Legal & Compliance, Cybersecurity

Sri Lanka Data Protection Law: 2026 PDPA Compliance Guide for Businesses

15th April, 2026
Updated: 25th June, 2026
17 min read
Tags: PDPA Sri Lanka · Data Protection · Data Privacy · GDPR · Compliance · Personal Data Protection · Cybersecurity

Hashtag Coders

Software Engineers & Digital Strategists

Legal Disclaimer

This article is general information for business readers - not legal advice. Statutory commencement dates and obligations should be confirmed against current Gazette notices and the Personal Data Protection Act, No. 9 of 2022 (as amended). Before making compliance decisions, have a qualified Sri Lankan lawyer or data protection practitioner review your specific processing activities. Statutory references verified against published Gazette texts as of 25 June 2026.

At a Glance - Sri Lanka Data Protection Law (June 2026)

  • Primary law: Personal Data Protection Act, No. 9 of 2022 (PDPA Sri Lanka) - enacted 9 March 2022
  • In force now: Data Protection Authority (Part V, from 17 July 2023) + related administrative Parts VI, VIII, IX, X (from 1 December 2023)
  • Not yet in force (June 2026): Data subject rights (Part II), controller/processor duties (Part III), penalties (Part VII), core processing rules (Part I)
  • Next commencement: Minister must appoint date(s) by Gazette - no substantive commencement order published as of June 2026 (Amendment Act No. 22 of 2025 removed fixed deadlines)
  • Max penalty (when Part VII applies): Up to LKR 10 million per non-compliance; repeat offences may double prior penalty
  • Also applies today: GDPR if you target EU residents · sector rules (banking, payments) · Computer Crimes Act

Introduction

Sri Lanka's data protection law in 2026 centres on the Personal Data Protection Act, No. 9 of 2022 (the PDPA), the country's standalone personal data protection statute. Parliament passed it in March 2022, but implementation is phased: the regulator is operational, while the day-to-day obligations most businesses worry about still await a Gazette commencement date.

This guide separates what the PDPA will legally require (once the relevant Parts take effect) from practical controls you can implement now. It covers official effective dates, the data privacy rules Sri Lankan businesses already face (including GDPR for EU-facing companies), a compliance checklist, and links to technical implementation through our cybersecurity service.

Official Sources & Legislative Status

Always verify against primary sources - commencement dates change by Gazette order:

Instrument | Date | Status (June 2026)
Personal Data Protection Act, No. 9 of 2022 | Enacted 9 March 2022 · certified 19 March 2022 | Partially in force
Gazette Extraordinary No. 2341/59 | Published 21 July 2023 · Part V from 17 July 2023 | ✓ In force - establishes Data Protection Authority
Gazette Extraordinary No. 2366/08 | Published 8 January 2024 · Parts VI, VIII, IX, X from 1 December 2023 | ✓ In force - administrative/supporting provisions
Gazette Extraordinary No. 2427/34 | Published 14 March 2025 | Repealed the previously scheduled 18 March 2025 commencement of the substantive Parts
Personal Data Protection (Amendment) Act, No. 22 of 2025 | Enacted 21 October 2025 · Gazette 31 October 2025 | Removed fixed grace-period timelines; remaining Parts commence on Minister-appointed Gazette date(s) - none announced as of June 2026

Regulator: Data Protection Authority of Sri Lanka (dpa.gov.lk). Monitor the Government Gazette and DPA announcements for the substantive commencement order.

What Is In Force vs What Is Pending

Understanding this split is essential for PDPA Sri Lanka planning:

PDPA Part | Subject matter | Force status (June 2026)
Part I | Lawful processing, purpose limitation, data minimisation, retention | Pending - awaiting Gazette commencement
Part II | Data subject rights (access, rectification, erasure, objection, automated decisions) | Pending
Part III | Controller/processor obligations, DPO, breach notification, cross-border transfers | Pending
Part V | Data Protection Authority establishment and powers | In force since 17 July 2023
Parts VI, VIII, IX, X | Supporting administrative, financial, and procedural provisions | In force since 1 December 2023
Part VII | Administrative penalties and enforcement | Pending

Practical implication: you should prepare now, but most PDPA controller obligations are not legally enforceable until the Minister publishes commencement date(s). Other laws (GDPR, the Computer Crimes Act, sector rules) may already apply to you today.

Section A - Legal Requirements Under the PDPA (When Substantive Parts Commence)

The following summarises the Act's text. Obligations become binding only when the relevant Parts are brought into operation by Gazette.

