but not the responsibility. The responsibility lies within the organization.
What are the considerations for companies when managing personal data?
Organizations need to understand what types of personal data they collect within their organization and how they use it. Once you have clarity on the types of data you have in your systems, it becomes easier to put processes and controls in place to manage that data. These processes and controls, along with assessing your suppliers and training your staff, combine to provide the fundamental basis for a Data Protection Management Program. It should be noted that any organization with one employee will be holding personal data and, therefore, will be required to have a Data Protection Management Program in place and a Data Protection Officer to enforce it.
What are your thoughts on how Sri Lanka has fared with privacy regulations in the South Asian region?
Sri Lanka has always been an exciting destination in the South Asian region. It became the first nation in the region to enact comprehensive privacy legislation. It is crucial when doing business globally that you understand your responsibilities in global data protection.
Can you explain the fines and penalties imposed?
The Sri Lanka PDP Act states a maximum fine of ten million rupees for non-compliance. Non-compliance will be reviewed by the Sri Lankan data protection organization, and the fines will be assessed depending on the compliance level of the organization, such as how the organization responded to a data breach and how effective the processes and controls are that the organization has in place to protect personal data.
In comparison, the European privacy regulator imposes a maximum fine of €10 million or 2% of a firm’s annual revenue, and in Singapore you would see a financial penalty of up to SG$1 million or 5% of the organization’s annual turnover, where the organization’s annual turnover exceeds SG$20 million.
For the moment, the fines and penalties that can be imposed by the Sri Lankan Privacy regulator can be described as reasonable but can be expected to be increased over time.
Having said that, even if the fine is relatively low in comparison to GDPR, an organization that fell foul of the regulations would suffer a significant impact on its reputation both publicly and privately.
What is usually expected from the regulator in the first year once the data protection authority has been established?
In the first year of operation, a regulator will generally be building its organization as well as providing education and information to organizations. It can, however, be expected that the regulator may want to make an example of organizations that are deliberately not following the regulations.
What are the restrictions of processing data outside of Sri Lanka?
Processing of personal data outside the territory of Sri Lanka is restricted to public authorities except if it is made under an adequacy analysis.
So for commercial organizations, processing data outside Sri Lanka will be possible if it is cleared through the regulator and an analysis of the adequacy of the privacy regime of the country where the data will be processed shows it to be sufficient.
There are also a few exceptions to this for commercial organizations, one of which includes consent to process overseas through a written agreement with the owners of the data.
As a global player in privacy compliance, what opportunities do you see for Obeden and how do you wish to assist companies in Sri Lanka?
Obeden has been focused on providing support for organizations as they create or review their data protection standards. With significant experience in GDPR, UK GDPR, PDPA and other data protection legislation, we see an opportunity to provide our expertise to Sri Lankan organizations as they adapt to the new Data Privacy laws being introduced.
Through educational opportunities, direct support and software-as-a-service platforms, we are looking forward to providing the first Sri Lankan PDP Act solutions to the Sri Lankan market, protecting organizations from potential fines and helping organizations protect the Sri Lankan people’s personal information that they hold and process.