Sri Lanka: Closed consultation on Draft Guidelines for Data Protection Management Program

On 15 October 2024, the Data Protection Authority of Sri Lanka closes its public consultation on the draft guidelines for the Data Protection Management Program (DPMP), as mandated under section 12 (2) of the Personal Data Protection Act No. 9 of 2022. The guidelines aim to guide controllers across various sectors in developing internal policy frameworks, also known as DPMPs, to comply with the Personal Data Protection Act's accountability requirements by its enforcement date of 18 March 2025. The guidelines outline and explain data controller obligations, including, for example, lawful, limited, and accurate processing. Further, the guidelines set out the components of a controller's DPMP, including maintaining records, appropriate design, conducting impact assessments, establishing complaint and breach management systems, and facilitating data subject rights. Finally, the guidelines set out and clarify key definitions from the Act.