Navigating Sri Lanka's new data protection act
What businesses need to know about consent, breach notification, and the new powers of the regulator under the PDPA.
The Personal Data Protection Act introduces a fundamentally new regime for how organizations in Sri Lanka collect, store, and process personal information.
This piece walks through the act's core obligations — lawful basis, purpose limitation, data subject rights — and sets out a practical compliance roadmap for small and mid-sized businesses.
The three areas where I see clients most exposed
Consent management — most existing consent flows will not meet the standard.
Vendor contracts — your processors need new clauses, not just an addendum.
Breach response — you have a regulatory clock once you know.
Each comes with a checklist you can take to your team.
If something here applies to a decision you're about to make, get in touch for a consultation.