DPA Secretariat to commence operations by next month, marking a key step in Sri Lanka’s data governance framework as authorities prepare institutions for compliance with evolving data protection regulations.
DPA Secretariat to commence operations by next month with focus on awareness
Sri Lanka’s long-anticipated Data Protection Authority (DPA) Secretariat is set to begin operations by next month, signaling a significant milestone in the country’s digital regulatory landscape. The move comes as part of broader efforts to operationalize the Personal Data Protection Act No. 9 of 2022, which aims to establish a comprehensive legal framework for safeguarding personal data across both public and private sectors.
According to Deputy Minister of Digital Economy Eranga Weeraratne, the DPA Secretariat is currently undergoing an intensive capacity-building phase to ensure operational readiness. A Director General has already been appointed, and nearly 50 staff members have been recruited, forming the core administrative and technical team that will oversee the authority’s initial rollout. These developments indicate that institutional groundwork is largely in place, enabling the Secretariat to transition from preparation to execution within the coming weeks.
The Secretariat’s launch is expected to begin with a strong emphasis on awareness and education rather than immediate enforcement. Authorities have made it clear that the first phase will prioritize guiding institutions on their data protection obligations, including the implementation of appropriate safeguards, governance frameworks, and internal compliance mechanisms. This approach reflects a strategic recognition that many organizations, particularly in the public sector, may not yet be fully equipped to meet the requirements of modern data protection standards.
From a policy design perspective, this phased implementation strategy aligns with global best practices observed in jurisdictions that have introduced similar legislation. By initially focusing on capacity-building and awareness, regulators can reduce compliance friction, minimize disruption to business operations, and foster a culture of voluntary adherence before transitioning to stricter enforcement measures.
The Personal Data Protection Act No. 9 of 2022 serves as the legal backbone for these efforts. It outlines a comprehensive set of principles governing the collection, processing, storage, and sharing of personal data. However, the timeline for its full enforcement has undergone a significant shift following the enactment of the Personal Data Protection (Amendment) Act of 2025. The amendment removed previously stipulated implementation deadlines and instead granted the minister discretionary authority to activate different provisions of the law through gazette notifications.
This regulatory flexibility introduces both opportunities and uncertainties. On one hand, it allows policymakers to align enforcement timelines with institutional readiness and economic conditions. On the other hand, it creates ambiguity for organizations attempting to plan long-term compliance strategies. Businesses, particularly those operating in data-intensive sectors such as finance, telecommunications, and e-commerce, will need to closely monitor regulatory signals to adapt their data governance frameworks accordingly.
The Secretariat’s launch also highlights the government’s broader digital economy agenda. Strengthening data protection is increasingly viewed as a prerequisite for attracting foreign investment, enabling cross-border data flows, and building trust in digital services. In an era where data breaches and cyber risks carry significant financial and reputational consequences, robust regulatory oversight can serve as both a risk mitigation tool and a competitive advantage.
In practical terms, institutions are likely to be advised on several key compliance pillars during the initial phase. These may include data minimization practices, user consent mechanisms, data breach notification protocols, and the establishment of internal data protection officers. For many organizations, especially small and medium-sized enterprises, this will require not only technical upgrades but also cultural and organizational shifts.
Importantly, while the eventual scope of the DPA will extend to both public and private entities, early implementation efforts are expected to focus more heavily on the public sector. This reflects the government’s intention to lead by example, ensuring that state institutions adhere to the same standards they will later enforce across the broader economy.
Looking ahead, the transition from education to enforcement will be a critical inflection point. The timing of this shift remains uncertain, as it will be determined by the DPA and communicated to the relevant ministry. However, the direction is clear: Sri Lanka is moving toward a more structured and enforceable data protection regime, with the DPA Secretariat playing a central role in shaping its trajectory.

