March 14, 2022
As data and digital tools assume an ever-larger role in all aspects of our lives, it is increasingly important to have clear and effective rules governing the use of personal data throughout its life cycle and across different data ecosystems. Governments are therefore establishing data protection regimes, a foundational step in developing a broader approach to modern digital governance that protects citizens from harm while supporting useful innovation from both the public and private sectors. These choices have direct and long-lasting consequences for economic development, whilst ensuring that citizens and their data are offered more rigorous protections and controls.
Given this scenario, Sri Lankan lawmakers approved the Personal Data Protection Bill in Parliament in March 2022. The Bill aims to safeguard the rights of individuals and ensure consumer trust in the processing of personal data. In other words, this information could be residing in systems and manuals. It provides measures to protect the personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities, where these entities will be required to collect personal data only for specified purposes and not for any other purpose. The Bill seeks to define the roles and responsibilities of the various chains in the usage, storage and processing of data and also sets a penalty for failure to comply, which would be subject to the nature and the extent of non-compliance. As such, organizations large and small that fall within the scope of the law are bound to conduct their data processing and related activities as specified in the Bill.
Organizations therefore will be compelled to implement the appropriate measures to prevent unauthorized access to sensitive and confidential information, prevent malicious cyber-attacks, accidental loss, or the deletion of any confidential data. This involves putting in place a robust data security strategy that centers on people, process and technology which is embedded into the culture of the business and processes. Organizations will also need to ensure that employees are trained to understand the importance of securing sensitive and confidential information, as well as implementing the right technology to guard against both the malicious and accidental loss of data.
In this context, PwC intends to play a key role in assisting organizations' boards to adapt to the requirements of the Bill and help ensure that companies have a data privacy compliance program in place, along with the right processes and controls. Assisting companies in their journey to comply with multiple data privacy laws in a business-as-usual way, they will be offering a full scope of preparations for regulatory changes in data protection, from scoping and gap assessments through to implementation. These include privacy assessment services, personal data governance, contracts evaluation, privacy awareness and individual rights management, privacy enhancing security, privacy framework review, privacy strategy advisory, privacy programme development, structure, roles and operating model, data flow mapping, inventory cataloging and classification, data privacy impact assessment, global data transfer strategies and data retention policies.
Outlining the importance of local businesses transitioning to the new Privacy Regime, Nishan Mendis, Technology Consulting Leader, PwC Sri Lanka, stated, “To protect their organizational integrity, it is imperative that companies make data privacy a top priority. Privacy laws have significant impacts on how companies do business. Despite variations in scope, application and enforcement, cyber security and data privacy laws need to share common broad requirements and overarching goals. At PwC we will support our local companies to create digital trust, which is a very important and essential criterion today for a company’s success and integrity.”
Vengadasalam Balagobi, Director, Practice Head Cyber Security and Privacy of PwC Sri Lanka, added, “Businesses today must be accountable for monitoring and protecting their data on a daily basis. Therefore today’s organizations need new mechanisms to build consumer trust and confidence as they address emerging challenges in business, risk management and compliance. As such, we can help companies put data protection requirements in the context of the business and help develop the requisite steps to transforming privacy programmes, with tools and accelerators to assist the process.”
Photo caption: From left to right: Nishan Mendis, Technology Consulting Leader, PwC Sri Lanka; Vengadasalam Balagobi, Director, Practice Head Cyber Security and Privacy, PwC Sri Lanka; and Yohan Jayasinghe, Consultant, Cybersecurity, Governance and Data Privacy, PwC Sri Lanka