Securing Personal Data: Navigating Sri Lanka's PDPA and ISO 27701 for Data Controllers

The Sri Lanka Personal Data Protection Act (PDPA) imposes a set of obligations that organizations processing personal data must meet. The main obligations placed on data controllers include:

  1. Data controller registration: Data controllers are required to register with the Data Protection Authority (DPA) and maintain accurate and up-to-date records of personal data processed by them.
  2. Notification of data breaches: Data controllers are required to notify the DPA and affected individuals in the event of a data breach.
  3. Obtaining consent: Where consent is the lawful basis relied on, data controllers must obtain the individual's consent before collecting, using, or disclosing their personal data, and must allow the individual to withdraw that consent at any time.
  4. Data protection impact assessments: Data controllers are required to conduct a data protection impact assessment before processing that is likely to result in a high risk to individuals, in order to identify and mitigate the risks of that processing.
  5. Data minimization: Data controllers are required to limit personal data collection, use, and disclosure to what is necessary for the specific purpose for which it is being processed.
  6. Data accuracy: Data controllers are required to take reasonable steps to ensure that personal data processed by them is accurate, up-to-date, and complete.
  7. Data retention: Data controllers are required to retain personal data for no longer than is necessary for the specific purpose for which it is being processed.
  8. Data protection officer (DPO): Data controllers are required, in the circumstances the Act prescribes, to appoint a DPO to oversee compliance with the Act.

ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, so certification against it is granted as an extension of an ISO/IEC 27001 certification rather than on its own. Organizations can implement and obtain certification against ISO 27701 by:

  1. Developing a privacy information management system (PIMS), built on the organization's existing ISO 27001 information security management system, that implements the controls specified in the standard.
  2. Conducting a gap analysis to identify any existing controls that are not in compliance with the standard, and then developing an action plan to address the gaps.
  3. Providing regular training to employees on the standard and the controls specified in it.
  4. Conducting regular internal audits to ensure compliance with the standard.
  5. Obtaining certification from a third-party auditor to demonstrate compliance with the standard.

In summary, the Sri Lanka Personal Data Protection Act (PDPA) and ISO 27701 together define the controls an organization must implement to protect the personal data of individuals. The PDPA covers data controller registration, notification of data breaches, obtaining consent, data protection impact assessments, data minimization, data accuracy, data retention, and appointing a data protection officer (DPO). ISO 27701 compliance is managed and certified by developing a privacy information management system (PIMS), conducting a gap analysis, providing regular training, conducting regular internal audits, and obtaining certification from a third-party auditor.

It's important to note that a data controller is defined as a person or organization who, alone or jointly with others, determines the purposes and means of the processing of personal data. In other words, a data controller decides what personal data will be collected and how it will be used and shared, and is responsible for ensuring that the personal data is protected. As data controllers, organizations are responsible for complying with the requirements set out in the PDPA and ISO 27701 to ensure the protection of personal data.

In addition to the obligations that organizations must meet to protect personal data, the Sri Lanka Personal Data Protection Act (PDPA) also includes provisions for data subject rights. These rights include:

  1. The right to be informed: Data subjects have the right to be informed about the collection, use, and disclosure of their personal data.
  2. The right of access: Data subjects have the right to access their personal data and to be provided with a copy of it.
  3. The right to rectification: Data subjects have the right to have inaccurate personal data corrected.
  4. The right to erasure: Data subjects have the right to have their personal data erased in certain circumstances.
  5. The right to restrict processing: Data subjects have the right to request that the processing of their personal data be restricted in certain circumstances, for example while a rectification request is being verified.
  6. The right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
  7. The right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
  8. The right not to be subject to automated decision-making: Data subjects have the right not to be subject to automated decision-making, including profiling, that produces legal effects concerning them or similarly significantly affects them.

Organizations, as data controllers, have a responsibility to respect and protect the rights of data subjects. Organizations should have a clear process in place for receiving, verifying, and responding to data subject rights requests within the statutory time limit, including a step to confirm the identity of the requester before disclosing or erasing any personal data, and should provide training to employees on how to handle these requests.

In addition to upholding these data subject rights, organizations should implement the controls specified in ISO 27701 to protect personal data and to demonstrate compliance with data protection regulations. By implementing and following the controls specified in the PDPA and ISO 27701, organizations can protect personal data and meet their regulatory obligations while respecting the rights of data subjects.

Sri Lanka PDPA: https://www.parliament.lk/uploads/acts/gbills/english/6242.pdf

#dataprotection #dataprivacy #PDPA #ISO27701 #datacontrollers #datasubjectrights #compliance #SriLanka #personaldata #informationsecurity #cybersecurity #privacybydesign #riskmanagement #privacyincidentmanagement #privacycompliance

More articles by Mahesh Atapattu