Businesses urged to brace for landmark data privacy law from September

Sri Lankan businesses are urged to prepare for a significant shift in data privacy regulations, as the Personal Data Protection Act is set to come into effect come September.

“This means that any business utilising customer data is obligated to inform the customers about this data usage. The upcoming legislation mandates obtaining customer consent before using their data,” said AI Advisory Committee Member Sanjini Munaweera, while addressing the SME Forum organised by the Ceylon Chamber of Commerce in Colombo yesterday. 

Munaweera cautioned against common practices such as collecting contact information from the dropped business cards for unsolicited promotions, stressing that the businesses “have a responsibility to manage personal data and privacy ethically”. 

She emphasised that transparency is crucial, especially when deploying AI tools such as chatbots.

“The customers need to be informed if they are interacting with a chatbot and how their data will be used, obtaining their consent for specific uses. Clear pathways to human agents should always be available,” she added, noting these obligations apply to businesses of all sizes.

Addressing the intersection of data privacy and artificial intelligence, Munaweera pointed to the recent incidents such as a notable deepfake involving cricketer Kumar Sangakkara, as examples of AI’s potential misuse. 

“We are all potentially vulnerable. This represents a concerning aspect or the ‘dark side’ of AI,” she said. 

The AI advisory team is actively “developing policies and working to implement laws that promote responsible AI development and deployment”, focusing on adoption and education.

Meanwhile, AI Advisory Committee Chairman Dr. Romesh Ranawana echoed the call for proactive preparation.

“The Personal Data Protection Act requires obtaining consent before collecting personal data. The customers must be informed about the specific data being collected and the purposes for which it will be used,” he explained. 

He stressed that the “collected data must be used only for lawful and specified purposes”.

Dr. Ranawana also highlighted the importance of data accuracy and value. 

“To effectively leverage customer data, you must demonstrate its value to the customer. Furthermore, ensuring the accuracy of this data is your responsibility,” he asserted, adding that this is an often-overlooked accountability for companies.

The immediate first step for businesses, according to Dr. Ranawana, is clear, which is to read the Personal Data Protection Act and understand it. 

He also noted that a data protection authority is being established and would become active soon.

For CEOs and leadership, Dr. Ranawana emphasised a deep understanding of the regulations and the necessity of regular staff workshops. He issued a stark warning regarding third-party data handling.

“It’s important to note that data breaches often originate from third-party vendors with whom data is shared. Ensuring vendor compliance is essential because your company will be held liable for any data breaches that occur. This highlights the significant importance of vendor due diligence,” he added. (NF)