Introduction:
The Personal Data Protection Act (PDPA), No. 9 of 2022, is Sri Lanka's pioneering legislation dedicated to safeguarding personal data. Enacted on March 19, 2022, the PDPA establishes a comprehensive legal framework to regulate the processing of personal data, aligning with international standards such as the EU's General Data Protection Regulation (GDPR). In this article, let's look at how to achieve PDPA compliance by mapping the regulatory requirements to the capabilities of the IBM Guardium Data Protection solution.
PDPA Scope and Applicability:
The PDPA applies to:
- Processing of personal data wholly or partly within Sri Lanka.
- Entities outside Sri Lanka that offer goods or services to individuals in Sri Lanka or monitor their behavior within the country.
However, the Act does not apply to personal data processed purely for personal, domestic, or household purposes by an individual.
Key Provisions:
1. Rights of Data Subjects:
The PDPA grants individuals several rights concerning their personal data, including:
- Right to access personal data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to object to processing.
- Right to withdraw consent.
- Right to review automated decision-making.
2. Obligations for Controllers and Processors:
Organizations processing personal data are required to:
- Ensure lawful and transparent processing.
- Implement data protection management programs.
- Conduct data protection impact assessments in certain scenarios.
- Appoint Data Protection Officers (DPOs) under specific conditions.
- Notify the Data Protection Authority and affected individuals of data breaches.
3. Special Categories of Personal Data:
The Act provides additional protections for sensitive personal data, including information revealing racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data.
4. Regulatory Authority:
The PDPA establishes the Data Protection Authority of Sri Lanka, tasked with enforcing the Act, issuing guidelines, and handling complaints related to data protection.
5. Penalties for Non-Compliance:
The Data Protection Authority is empowered to impose penalties for non-compliance:
- For the first instance, a penalty not exceeding ten million rupees.
- For subsequent non-compliances, an additional penalty of twice the amount imposed for the previous non-compliance.
Factors considered when determining penalties include the nature and duration of the violation, the number of data subjects affected, and any actions taken to mitigate damages.
Mapping PDPA regulatory requirements to Database Activity Monitoring (DAM) capabilities:
1. Data Subject Rights (PDPA Part II)
Relevant PDPA Articles:
- Right to access, rectify, erase, restrict, object, and withdraw consent.
DAM Capabilities:
- Discovery & Classification: Provide comprehensive, real-time data discovery and classification across environments, including structured and unstructured data, on-premises systems, cloud platforms, and mainframes.
- Data Access Monitoring: Track who accessed which data and when to support access requests.
- Audit Trails: Maintain detailed logs for rectification and erasure requests.
- User Activity Monitoring: Log data subject-related actions for compliance evidence.
2. Lawful Processing & Purpose Limitation (PDPA Part III)
Relevant PDPA Articles:
- Data must be processed lawfully, fairly, and for a specified purpose.
DAM Capabilities:
- Policy-Based Alerts: Alert on unauthorized queries or abnormal access patterns.
- Rule Enforcement: Detect access or changes outside of authorized business processes.
- Data Tagging: Tag sensitive fields to ensure appropriate access.
3. Security Safeguards (PDPA Section 24)
Relevant PDPA Articles:
- Data controllers/processors must implement appropriate technical and organizational measures.
DAM Capabilities:
- Real-Time Monitoring: Detect insider threats and anomalous behavior.
- Database Vulnerability Assessment: Identify security misconfigurations.
- Masking and Redaction: Mask sensitive data dynamically without hampering application operations.
4. Breach Notification (PDPA Section 31)
Relevant PDPA Articles:
- Notify Data Protection Authority and affected subjects upon data breaches.
DAM Capabilities:
- Anomaly Detection: Identify suspicious database activities indicating breaches.
- Incident Forensics: Provide historical data access logs to trace root causes.
- Automated Reporting: Generate reports for breach impact assessments.
5. Data Protection by Design & Default (PDPA Section 21)
Relevant PDPA Articles:
- Ensure data protection principles are built into data processing systems.
DAM Capabilities:
- Role-Based Access Controls (RBAC): Enforce least privilege access.
- Monitoring of Privileged Users: Track actions by DBAs and system admins.
- Continuous Auditing: Validate database configurations against compliance policies.
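The policy-based alerting, dynamic masking and privileged-user monitoring described in sections 2, 3 and 5 above, as a working illustration. This is an added example, not Guardium code and not part of the original article: the table and column tags, the role names, the business-hours window, the bulk-extract threshold and the pipe-delimited audit-record format are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Data classification (assumed): tables and columns tagged as personal or special-category data.
SENSITIVE_COLUMNS = {
    "customers": {"nic_number", "email", "phone"},   # personal data
    "patients": {"diagnosis", "blood_group"},        # special category: health data
}
# Least-privilege policy (assumed): roles permitted to read each tagged table in clear.
AUTHORIZED_ROLES = {
    "customers": {"crm_app", "dpo"},
    "patients": {"ehr_app", "clinician"},
}
PRIVILEGED_ROLES = {"dba", "sysadmin"}   # always logged, never shown unmasked data
BUSINESS_HOURS = range(8, 19)            # 08:00 to 18:59
BULK_ROW_THRESHOLD = 1000                # rows returned by one statement


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    user: str
    role: str
    table: str
    columns: frozenset
    rows: int
    statement: str


def parse_line(line: str) -> AuditRecord:
    """Parse one pipe-delimited record: ts|user|role|table|columns|rows|statement."""
    ts, user, role, table, cols, rows, stmt = line.split("|", 6)
    return AuditRecord(datetime.fromisoformat(ts), user, role, table,
                       frozenset(cols.split(",")), int(rows), stmt)


def evaluate(rec: AuditRecord) -> List[str]:
    """Apply the policy rules to one record and return the alert codes raised."""
    touched = rec.columns & SENSITIVE_COLUMNS.get(rec.table, set())
    if not touched:
        return []                        # untagged data: nothing to enforce
    alerts = []
    allowed = AUTHORIZED_ROLES.get(rec.table, set())
    if rec.role not in allowed and rec.role not in PRIVILEGED_ROLES:
        alerts.append("UNAUTHORIZED_ROLE")   # access outside the authorized business process
    if rec.role in PRIVILEGED_ROLES:
        alerts.append("PRIVILEGED_ACCESS")   # DBA/admin touching personal data is always recorded
    if rec.ts.hour not in BUSINESS_HOURS:
        alerts.append("OFF_HOURS")
    if rec.rows >= BULK_ROW_THRESHOLD:
        alerts.append("BULK_EXTRACT")
    return alerts


def scan(log: str) -> Dict[str, List[str]]:
    """Run every log line through the policy; return {user: alerts} for flagged users only."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if line.strip():
            rec = parse_line(line)
            alerts = evaluate(rec)
            if alerts:
                findings[rec.user] = alerts
    return findings


def mask_row(role: str, table: str, row: dict) -> dict:
    """Dynamic masking: redact tagged columns for any role not authorized on the table."""
    if role in AUTHORIZED_ROLES.get(table, set()):
        return dict(row)
    tagged = SENSITIVE_COLUMNS.get(table, set())
    return {col: ("***" if col in tagged else val) for col, val in row.items()}


# Constructed sample audit records (not real traffic).
SAMPLE_LOG = """\
2025-03-03T10:14:00|crm_svc|crm_app|customers|email,phone|1|SELECT email, phone FROM customers WHERE id = 42
2025-03-03T02:14:00|dba01|dba|customers|nic_number,email|5000|SELECT nic_number, email FROM customers
2025-03-03T11:02:00|jsmith|marketing|patients|diagnosis|20|SELECT diagnosis FROM patients
2025-03-03T12:00:00|ehr_svc|ehr_app|patients|blood_group|1|SELECT blood_group FROM patients WHERE id = 7
"""

if __name__ == "__main__":
    for user, alerts in scan(SAMPLE_LOG).items():
        print(user, alerts)
    print(mask_row("dba", "customers", {"id": 42, "email": "a@example.lk", "phone": "0771234567"}))
```

Running the module flags two users: dba01 (privileged access, off-hours, bulk extract) and jsmith (role not authorized for patient data); the two application service accounts raise no alert. The masking function reuses the same classification for enforcement: a DBA querying the customers table gets the tagged columns redacted, while the authorized CRM role sees them in clear.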
6. Data Protection Impact Assessments (PDPA Section 25)
Relevant PDPA Articles:
- Required when processing poses high risks to rights and freedoms.
DAM Capabilities:
- Risk Profiling Reports: Identify high-risk tables and access patterns.
- Access Pattern Analysis: Determine data exposure risks based on usage.
- Support for Impact Analysis: Provide evidence for DPIA documentation.
7. Record Keeping & Accountability (PDPA Section 26)
Relevant PDPA Articles:
- Maintain records of processing and demonstrate compliance.
DAM Capabilities:
- Comprehensive Logging: Centralized logs of all database access and actions.
- Tamper-Evident Logs: Ensure integrity of compliance data.
- Report Generation: Automatic periodic compliance reports.
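Tamper-evident logging (section 7) as a working illustration, added here and not taken from the article or from Guardium: each audit entry commits to the hash of the previous one and is sealed with an HMAC under a key held outside the database, so editing, deleting or reordering an entry is detected on verification, and periodic reports are only built from a log that verifies. The event shape, the seal key and the sample events are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # previous-hash value for the first entry


class TamperEvidentLog:
    """Append-only audit log: each entry commits to the previous entry's hash (a hash chain),
    and each hash is sealed with an HMAC under a key the database administrators do not hold."""

    def __init__(self, seal_key: bytes):
        self._key = seal_key
        self.entries: List[dict] = []

    @staticmethod
    def _digest(seq: int, prev: str, event: dict) -> str:
        body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def _seal(self, digest: str) -> str:
        return hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(seq, prev, event)
        entry = {"seq": seq, "prev": prev, "event": dict(event), "hash": digest, "tag": self._seal(digest)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the index of the first entry that was modified,
        reordered, inserted or deleted, or None when the log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            digest = self._digest(i, prev, e["event"])
            if (e["seq"] != i or e["prev"] != prev or e["hash"] != digest
                    or not hmac.compare_digest(e["tag"], self._seal(digest))):
                return i
            prev = digest
        return None


def compliance_summary(log: TamperEvidentLog) -> Dict[str, Dict[str, int]]:
    """Periodic report input: count of actions per table, built only from a verified log."""
    if log.verify() is not None:
        raise ValueError("audit log failed integrity verification")
    summary: Dict[str, Dict[str, int]] = {}
    for e in log.entries:
        ev = e["event"]
        per_table = summary.setdefault(ev["table"], {})
        per_table[ev["action"]] = per_table.get(ev["action"], 0) + 1
    return summary


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"user": "crm_svc", "action": "SELECT", "table": "customers"},
    {"user": "dpo", "action": "UPDATE", "table": "customers"},     # rectification request
    {"user": "dpo", "action": "DELETE", "table": "customers"},     # erasure request
    {"user": "dba01", "action": "SELECT", "table": "patients"},
]


def build_sample_log(seal_key: bytes = b"constructed-seal-key") -> TamperEvidentLog:
    log = TamperEvidentLog(seal_key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)
    print(compliance_summary(log))
    log.entries[1]["event"]["user"] = "someone_else"   # simulate after-the-fact editing
    print("first tampered entry:", log.verify())
```

The HMAC is what makes the chain more than a checksum: an administrator who can rewrite the log table can also recompute SHA-256 hashes, but cannot re-seal an entry without the key. In a production deployment that key belongs to the monitoring appliance, not to the database host.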
Summary table:

| PDPA Act Provision | IBM Guardium Capabilities |
|---|---|
| 1. Data Principal Rights: right to access, correction, erasure | Tracks who accessed what data and when; provides audit trails to support subject rights; enables data flow tracking and masking for correction/erasure requests |
| 2. Consent & Lawful Processing: process personal data based on valid consent/legal use | Policy-based access controls; data classification and labelling; monitors for unauthorized access attempts |
| 3. Security Safeguards: implement reasonable technical and organizational measures | Real-time activity monitoring; vulnerability scanning; encryption validation; automated blocking of policy violations |
| 4. Data Breach Notification: notify Data Protection Board and affected users | Real-time alerting on suspicious activity; built-in incident response workflows; supports forensic investigation and impact analysis |
| 5. Data Protection by Design & Default: integrate safeguards at the design stage | Security policies enforced across data environments; role-based access controls (RBAC); least-privilege user monitoring |
| 6. Data Protection Impact Assessments (DPIAs): required for high-risk processing | Risk profiling and exposure analytics; sensitive data discovery and classification; audit logs and access pattern analysis |
| 7. Record-Keeping & Accountability: maintain processing records and demonstrate compliance | Centralized, tamper-proof audit logs; customizable compliance reports (DPDP, GDPR, etc.) |

PDPA's Stance on Encryption
While the PDPA does not mandate encryption by name, it states under Section 24 (Security Safeguards):
"A controller or processor shall implement appropriate technical and organisational measures to ensure the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage."
Encryption is one of the recognized "technical measures" under international standards (like GDPR), with which the PDPA closely aligns. It is not explicitly necessary to use third-party encryption tools to comply; however, encryption is strongly recommended as a technical safeguard under the law, and whether it is in-house or third-party depends on your organization's risk profile, resources, and capabilities.
Native Encryption vs. Third-Party Encryption
Here's a comparison of native encryption vs. third-party encryption from the perspective of data protection regulations like Sri Lanka's PDPA, India's DPDP, and general best practices in data security:

| Criteria | Native Encryption | Third-Party Encryption |
|---|---|---|
| Definition | Encryption tools built into databases, OS, or platforms | Independent tools or platforms for encryption and key management |
| Examples | SQL Server TDE, Oracle Advanced Security, AWS KMS, Windows BitLocker | Thales CipherTrust, IBM Guardium, Vormetric, Fortanix, HashiCorp Vault |
| Ease of Implementation | ✅ Easier to configure within native systems | ❌ Often requires integration effort across multiple systems |
| Cost | ✅ Usually no additional license cost | ❌ Can be expensive (licensing, deployment, training) |
| Performance Impact | ✅ Optimized for native environments | ⚠️ May introduce latency depending on implementation |

Key Management practices

| PDPA Requirement | How Key Management Helps Achieve Compliance |
|---|---|
| Section 24 – Security Safeguards | Strong encryption with secure key management prevents unauthorized access. Centralized control ensures resilience. |
| Section 26 – Record-Keeping and Accountability | Audit trails of key usage and changes support traceability and governance. Ensures evidence of due diligence. |
| Section 31 – Data Breach Notification | If encrypted data is breached but keys are protected, it reduces liability and may negate mandatory notification. |
| Section 21 – Data Protection by Design and by Default | Key management ensures encryption is embedded from the system design stage. Enables role-based access to encrypted data. |
| Section 25 – Data Protection Impact Assessments (DPIAs) | Demonstrates risk mitigation and technical safeguards for high-risk data processing. A centralized KMS helps show maturity. |
| Purpose Limitation & Data Minimization (Part III) | Key-based access controls support access limitation. Encryption policies can be scoped per use-case or data category. |

Key Management Lifecycle & PDPA Alignment

| Lifecycle Stage | PDPA/DPDP Alignment | Guardium Support |
|---|---|---|
| Key Generation | Security Safeguards | Strong, policy-driven, compliant |
| Key Storage | Data Protection, Access Control | Centralized, encrypted, access-restricted |
| Key Distribution | Secure Transmission | Identity & role-based controls |
| Key Rotation | Risk Mitigation | Automated and policy-based |
| Key Revocation | Breach Containment | On-demand revocation & expiry policies |
| Key Auditing | Accountability, Reporting | Tamper-proof logs and compliance-ready reports |

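The lifecycle stages in the table above carried through in code, as an added example that is neither Guardium code nor part of the original article. It goes a little beyond the table in showing how rotation keeps earlier ciphertexts readable while revocation makes every version unusable, and how refused operations land in the same audit trail as permitted ones. Two stand-ins are assumptions forced by the standard library: the KEK held in memory plays the role of an HSM-held master key, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag plays the role of AES-GCM. Key ids, principals and the rotation interval are constructed.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

def _prf(key: bytes, label: bytes) -> bytes:  # HMAC-SHA256 as the PRF for derivation, wrapping, keystream and tag
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode stream cipher over the PRF: a stand-in for AES, which the standard library lacks.
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = _prf(key, nonce + block.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

@dataclass
class KeyVersion:
    version: int
    wrapped: bytes  # material XOR a KEK-derived pad; never stored in clear
    state: str      # active -> deprecated (decrypt only, after rotation) -> revoked (unusable)

class KeyManager:
    def __init__(self, kek: bytes, rotation_interval: int):
        self._kek = kek                              # stands in for an HSM-held master key
        self.rotation_interval = rotation_interval   # same unit as the 'now' values passed in (days here)
        self._keys: Dict[str, List[KeyVersion]] = {}
        self._rotated_at: Dict[str, int] = {}
        self._acl: Dict[str, set] = {}
        self.audit: List[dict] = []                  # every use, change and refusal is recorded

    def _log(self, op: str, key_id: str, principal: str, version: Optional[int] = None) -> None:
        self.audit.append({"op": op, "key_id": key_id, "principal": principal, "version": version})

    def _check(self, key_id: str, principal: str) -> None:
        # Identity-based control: only principals on the key's ACL may use or administer it.
        if principal not in self._acl.get(key_id, set()):
            self._log("denied", key_id, principal)
            raise PermissionError(f"{principal} is not authorized for key {key_id}")

    def _wrap(self, key_id: str, version: int, material: bytes) -> bytes:
        # XOR with a pad derived from the KEK and a per-version label (never reused); XOR again unwraps.
        pad = _prf(self._kek, f"wrap:{key_id}:{version}".encode())
        return bytes(a ^ b for a, b in zip(material, pad))

    def _new_version(self, key_id: str, principal: str, now: int) -> int:
        versions = self._keys.setdefault(key_id, [])
        for v in versions:
            if v.state == "active":
                v.state = "deprecated"   # old ciphertexts stay readable; new data uses the new version
        version = len(versions) + 1
        versions.append(KeyVersion(version, self._wrap(key_id, version, secrets.token_bytes(32)), "active"))
        self._rotated_at[key_id] = now
        self._log("generate" if version == 1 else "rotate", key_id, principal, version)
        return version

    def generate(self, key_id: str, principal: str, authorized: set, now: int) -> int:
        self._acl[key_id] = set(authorized) | {principal}
        return self._new_version(key_id, principal, now)

    def rotate_if_due(self, key_id: str, principal: str, now: int) -> bool:
        # Policy-driven rotation: a new version is created only once the interval has elapsed.
        self._check(key_id, principal)
        if now - self._rotated_at[key_id] < self.rotation_interval:
            return False
        self._new_version(key_id, principal, now)
        return True

    def revoke(self, key_id: str, principal: str) -> None:
        # Breach containment: every version becomes unusable, including for decryption.
        self._check(key_id, principal)
        for v in self._keys[key_id]:
            v.state = "revoked"
        self._log("revoke", key_id, principal)

    def encrypt(self, key_id: str, principal: str, plaintext: bytes) -> bytes:
        self._check(key_id, principal)
        kv = self._keys[key_id][-1]
        if kv.state != "active":
            raise PermissionError("no active key version")
        material = self._wrap(key_id, kv.version, kv.wrapped)               # unwrap
        header = kv.version.to_bytes(2, "big") + secrets.token_bytes(16)     # version || nonce
        ct = _xor_keystream(_prf(material, b"enc"), header[2:], plaintext)
        tag = _prf(_prf(material, b"mac"), header + ct)                     # encrypt-then-MAC
        self._log("encrypt", key_id, principal, kv.version)
        return header + ct + tag

    def decrypt(self, key_id: str, principal: str, blob: bytes) -> bytes:
        self._check(key_id, principal)
        version = int.from_bytes(blob[:2], "big")
        kv = self._keys[key_id][version - 1]
        if kv.state == "revoked":
            self._log("denied", key_id, principal, version)
            raise PermissionError(f"key version {version} is revoked")
        material = self._wrap(key_id, version, kv.wrapped)
        header, ct, tag = blob[:18], blob[18:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(_prf(material, b"mac"), header + ct)):
            raise ValueError("ciphertext failed integrity check")   # tampering or wrong key
        self._log("decrypt", key_id, principal, version)
        return _xor_keystream(_prf(material, b"enc"), header[2:], ct)
```

The version number travels in the ciphertext header, which is what lets rotation be non-disruptive: data written under version 1 is still decrypted with version 1 after version 2 becomes the active key, and only revocation closes that path. The audit list is the evidence a Section 26 review would ask for, including the denied attempts.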
Conclusion:
IBM Guardium is a powerful enabler for PDPA compliance in Sri Lanka, especially for regulated sectors (like banking, telecom, and healthcare). It enhances visibility, enforces policies, mitigates risks, and provides the audit evidence required to demonstrate accountability under the law. IBM Guardium helps organizations in (1) upholding data subject rights, (2) lawful and purpose-limited processing, (3) implementing security safeguards, (4) breach notification and incident handling, and (5) support for regulatory reporting and governance.
------------------------------
Betala Shanbhag | Security Technical Specialist – IBM Data & AI
------------------------------