Navigating the New PDPA

Disclaimer: The views expressed here are based on my own knowledge as an HR professional. I am not a legal officer, and this is not legal counsel.


As someone who works in HR, I’ve always believed that trust and transparency are key to building a thriving workplace. The Personal Data Protection Act (PDPA) of Sri Lanka is poised to redefine how organizations manage and safeguard sensitive employee information. Since I'm still sorting through all the specifics of this legal framework, I'd like to share my initial impressions from an HR standpoint—and I promise I'll keep you posted with more observations as I progress.

What the PDPA means for HR

In essence, the PDPA mandates that personal data be processed fairly, accurately, and securely. For HR practitioners, this is not yet another compliance box to be checked; it's a reminder to go back and review all areas of our practice—from recruitment and onboarding to performance management and exit procedures. Here are some highlights that really stood out to me:

  • Enhanced Data Governance: HR activities must now incorporate robust data protection measures. This means not only protecting sensitive employee data from exposure but also handling it in a privacy-conscious and compliant way, in line with strict legal requirements.
  • Employee Transparency and Privacy: The PDPA empowers employees by giving them greater control over their own personal information. HR departments will be required to write open policies on collecting, storing, and processing information, thus building a stronger level of trust across the company.
  • Data Protection Officers: For organizations with significant data processing, a dedicated Data Protection Officer could become an imminent necessity. HR will undoubtedly be involved in liaising with these officers to ensure that internal procedures remain compliant.
  • Continuous Training and Awareness: As we shift to these new regulations, it's crucial that all of us—from HR staff to all employees—understand the basics of data protection. Continuous training and transparency can minimize risks and foster a culture of responsibility.

Embracing the Change: Challenges and Opportunities

Adopting the PDPA might seem like a complex shift, especially for organizations that have long relied on traditional HR practices. But to me, this is an opportunity for us to rework and even improve our internal processes. Here is what I am weighing:

  • Reviewing and Revising Policies: It is the right time to reassess our current HR policies. This entails redefining data retention times, enhancing consent processes, and setting more specific procedures for processing employee requests relating to their data.
  • Collaborating Across Departments: Compliance isn’t solely an HR challenge—it’s a company-wide effort. I’m excited about the prospect of working closely with IT, legal, operations, and compliance teams on data protection strategies.
  • Building a Culture of Trust: People feel good about where they work when they think that their own information is treated well. It puts the whole workplace on the right level. This is not just about avoiding lawsuits; it's about building our employer brand and creating a space where people feel safe.

A Note for the Future

I'm also still on my PDPA learning curve, and I plan to share more detailed articles as I gain deeper insights into the PDPA and its broader implications for HR and beyond. Your feedback, questions, and insights are valuable to me as we all navigate our way through this shifting landscape.

Please feel free to connect and comment—let's learn and grow together in this new data protection era!

- Suhail Mohamud -

Farha Hilmy

Undergraduate in Bio Medical Science and Online Maths Tutor

1 month

Interesting
