Sri Lanka Data Protection Watch

Empowering Sri Lankans to understand their digital rights under the Personal Data Protection Act No. 09 of 2022.

Learn how to protect your personal data and stay safe in the digital age. 🇱🇰🔐

06/02/2026

What is a Data Protection Impact Assessment (DPIA) Test?

A Data Protection Impact Assessment (DPIA) test is a preventive legal assessment used to identify and reduce risks to individuals when personal data is processed in a way that may seriously affect their rights and freedoms.

It is not a technical checklist or an IT audit. It is a legal accountability tool required under the General Data Protection Regulation (GDPR) and reflected in modern data protection frameworks worldwide.

What does the DPIA test examine?

First, it requires a clear description of the processing activity. This includes what data is collected, for what purpose, who is affected, how long the data is kept, and who can access it.

Second, it asks whether the processing is likely to result in high risk. High risk commonly arises in situations such as large-scale data processing, use of new technologies, profiling, automated decision-making, biometric or health data use, employee monitoring, or processing data of vulnerable individuals.

Third, the DPIA test evaluates necessity and proportionality. The organisation must show that the processing is genuinely needed and that the same objective cannot be achieved in a less intrusive way.

Finally, it requires identification of risk mitigation measures. These may include encryption, access controls, reduced retention periods, human oversight, and clear mechanisms for exercising data subject rights.

If significant risk remains even after safeguards, the organisation must consult the data protection authority before proceeding.

Why the DPIA test matters

A proper DPIA demonstrates accountability. Regulators often focus not only on whether harm occurred, but on whether risks were assessed and addressed in advance. In enforcement actions, failure to conduct a DPIA is frequently treated as a serious compliance failure.

In simple terms

A DPIA test forces organisations to think about data protection risks before harm happens, not after.

© Sri Lanka Data Protection Watch (SLDPW)

22/01/2026

Digital marketing is powerful, but it comes with responsibility. Every click, form, and ad campaign involves personal data. Names, emails, locations, browsing behaviour, and preferences are not just marketing assets. They are part of someone’s private life.

Responsible digital marketing means:
• Collecting only what is truly necessary
• Being clear about why data is collected
• Using data lawfully, fairly, and transparently
• Protecting customer information from misuse or breaches
• Respecting consent and the right to opt out

Trust is the real currency of the digital economy. Brands that respect personal data do not just comply with the law. They build credibility, loyalty, and long-term value. Smart marketing respects privacy. Ethical growth depends on it.

16/01/2026

What information must a controller provide when confirming the processing of personal data?

When a data subject asks whether their personal data is being processed, the data controller must provide clear and accurate information, including the following:

Confirmation of processing
The controller must clearly confirm whether the personal data of the data subject is being processed or not.

Purpose of processing
The controller must explain the specific purpose or purposes for which the personal data is being processed. This helps the data subject understand why their data is used.

Categories of personal data
The controller must state the categories or types of personal data that are being processed, such as identification data, contact details, or financial information.

Source of the personal data
If the personal data was not obtained directly from the data subject, the controller must disclose the source of the data. This includes stating whether the data was obtained from a third party or from a publicly accessible source, if applicable.

Consent or lawful basis
Where consent is the basis for processing, the controller must demonstrate that valid consent has been obtained from the data subject. If another lawful basis applies, it should be clearly indicated.

Transparency requirement
All information must be provided in a clear, transparent, and easily understandable manner so that the data subject can effectively exercise their rights under the Act.


12/01/2026

Rights of data subjects under Part II of the PDPA (Sri Lanka)

Part II of the Act sets out the fundamental rights of individuals over their personal data. These rights apply when data is processed by companies, organisations, or public authorities.

1. Right to be informed

You have the right to know:

Who is collecting your data

Why it is being collected

How it will be used

With whom it will be shared

This information must be given clearly and honestly.

2. Right of access

You can ask whether an organisation holds your personal data and request a copy of that data.

3. Right to rectification

If your data is incorrect, incomplete, or outdated, you can ask for it to be corrected without delay.

4. Right to erasure

You may request deletion of your personal data when:

It is no longer needed for the original purpose

It was processed unlawfully

Consent has been withdrawn and no other legal basis exists

This is often called the “right to be forgotten”.

5. Right to restrict processing

You can ask an organisation to limit how your data is used, for example while accuracy or legality is being checked.

6. Right to object

You may object to processing that causes harm or distress, especially for direct marketing or profiling purposes.

7. Right to data portability

You can request your data in a usable format and ask for it to be transferred to another service provider, where technically possible.

8. Rights related to automated decision-making

You have the right not to be subject to decisions made solely by automated systems if those decisions significantly affect you, unless allowed by law.

Why these rights matter

These rights give individuals control, dignity, and fairness in how their personal data is handled. The PDPA shifts power away from organisations and places it back with the person to whom the data belongs.

08/01/2026

Can you process personal data for personal or household use without falling under the PDPA?

Yes.

Under section 2(3)(a) of the Personal Data Protection Act, No. 9 of 2022, an individual may process personal data for personal, domestic, or household purposes without being subject to the Act.

This means that when personal data is used strictly within private life or the home, such as maintaining personal contacts, family communications, or household records, the provisions of the Act do not apply.

The PDPA is primarily designed to regulate the processing of personal data by controllers and processors engaged in commercial, professional, or organisational activities.

However, this exemption is not unlimited. If personal data is processed for purposes that go beyond personal, domestic, or household use, the Act may apply and compliance obligations can arise.

Knowing where this boundary lies is essential for lawful data use.

Follow Sri Lanka Data Protection Watch for clear and reliable updates on the PDPA.

31/12/2025

New Year Wishes 2026 | Sri Lanka Data Protection Watch

As 2026 begins, we extend our warm wishes to our community across Sri Lanka and beyond. May the year ahead bring clearer thinking, stronger institutions, and a deeper respect for privacy, trust, and accountability in the digital space. Let us move forward with care, fairness, and a shared commitment to protecting personal data in an evolving world. Wishing you a year of steady progress, informed choices, and meaningful impact.

Happy New Year 2026, Sri Lanka Data Protection Watch Team

30/12/2025

In data protection law, there are three key actors, and each has a clear role in how personal data is handled.

1. Data Subject
This is the individual whose personal data is involved.
In simple terms, it is you or anyone whose name, ID number, phone number, email, location, or other personal details are collected or used.
Examples include customers, employees, patients, students, and website users.

2. Data Controller
This is the person or organisation that decides why and how personal data is collected and used.
Simply put, the controller is the decision-maker.
Examples include companies, banks, universities, hospitals, government authorities, and online platforms.

3. Data Processor
This is the person or organisation that processes personal data on behalf of the controller.
They act only on instructions and do not decide the purpose of processing.
Examples include IT service providers, cloud service companies, payroll firms, and data analytics providers.

Understanding these roles is the first step toward responsible data protection and legal compliance.

26/12/2025

🎄 Merry Christmas from Sri Lanka Data Protection Watch 🎄

As we celebrate the season of peace, reflection, and goodwill, we extend our warmest Christmas wishes to our community, partners, and supporters.

May this festive season inspire trust, responsibility, and care in all that we do—both offline and in the digital world. We remain committed to promoting data protection awareness, privacy rights, and responsible information practices in Sri Lanka and beyond.

Wishing you and your loved ones a joyful Christmas and a peaceful New Year.

— Sri Lanka Data Protection Watch 🔐✨

24/12/2025

Cookies and Data Privacy: What You Should Know

When you visit a website, small files called cookies are often stored on your device. They help websites remember things like your login status, language choice, or items in a shopping cart. Without some cookies, many websites would not function properly.

From a data privacy perspective, cookies matter because they can contain or link to personal data. While essential cookies are needed for basic site functions, other cookies are used for analytics, tracking, and advertising. These can follow your online behavior across websites and build detailed user profiles.

This is why data protection laws require transparency. Users should be told what cookies are used, why they are used, and for how long. In many cases, especially for tracking and advertising cookies, clear and informed consent is required.

A simple rule of thumb: not all cookies are bad, but users have the right to know and to choose. Responsible use of cookies protects trust, privacy, and digital freedom.
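The transparency and consent points above can be enforced in code rather than left to a banner alone. The following is an added example written for this post, not code from Sri Lanka Data Protection Watch: a consent-aware cookie policy for a hypothetical shop site. The cookie names, categories, purposes and retention periods in the register are constructed for illustration. Every cookie is registered once with its category, purpose and lifetime, so the disclosures the post calls for (which cookies, why, for how long) are generated from the same table that decides whether a cookie may be issued, and non-essential cookies are only set once the visitor has opted in to that category.

```javascript
// Added example, not from the Sri Lanka Data Protection Watch post: a
// consent-aware cookie policy for a hypothetical shop site. Every cookie the
// site issues is registered with a category, a plain-language purpose and a
// retention period, so the disclosures the post calls for (which cookies,
// why, for how long) come from one table, and non-essential cookies are only
// issued once the visitor has consented to that category.

// Constructed cookie register. maxAgeSeconds 0 means a session cookie.
const COOKIE_REGISTER = {
  session_id: { category: "essential",   purpose: "Keeps you logged in",         maxAgeSeconds: 0,        httpOnly: true },
  lang:       { category: "essential",   purpose: "Remembers language choice",   maxAgeSeconds: 31536000, httpOnly: false },
  cart:       { category: "essential",   purpose: "Items in your shopping cart", maxAgeSeconds: 604800,   httpOnly: false },
  _an_visit:  { category: "analytics",   purpose: "Counts page visits",          maxAgeSeconds: 2592000,  httpOnly: false },
  _ad_track:  { category: "advertising", purpose: "Cross-site ad targeting",     maxAgeSeconds: 7776000,  httpOnly: false },
};

// Essential cookies never need consent; every other category must be opted into.
// consent is an object such as { analytics: true, advertising: false }.
function isCookieAllowed(name, consent) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) return false;                       // unregistered cookies are never issued
  if (entry.category === "essential") return true;
  return consent !== null && typeof consent === "object" && consent[entry.category] === true;
}

// Build the value of a Set-Cookie header (or a document.cookie assignment),
// or return null when the visitor has not consented to the cookie's category.
function buildSetCookie(name, value, consent) {
  if (!isCookieAllowed(name, consent)) return null;
  const entry = COOKIE_REGISTER[name];
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (entry.maxAgeSeconds > 0) parts.push(`Max-Age=${entry.maxAgeSeconds}`);
  if (entry.httpOnly) parts.push("HttpOnly");     // keeps the session token away from page scripts
  return parts.join("; ");
}

// The cookie notice is generated from the register, so what the visitor is
// told cannot drift away from what the site actually sets.
function cookieDisclosure() {
  return Object.entries(COOKIE_REGISTER).map(([name, e]) => ({
    name,
    category: e.category,
    purpose: e.purpose,
    retention: e.maxAgeSeconds === 0
      ? "until the browser is closed"
      : `${Math.round(e.maxAgeSeconds / 86400)} days`,
  }));
}

// When consent for a category is withdrawn, return the Set-Cookie values that
// expire every cookie in that category (Max-Age=0 deletes the cookie).
function expireCookiesFor(category) {
  return Object.entries(COOKIE_REGISTER)
    .filter(([, e]) => e.category === category)
    .map(([name]) => `${name}=; Path=/; Max-Age=0`);
}

// Usage: a visitor who has accepted analytics but not advertising.
const visitorConsent = { analytics: true, advertising: false };
console.log(buildSetCookie("session_id", "s3cr3t", visitorConsent)); // issued, HttpOnly
console.log(buildSetCookie("_an_visit", "1", visitorConsent));       // issued, 30-day Max-Age
console.log(buildSetCookie("_ad_track", "x", visitorConsent));       // null: no consent
console.log(cookieDisclosure());
```

The same functions work on the server (the returned string is the `Set-Cookie` header value) and in the browser (assign it to `document.cookie` for cookies that are not `HttpOnly`). Keeping the register as the single source of truth is the point: the consent check, the notice, and the withdrawal path all read from it, so adding a cookie without a category or purpose simply does not work.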

24/12/2025

Why the Shinhan Card Data Breach Matters: Key Lessons for Businesses and Regulators

The recent data breach involving Shinhan Card, which exposed personal information linked to approximately 192,000 merchants, is a reminder that data protection risks do not arise only from hackers and malware. This incident matters because it highlights a quieter but equally serious threat: insider misuse of personal data.

Why this incident is significant

First, the scale. Even though no card numbers or bank details were leaked, the exposure of phone numbers, names, and limited personal attributes affects a large number of self-employed merchants. Such data can easily be used for phishing, social engineering, or targeted scams. In practice, personal contact data is often enough to cause real harm.

Second, the source of the breach. This was not an external cyberattack but alleged employee misconduct. That distinction is crucial. Many organisations invest heavily in firewalls and technical security while underestimating internal risks. This case shows that internal access, when poorly controlled or supervised, can undermine even strong technical systems.

Third, the regulatory dimension. The incident triggered mandatory notification to South Korea’s Personal Information Protection Commission. This reflects a broader global trend: regulators increasingly expect prompt disclosure, clear accountability, and demonstrable preventive measures, regardless of whether the breach is external or internal.

Key lessons to learn

1. Insider risk is a core data protection issue
Employee access to personal data must be strictly limited to what is necessary. Sales pressure, informal practices, or weak oversight can quickly turn legitimate access into unlawful disclosure.

2. Governance matters as much as cybersecurity
Policies, training, and internal controls are not optional add-ons. Clear rules on data use, regular audits, and real consequences for violations are essential parts of compliance.

3. “Non-sensitive” data can still cause harm
Phone numbers and basic identifiers are often treated as low risk. In reality, they are valuable tools for fraudsters. Organisations should protect them with the same seriousness as financial data.

4. Transparency helps restore trust
Shinhan Card’s public apology, breach notification, and tools for affected merchants to check their status reflect good practice. Open communication reduces uncertainty and limits secondary harm.

5. Compliance is continuous, not reactive
Reporting a breach is only the beginning. Regulators will look closely at whether preventive measures were adequate before the incident, not just how the company responded afterward.

The broader takeaway

This case is a clear example of why modern data protection law focuses on accountability. Protecting personal data is not only about stopping external attackers. It is about building systems, cultures, and controls that prevent misuse from within. For financial institutions, merchants, and regulators alike, the lesson is simple but demanding: trust depends on discipline, not just technology.
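Lessons 1 and 2 above (limit employee access to what is necessary, and audit it) need a record of who opened which record, and a routine review of that record. The following is an added example written for this post, not code from Sri Lanka Data Protection Watch or from Shinhan Card: a small insider-access review over a constructed access log. The log format, employee ids, merchant ids and the threshold of 20 distinct merchants per hour are all assumptions made for the example. Each read of a merchant record produces one log line; the review groups reads per employee per hour, counts distinct merchants, and flags anyone over the threshold, which is the pattern a bulk pull of customer contact data leaves behind even when every individual read was technically authorised.

```javascript
// Added example, not from the Sri Lanka Data Protection Watch post: a small
// insider-access review over a constructed access log. Each time an employee
// opens a merchant record the application writes one line; the review groups
// those reads per employee per UTC hour, counts distinct merchants, and flags
// anyone above a threshold.

// Constructed log lines: timestamp,employee,action,merchantId
const SAMPLE_LOG = [
  "2025-12-20T09:01:12Z,emp042,VIEW,M10001",
  "2025-12-20T09:05:40Z,emp042,VIEW,M10002",
  "2025-12-20T09:30:03Z,emp042,VIEW,M10001", // same merchant again: not a new subject
  "2025-12-20T09:45:00Z,emp015,VIEW,M10003",
  "2025-12-20T10:02:00Z,emp077,VIEW,M20001",
  "garbage line with no commas",              // malformed line, must be skipped
].concat(
  // emp077 opening 45 further distinct merchants inside the 10:00 hour
  Array.from({ length: 45 }, (_, i) =>
    `2025-12-20T10:${String(3 + i).padStart(2, "0")}:00Z,emp077,VIEW,M${21000 + i}`)
);

// Parse CSV-style lines into records; malformed lines are dropped and counted,
// because a review that silently loses lines is worse than one that reports it.
function parseAccessLog(lines) {
  const records = [];
  let malformed = 0;
  for (const line of lines) {
    const fields = line.split(",");
    if (fields.length !== 4 || Number.isNaN(Date.parse(fields[0]))) { malformed++; continue; }
    const [ts, employee, action, merchantId] = fields;
    records.push({ ts: new Date(ts), employee, action, merchantId });
  }
  return { records, malformed };
}

// Bucket reads per employee per UTC hour and count distinct merchants.
// The assumed threshold (20) would in practice be set from normal workload.
function reviewAccess(records, { maxDistinctPerHour = 20, action = "VIEW" } = {}) {
  const buckets = new Map(); // key "employee|YYYY-MM-DDTHH" -> Set of merchantIds
  for (const r of records) {
    if (r.action !== action) continue;
    const hour = r.ts.toISOString().slice(0, 13);
    const key = `${r.employee}|${hour}`;
    if (!buckets.has(key)) buckets.set(key, new Set());
    buckets.get(key).add(r.merchantId);
  }
  const flagged = [];
  for (const [key, merchants] of buckets) {
    if (merchants.size > maxDistinctPerHour) {
      const [employee, hour] = key.split("|");
      flagged.push({ employee, hour, distinctMerchants: merchants.size });
    }
  }
  return flagged.sort((a, b) => b.distinctMerchants - a.distinctMerchants);
}

// Run the whole review and return a summary a compliance reviewer can read.
function runReview(lines = SAMPLE_LOG) {
  const { records, malformed } = parseAccessLog(lines);
  return { flagged: reviewAccess(records), parsed: records.length, malformed };
}

console.log(JSON.stringify(runReview(), null, 2));
```

On the constructed log the review flags emp077 with 46 distinct merchants in the 10:00 hour and leaves the two employees doing ordinary work alone. Counting distinct data subjects rather than raw reads matters: an employee who re-opens the same record all morning is not the pattern of concern, while one who touches a new record every minute is. The flagged output is a starting point for a human review, not a verdict.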

23/12/2025

Sri Lanka PDPA Compliance Checklist

This educational resource is developed by the author of Your Questions Answered: A Deep Dive into the Personal Data Protection Act No. 9 of 2022 (Sri Lanka) and is designed to support structured learning and a practical understanding of Sri Lanka’s data protection framework.

The fillable PDPA Compliance Checklist, prepared under the Personal Data Protection Act No. 9 of 2022, as amended by Act No. 22 of 2025, is intended for internal compliance reviews and regulatory readiness. It includes sector-specific tailoring to support organisations in meeting their obligations under the Act.

📥 You can download the checklist using the link below:

https://drive.google.com/file/d/1CWtpNdSb8MJ0kZ9Emn-7JWC0Q8zDuTbc/view?usp=sharing

Address

Korathota North
Kaduwela
10640

Opening Hours

Monday 09:00 - 17:00
Tuesday 09:00 - 17:00
Wednesday 09:00 - 17:00
Thursday 09:00 - 17:00
Friday 09:00 - 17:00