Territorial scope (Section 2)

The PDPA applies when processing occurs wholly or partly in Sri Lanka, or when a controller/processor is domiciled, incorporated, or established in Sri Lanka, or offers goods/services to data subjects in Sri Lanka (including targeted offering), or monitors behaviour of data subjects in Sri Lanka. Exemptions include purely personal, domestic, or household processing by an individual.

Lawful bases for processing (Schedule I)

Processing is lawful only if a controller meets Schedule I conditions (and Schedule II for special categories such as health or biometric data). Legal bases include:

  • Consent - must meet Schedule III conditions when consent is the basis
  • Contract - necessary to perform a contract or pre-contract steps
  • Legal obligation - required under written law
  • Emergency - life, health, or safety of the data subject
  • Public interest / legitimate interests - as defined in the Act, with safeguards (especially for children)

Data subject rights (Part II - pending)

When Part II commences, data subjects may request (in writing, subject to Act limits):

  • Access - confirmation of processing and information per Schedule V
  • Withdraw consent - where processing is consent-based
  • Rectification or completion - of inaccurate or incomplete data
  • Erasure - in specified circumstances (e.g. data no longer necessary, unlawful processing)
  • Objection / review of automated decision-making - where applicable under the Act

Controller & processor obligations (Part III - pending)

Key legal duties in the Act text include:

  • Purpose limitation & data minimisation - specified, explicit, legitimate purposes only
  • Data Protection Officer (DPO) - appointment required in circumstances set out in the Act
  • Data protection management programme - policies, training, accountability measures
  • Personal data breach notification - controllers must notify the Authority; rules on form and timing to be prescribed
  • Cross-border transfers (Section 26) - transfers outside Sri Lanka restricted unless conditions met (adequacy, safeguards, consent, or other statutory grounds)
  • Processor contracts - written agreements governing processor handling of personal data

Penalties (Part VII - pending)

When Part VII commences, the Authority may impose administrative penalties for failure to comply with directives - up to LKR 10 million per non-compliance. For repeat non-compliance, an additional penalty of up to twice the previous amount may apply. The Authority considers gravity, duration, number of affected data subjects, and mitigation efforts.

Section B - Practical Controls (Implement Regardless of PDPA Commencement)

These are industry-standard safeguards - not a substitute for legal advice, but sound preparation for both Sri Lankan data privacy rules and international obligations:

Governance & documentation

  • Maintain a record of processing activities - what data, why, lawful basis, retention, recipients
  • Publish a clear privacy notice - collection purposes, rights, contact point, cross-border transfers
  • Execute Data Processing Agreements with vendors (email, CRM, cloud, analytics)
  • Assign an internal privacy owner (DPO or equivalent) even before legally mandated

Technical & organisational security

  • Encryption - TLS in transit; encryption at rest for databases with personal data
  • Access control - role-based access; least privilege; MFA for admin systems
  • Logging & backups - audit trails for sensitive data access; encrypted backups
  • Incident response plan - containment, evidence preservation, notification workflow
  • Secure development - input validation, dependency patching, penetration testing for customer-facing apps

Website & app specifics

  • HTTPS everywhere (with HSTS); Secure, HttpOnly and SameSite flags on session cookies
  • Cookie/consent banner if you use non-essential tracking (required for GDPR; good practice locally)
  • Data subject request workflow - intake, identity verification, 30-day response target (align with GDPR if applicable)
  • Payment data - use certified gateways; never store CVV. See payment gateway integration Sri Lanka
  • E-commerce customer data - align retention with tax needs. See ecommerce development Sri Lanka

PDPA Compliance Checklist

Use this checklist to prepare before substantive Parts commence. Mark legal items as "prepare now / enforce when commenced."

Legal readiness (PDPA)

  • ☐ Map processing activities and identify lawful bases (Schedule I / II)
  • ☐ Draft or update privacy notice per Schedule VI information requirements
  • ☐ Define consent capture mechanism meeting Schedule III (if relying on consent)
  • ☐ Document cross-border transfer routes and legal grounds (Section 26)
  • ☐ Prepare data subject rights response procedures (Part II)
  • ☐ Draft processor agreements with third-party vendors
  • ☐ Plan breach notification process to the Data Protection Authority (Part III, Section 23)
  • ☐ Monitor Gazette for commencement date - update policies on go-live

Practical controls (implement now)

  • ☐ HTTPS, MFA, role-based access, encrypted backups
  • ☐ Vendor data processing agreement review (AWS, Google, Mailchimp, etc.)
  • ☐ Employee privacy/security training
  • ☐ Retention schedule - delete or anonymise when no longer needed
  • ☐ PCI DSS alignment if accepting card payments (via gateway, not direct storage)
  • ☐ Annual security assessment or penetration test for public-facing systems

