The Sri Lanakan Personal Data Protection Legislation Bill has been finalized and will be implemented over three years from the date of certification by the Speaker, providing adequate time for both the public and private sectors to implement the legislation. A Sri Lankan Data Protection Authority will also be establihsed within 18 months. The Bill established data subject rights, creates obligations for controllers and processors, and introduces administrative penalties calculated on the global turnover of the controllers.

It’s interesting to see that ever-more countries across the world are increasingly drafting regulation inspired by the GDPR. This is a concrete example of how companies can lower costs by way of the creation of a global Privacy and Data Protection Compliance Framework where, when based on the GDPR, a strong compliance posture will already be in place.