- Initial focus on educating institutions about data protection obligations
- Secretariat undergoing capacity building
- DG appointed, nearly 50 staff members recruited
Sri Lanka’s Data Protection Authority (DPA) Secretariat is set to commence operations by next month, with its initial focus on educating institutions about their data protection obligations, according to the Deputy Minister of Digital Economy.
Speaking to The Sunday Morning Business, Deputy Minister of Digital Economy Eranga Weeraratne stated that the DPA Secretariat was undergoing capacity building at present, adding that a Director General (DG) had already been appointed a few weeks ago and approximately 50 staff members recruited.
He noted that the authority was expected to have sufficient capacity to begin operations by next month.
Weeraratne further stated that the implementation and enforcement of the Personal Data Protection Act No.9 of 2022 (PDPA) would be carried out in a phased manner.
Accordingly, the DPA’s initial priority upon commencing operations will be to educate institutions on the safeguards and systems required to ensure compliance with data protection obligations.
“The authority will first focus on educating institutions on the protections they need to implement for data protection and gradually move towards enforcement thereafter,” he said.
He further revealed that the timeline for enforcement would be determined by the DPA and communicated to the ministry, and therefore he was unable to provide a specific timeframe at present for commencement of enforcement.
Responding to questions raised by The Sunday Morning Business, the Deputy Minister confirmed that the DPA’s eventual scope would extend to both private and public institutions. However, he acknowledged that in the initial phase, the focus may be limited primarily to public sector institutions.
Under the original Section 1 of the PDPA, most provisions, excluding Parts IV and V, were required to come into force between 18 and 36 months from the date of the Speaker’s certificate. Part IV was to come into operation between 24 and 48 months, while Part V was to take effect no later than the date specified for the other provisions.
However, the Personal Data Protection (Amendment) Act of 2025 repealed these fixed timelines, instead granting the minister discretion to bring all provisions of the act, other than Section 1, into operation on such date or dates as he may appoint by order published in the gazette.