Other Laws Sri Lankan Businesses Already Face

The PDPA is not the only framework. Depending on your sector and customers:

Framework | When it applies | Key point
GDPR (EU) | Offering goods/services to EU residents or monitoring their behaviour | Fines up to €20M or 4% of global annual turnover, whichever is higher; enforceable now regardless of PDPA status
Computer Crimes Act, No. 24 of 2007 | Unauthorized access, interception, misuse of computer data | Criminal liability for unlawful data access - independent of PDPA
Right to Information Act, No. 12 of 2016 | Public authorities | Public-sector transparency; interacts with personal data handling by state bodies
Banking / CBSL licensee rules | Licensed banks, finance companies, payment institutions | Sector-specific confidentiality and IT security expectations - confirm with your regulator
PCI DSS | Card payment processing | Contractual requirement from card networks; use certified gateways to reduce scope

GDPR essentials (if you have EU customers)

GDPR is already enforceable against Sri Lankan controllers targeting EU data subjects. Minimum steps: lawful basis documentation, privacy policy, data subject rights process, cookie consent for non-essential tracking, data processing agreements with processors, breach notification to the relevant EU supervisory authority within 72 hours of becoming aware of the breach where required, and cross-border transfer mechanisms (Standard Contractual Clauses) when storing EU data outside the EEA, since Sri Lanka has no EU adequacy decision.

Implementation Costs (Indicative)

Budget ranges for SMEs preparing for PDPA and GDPR overlap. Legal review costs vary by firm.

Item | SME | Mid-market
Privacy policy + processing register (with legal review) | LKR 75K–200K | LKR 200K–500K
Cookie consent / website compliance | LKR 25K–80K | LKR 100K–250K
Security assessment / pen test | LKR 150K–350K | LKR 400K–1M
Technical controls (encryption, access, logging) | LKR 200K–600K | LKR 800K–2.5M
Ongoing managed security / DPO support | LKR 25K–75K/month | LKR 100K–300K/month

Conclusion

Sri Lanka data protection law 2026 is defined by the PDPA - enacted but not fully operational. The Data Protection Authority exists; substantive controller obligations and penalties await Minister-appointed commencement date(s). Prepare now using the legal/practical split above, especially if you also serve EU customers under GDPR.

Hashtag Coders implements technical privacy controls - encryption, access management, secure development, breach response tooling - through our cybersecurity service. We work alongside your legal counsel; we do not provide legal opinions on statutory interpretation.

Frequently Asked Questions

Is the PDPA fully in force in Sri Lanka in 2026?

No. As of June 2026, Parts establishing the Data Protection Authority (Part V, from 17 July 2023) and related administrative Parts (VI, VIII, IX, X, from 1 December 2023) are in force. Substantive provisions - data subject rights, controller obligations, penalties - are pending a Gazette commencement date. Amendment Act No. 22 of 2025 removed previously fixed deadlines.

What is the maximum fine under the PDPA?

When Part VII commences, the Authority may impose administrative penalties up to LKR 10 million per instance of non-compliance with a directive, with potential doubling for repeat offences. These provisions are not yet enforceable until commenced by Gazette.

Do small businesses get an exemption under the PDPA?

The Act does not provide a general exemption based on employee count or revenue. Limited exemptions exist for personal/domestic household processing. Sector-specific rules may add obligations. Confirm your status with qualified counsel.

Do I need GDPR compliance if I am only in Sri Lanka?

Only if you offer goods or services to, or monitor, individuals in the European Economic Area - including EU tourists booking your hotel or Europeans buying from your online store. Purely domestic Sri Lankan operations without EU targeting are not subject to GDPR, but may still face PDPA and other local rules.

When will the remaining PDPA provisions take effect?

The Minister in charge must appoint date(s) by Order published in the Government Gazette. No such order for substantive Parts had been published as of June 2026. Monitor dpa.gov.lk and official Gazette publications.

What should I do before the PDPA fully commences?

Complete a data inventory, publish a privacy notice, secure vendor DPAs, implement technical controls (encryption, access, backups), train staff, and establish a breach response plan. Have a Sri Lankan lawyer review your processing map against the Act text.


Disclaimer: This article is based on information obtained from publicly available online sources and is provided for general informational purposes only. Although reasonable efforts have been made to ensure accuracy, some information may be incomplete, outdated, or incorrect. This article does not constitute legal advice and has not been presented as legally reviewed. Before relying on or publishing this information, please consult a qualified Sri Lankan data protection lawyer and verify the latest laws, regulations, and Gazette notices published by the Data Protection Authority of Sri Lanka.
