The appointment of Dimuth Atapattu as Director General (DG) of Sri Lanka’s Data Protection Authority marks a significant step in strengthening the country’s regulatory framework for personal data protection and digital governance. The appointment took effect on March 5, according to an official statement.
The designation of Dimuth Bhashitha Atapattu as Director General of the Data Protection Authority (DPA) comes at a critical juncture as Sri Lanka continues to implement and enforce its data protection regime under the Personal Data Protection Act No. 9 of 2022, as amended by Act No. 22 of 2025. The move is expected to reinforce institutional capacity and ensure stronger oversight of data privacy practices across both public and private sectors.
DPA Chairman Rajeeva Bandaranaike welcomed the appointment, expressing confidence in Atapattu’s leadership. He noted that the Board looks forward to working closely with the new Director General in advancing the Authority’s mandate to safeguard individual privacy rights while enabling responsible data-driven innovation. This balance is increasingly vital as Sri Lanka accelerates its digital transformation agenda.
The appointment of a permanent Director General is seen as a key milestone in operationalising the Authority more effectively. With growing reliance on digital platforms, data protection has become central to maintaining trust in the digital economy. Strengthening regulatory enforcement mechanisms is therefore critical to ensuring compliance with legal standards and protecting citizens from data misuse.
Atapattu brings a diverse professional background spanning both public administration and private sector engagement. A senior officer of the Sri Lanka Administrative Service (SLAS), he has held multiple leadership roles across government institutions, contributing to policy implementation and institutional development. His experience is expected to support the DPA’s strategic direction as it evolves into a fully functional, independent regulator.
In his statement following the appointment, Atapattu emphasised his commitment to building an effective and independent regulatory body. He underscored the importance of upholding the rights of data subjects while fostering a secure and trusted digital ecosystem. His vision aligns with broader national priorities aimed at strengthening governance frameworks and promoting investor confidence in Sri Lanka’s digital infrastructure.
Prior to assuming his new role, Atapattu served as Director in charge of Commercialisation and Partnerships at the Ministry of Digital Economy. In this capacity, he was involved in initiatives aimed at enhancing collaboration between the public sector and private enterprises, particularly in the technology and innovation space. His exposure to digital policy and stakeholder engagement is likely to be instrumental in his new position.
In addition to his ministerial role, Atapattu currently serves as a Board Director of the Sri Lanka Computer Emergency Readiness Team (CERT) and the LK Domain Registry. These roles have provided him with insights into cybersecurity, domain management, and incident response mechanisms—areas that are closely linked to data protection and digital resilience.
His previous career experience also includes positions at the Ministry of Defence, the Department of Motor Traffic, and the Department of Manpower and Employment. These roles have equipped him with a comprehensive understanding of public sector operations and regulatory environments, which are essential for navigating the complexities of data governance.
Beyond the public sector, Atapattu has gained international exposure through his work with Virtusa in Colombo and the United Kingdom, as well as his association with Queen’s University Belfast. This blend of local and international experience is expected to contribute to a more globally aligned approach to data protection practices in Sri Lanka.
Academically, Atapattu holds a Bachelor of Computer Science degree from the University of Colombo School of Computing, a Master of Information Systems from the University of Melbourne, and a Master of Public Administration from the Postgraduate Institute of Management at the University of Sri Jayewardenepura. His multidisciplinary academic background combines technical expertise with administrative acumen, positioning him well to address the multifaceted challenges of data protection.
The appointment of Dimuth Atapattu as DG of Sri Lanka’s Data Protection Authority underscores the Government’s commitment to strengthening institutional frameworks in line with international standards. As data continues to play a central role in economic activity, the effectiveness of regulatory bodies such as the DPA will be critical in ensuring sustainable and secure digital growth.
Looking ahead, the DPA is expected to focus on enhancing compliance mechanisms, raising public awareness on data rights, and fostering collaboration with industry stakeholders. The Authority’s role in shaping a robust data protection ecosystem will be essential in supporting Sri Lanka’s ambitions to build a competitive and resilient digital economy.

