By: Staff Writer
April 14, Colombo (LNW): As Sri Lanka accelerates its journey toward a digital economy, the operationalisation of the Data Protection Authority (DPA) represents both progress and a test of institutional readiness. While the Government’s digital transformation agenda is gaining momentum, the effectiveness of data protection mechanisms will play a determining role in shaping its success.
The DPA, expected to commence operations shortly, has been structured with an initial team and leadership already in place. However, its early focus will be limited to awareness-building rather than enforcement of the Personal Data Protection Act No. 9 of 2022. This reflects a recognition that many organisations are not yet equipped to meet compliance standards.
Sri Lanka’s digital transformation plan encompasses a wide range of initiatives from digitising government services to promoting digital payments and enhancing connectivity. These efforts are designed to improve efficiency, transparency, and economic growth. However, they also significantly increase the volume and sensitivity of personal data being processed across both public and private sectors.
In this context, the absence of immediate enforcement creates a paradox. While digital systems expand rapidly, the regulatory safeguards meant to protect them are still being phased in. This gap could expose individuals and institutions to data breaches, misuse, and cyber risks, potentially undermining confidence in digital platforms.
The decision to remove fixed implementation timelines through the 2025 amendment adds another layer of complexity. By granting discretionary power over when provisions come into force, the framework gains flexibility but loses predictability. For businesses, this uncertainty complicates compliance planning, while for citizens, it raises concerns about when their data rights will be fully protected.
Deputy Minister Eranga Weeraratne has indicated that the DPA will eventually oversee both public and private sectors, though initial efforts may concentrate on government institutions. This sequencing is logical, but it underscores the need for a clear roadmap to ensure comprehensive coverage.
For Sri Lanka’s digital transformation to succeed, data protection must evolve in parallel. Key priorities should include:
Establishing definitive timelines for enforcement phases
Building institutional expertise in data governance and cybersecurity
Encouraging early compliance through incentives and guidelines
Strengthening collaboration between regulators and digital service providers
Ultimately, the DPA’s role extends beyond compliance it is central to building a trusted digital ecosystem. Without strong and timely safeguards, the benefits of digital transformation may be overshadowed by risks, slowing adoption and limiting economic potential.
Sri Lanka stands at a pivotal moment. The foundations of a digital future are being laid, but their durability will depend on how effectively data protection is implemented in practice, not just in policy.