Sri Lanka: DPA publishes draft rules on personal data breach notifications

On October 1, 2024, the Data Protection Authority of Sri Lanka (DPA) announced that it had launched a public consultation on the draft rules on personal data breach notifications. The draft rules will be issued under Section 23, read with Section 52, of the Personal Data Protection Act No. 9 of 2022 (PDPA).

Notification to the DPA

The draft rules provide that a controller must notify the DPA of any personal data breach that has occurred or is reasonably likely to have occurred, in the form specified in Schedule I of the draft rules, unless the personal data breach is unlikely to result in a risk, or is likely to result in a low risk, to the rights and freedoms of data subjects. To the extent feasible, the controller must make this notification within 72 hours after either the controller (or the relevant processor or sub-processor) becomes aware that a personal data breach has occurred, or the controller has determined, or shall have reasonably determined, based on the information available to it (or the relevant processor or sub-processor) at the time, that a personal data breach is reasonably likely to have occurred. However, where it is not feasible to notify the DPA within 72 hours, the notification shall be accompanied by reasons for the delay.

Notification to individuals

Moreover, a controller must notify the data subjects where the controller is of the opinion that the data subjects are affected or likely to be affected by a personal data breach that is likely to result in a high risk to rights and freedoms, in such form as may be specified in Schedule II of the draft rules. The draft rules provide that a controller must notify data subjects at the same time as the DPA with respect to the same personal data breach.

Public comments may be submitted to [email protected] by completing the feedback form until October 31, 2024.

You can read the press release here, the draft rules here, and download the feedback form here.