Dimuth Bhashitha Atapattu appointed Director General of Data Protection Authority marks a key milestone in Sri Lanka’s efforts to strengthen its regulatory framework for personal data protection and digital governance.
Dimuth Bhashitha Atapattu appointed Director General of Data Protection Authority to lead privacy framework
The appointment, effective from 5 March 2026, places an experienced Sri Lanka Administrative Service (SLAS) officer at the helm of the Data Protection Authority (DPA), as the country moves to operationalise its data privacy regime under the Personal Data Protection Act No. 9 of 2022, as amended by Act No. 22 of 2025.
The designation of a permanent Director General is widely viewed as a significant institutional step towards enforcing Sri Lanka’s emerging data protection framework. With increasing digitisation across both public and private sectors, the need for a robust and credible regulatory authority has become more pronounced, particularly in ensuring compliance with data governance standards and safeguarding individual privacy rights.
Dimuth Bhashitha Atapattu appointed Director General of Data Protection Authority comes at a time when Sri Lanka is accelerating its digital transformation agenda. The DPA Board of Directors has expressed confidence in Atapattu’s leadership, citing his extensive experience across government institutions and the private sector as a strong foundation for guiding the Authority through its formative phase.
DPA Chairman Rajeeva Bandaranaike noted that the Board looks forward to working closely with Atapattu as he leads efforts to protect the privacy of individuals while also enabling responsible, data-driven innovation. This dual focus reflects the broader challenge faced by regulators globally—balancing the protection of personal data with the need to foster technological advancement and economic growth.
In his remarks following the appointment, Atapattu emphasised the importance of building an effective and independent regulator capable of upholding the rights of data subjects. He highlighted his commitment to establishing a secure and trusted digital ecosystem, which is critical for both public confidence and investor interest in Sri Lanka’s digital economy.
Dimuth Bhashitha Atapattu appointed Director General of Data Protection Authority also brings into focus his diverse professional background. Prior to this role, he served as Director in charge of Commercialisation and Partnerships at the Ministry of Digital Economy, where he was involved in initiatives aimed at advancing Sri Lanka’s digital infrastructure and innovation landscape.
In addition, Atapattu holds board positions at the Sri Lanka Computer Emergency Readiness Team (CERT) and the LK Domain Registry, organisations that play crucial roles in cybersecurity and internet governance. His previous experience spans several key government institutions, including the Ministry of Defence, the Department of Motor Traffic, and the Department of Manpower and Employment.
His exposure to the private sector further strengthens his profile, having worked at Virtusa in both Colombo and the United Kingdom, as well as at Queen’s University Belfast. This combination of public and private sector experience is expected to support a balanced and pragmatic approach to regulation, particularly in areas where technological innovation intersects with policy and compliance requirements.
Academically, Atapattu holds a Bachelor of Computer Science degree from the University of Colombo School of Computing, a Master of Information Systems from the University of Melbourne, and a Master of Public Administration from the Postgraduate Institute of Management at the University of Sri Jayewardenepura. This multidisciplinary background is aligned with the technical and administrative demands of leading a modern data protection authority.
Looking ahead, the role of the DPA will be central to implementing Sri Lanka’s Personal Data Protection Act, which is expected to be brought into operation in phases once the Authority is fully functional. The legislation aims to establish a comprehensive framework for data privacy, including provisions on data processing, consent, cross-border data transfers, and enforcement mechanisms.
Dimuth Bhashitha Atapattu appointed Director General of Data Protection Authority is therefore a critical step in advancing the country’s digital economy blueprint. By strengthening regulatory oversight and promoting responsible data governance, the DPA is expected to enhance digital trust, a key factor in attracting investment and enabling sustainable economic growth.
As Sri Lanka continues to expand its digital footprint, the effectiveness of institutions such as the Data Protection Authority will play a decisive role in shaping the country’s reputation as a secure and reliable digital hub. The leadership of Atapattu is expected to be instrumental in navigating this transition and ensuring that the benefits of digital transformation are realised while protecting the rights of individuals.