Navigating the New Era of Data Privacy: A Comprehensive Roadmap for Sri Lankan Banks
As Sri Lanka accelerates its digital economy, the financial sector finds itself at the intersection of innovation and intense regulation. This roadmap sets out the actions banks must take to stay compliant and protect consumer trust, categorized by technology and deadline. To safeguard that trust, banks must now align with a triple-layer framework:
Personal Data Protection Act (PDPA) No. 9 of 2022: Focuses on the rights of “Data Subjects” (customers) and the obligations of “Data Controllers” (banks). It mandates accountability and transparency in how personal data is processed.
Banking Act Directions No. 16 of 2021 (and 2023 Amendments): A rigorous framework for Technology Risk Management. It sets the “how-to” for technical resilience, including SOC operations and CISO roles.
Baseline Security Standard (BSS): Provides the technical minimums for securing information assets, specifically addressing malware and access control.
For banking leaders and IT professionals, compliance is no longer a “check-the-box” exercise; it is a fundamental requirement for operational resilience. Here is a detailed look at what your institution must do to stay protected and compliant.
Governance and Accountability: Building the Human Firewall
Effective data protection begins with leadership. The PDPA requires banks (as “controllers”) to appoint a Data Protection Officer (DPO) to oversee compliance and facilitate data subject rights.
Under the Banking Act Directions, governance is even more specialized:
The CISO Role: Banks must appoint a Chief Information Security Officer (CISO) as a senior management member. Domestic Systemically Important Banks (D-SIBs) must have a dedicated CISO by January 1, 2026. Other CISOs must meet qualification standards by December 31, 2024.
The Information Security Committee (ISC): Chaired by the CEO, this committee is responsible for both strategic and operational technology risks.
Board Responsibility: The Board must define a technology risk appetite and ensure an Internal Audit of the regulatory framework is conducted at least annually.
Critical Data Protection Techniques & Requirements
1. Malware, Ransomware, and Threat Detection
Protecting against “malicious code”, which the BSS defines as viruses, worms, and Trojans, is a mandatory baseline under both the BSS and the CBSL Directions.
24/7 Monitoring: Banks must have a Security Operations Center (SOC) to detect anomalies in real time. This is mandatory by December 31, 2024.
Air-Gapped Backups: To defeat ransomware, the 2023 amendments emphasize the need for immutable backups that cannot be encrypted by ransomware spreading through the network.
Data Loss Prevention (DLP): Implementation of an industry-standard DLP tool is mandatory for all licensed banks to minimize data leakage risks.
Endpoint Protection: The BSS mandates detection, prevention, and recovery controls against malware, supported by user awareness programs.
2. Data Encryption Techniques: The Non-Negotiable Standard
Encryption is the primary technical safeguard required by both the PDPA and the Banking Directions, though the two demand it to different extents:
Customer Data Protection: Banks must encrypt all non-public customer data.
PDPA Requirement: Mandates “appropriate technical measures” to ensure data integrity. Encryption is explicitly cited as a tool to mitigate risk.
CBSL Direction 16 (Section 5.4): Goes much deeper. It requires:
Data at Rest: All sensitive customer data in databases (like DB2 on IBM i) must be encrypted. Databases and files must use database or file-level encryption. The deadline for full compliance is December 31, 2025.
Data in Transit: All data moving across networks (internal or external) must use secure protocols (TLS 1.2+). Following the 2023 Amendments, the new compliance deadline is December 31, 2026.
Backup Encryption: Tapes or cloud backups containing customer data must be encrypted.
Encryption Methods: Banks should follow industry standards such as AES-256 (Advanced Encryption Standard). Proprietary or weak algorithms (like DES) are no longer acceptable.
Full Disk Encryption: Any removable media or endpoint devices (laptops, etc.) storing customer data must be encrypted. Removable media must be covered by December 31, 2023, and endpoint devices by December 31, 2026.
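The data-in-transit rule above is easy to state (“TLS 1.2+, no DES”) but easy to get wrong in a client library default. The following added example, which is not part of the original article or of any CBSL material, builds a Python client TLS context that meets that rule and audits an arbitrary context against it. The weak-cipher markers and the permissive “before” context are constructed for illustration; the audit only reports what the interpreter's OpenSSL build actually enables.

```python
import ssl

# Fragments of OpenSSL cipher-suite names that indicate algorithms the roadmap
# treats as unacceptable (DES/3DES) plus other legacy primitives a reviewer
# would flag. Constructed list; extend it to match your own policy.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP")


def compliant_client_context() -> ssl.SSLContext:
    """Build a client context that satisfies the 'TLS 1.2+' data-in-transit rule."""
    ctx = ssl.create_default_context()
    # Refuse anything below TLS 1.2; TLS 1.3 stays allowed.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict the TLS 1.2 cipher list to forward-secret AEAD suites and
    # explicitly exclude legacy algorithms. (TLS 1.3 suites are configured
    # separately by OpenSSL and are all modern AEAD suites.)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!DES:!3DES:!RC4")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """A deliberately permissive context, used here only as the 'before' case."""
    ctx = ssl.create_default_context()
    # MINIMUM_SUPPORTED lets OpenSSL negotiate down to TLS 1.0/1.1 where built in.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}, below TLS 1.2"
        )
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not enforced")
    # get_ciphers() lists the suites this context will actually offer.
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"legacy cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(compliant_client_context()) or "no findings")
    print("legacy:  ", audit_context(legacy_client_context()))
```

Run the audit against every `SSLContext` an application constructs (HTTP clients, database drivers, message-queue clients), not only the one in the reference implementation; the same check can be wired into a CI gate so that a regression to `MINIMUM_SUPPORTED` or to a cipher string containing `3DES` fails the build before it reaches production.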
3. Identity and Access Management
Controlling who sees what data is vital for preventing internal breaches.
User Access and Identity Management System: Banks must implement industry-standard systems to manage all users. The amended deadline for this is December 31, 2026.
Privilege Reviews: Per the 2023 Amendments, banks must conduct user access privilege reviews quarterly for critical information systems and bi-annually for non-critical systems exposed to customer data.
“Need-to-Have” Access: Privileged access must be restricted to a limited time and only when strictly necessary.
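The quarterly and bi-annual review cadence above is simple to state but is usually missed because nobody tracks when each system's last review happened. As an added example, not code from the article or from any bank, the Python below keeps a small inventory of systems and reports which access reviews are overdue against the stated cadence. Two assumptions are labelled in the code: “bi-annually” is read as every six months, and non-critical systems that hold no customer data are treated as outside the stated cadence. The inventory and the reference date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Review cadence as described for the 2023 Amendments.
# Assumption: "bi-annually" for non-critical systems means every six months.
REVIEW_INTERVAL_MONTHS = {"critical": 3, "non-critical": 6}


@dataclass(frozen=True)
class AccessReview:
    system: str
    criticality: str          # "critical" or "non-critical"
    holds_customer_data: bool
    last_reviewed: date


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day for shorter target months."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_of_next = date(year + (1 if month == 12 else 0), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def next_review_due(review: AccessReview) -> Optional[date]:
    """Date the next privilege review is due, or None if the system is out of scope."""
    if review.criticality not in REVIEW_INTERVAL_MONTHS:
        raise ValueError(f"unknown criticality {review.criticality!r} for {review.system}")
    # Assumption: the stated cadence covers critical systems and non-critical
    # systems exposed to customer data; other non-critical systems are out of scope here.
    if review.criticality == "non-critical" and not review.holds_customer_data:
        return None
    return add_months(review.last_reviewed, REVIEW_INTERVAL_MONTHS[review.criticality])


def overdue_reviews(reviews: List[AccessReview], today: date) -> List[Tuple[str, date]]:
    """Return (system, due date) pairs whose review date has already passed."""
    overdue = []
    for review in reviews:
        due = next_review_due(review)
        if due is not None and due < today:
            overdue.append((review.system, due))
    return sorted(overdue, key=lambda item: item[1])


# Constructed sample inventory; system names are placeholders.
SAMPLE_INVENTORY = [
    AccessReview("core-banking", "critical", True, date(2025, 1, 15)),
    AccessReview("swift-gateway", "critical", True, date(2025, 3, 1)),
    AccessReview("crm", "non-critical", True, date(2024, 11, 30)),
    AccessReview("hr-portal", "non-critical", False, date(2024, 6, 1)),
]
REFERENCE_DATE = date(2025, 5, 20)  # constructed "today" for the demonstration


if __name__ == "__main__":
    for system, due in overdue_reviews(SAMPLE_INVENTORY, REFERENCE_DATE):
        print(f"OVERDUE: {system} (review was due {due.isoformat()})")
```

In practice the inventory would be loaded from the bank's CMDB or IAM platform rather than a literal list, and the overdue report would feed the Information Security Committee pack so that the evidence trail the Internal Audit expects exists before the audit asks for it.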
4. Security Testing and Vulnerability Management
To combat evolving cyber threats, banks must simulate attacks on their own systems.
Vulnerability Assessments: These must be performed on production environments at least quarterly.
Pre-implementation Testing: Any modifications to critical systems must undergo security testing (SAST/DAST) before going live. The amended deadline is December 31, 2025.
Penetration Testing: Independent external experts must simulate real-world attacks. Testing on non-production systems was required by December 31, 2023, while testing on live production systems now has an extended deadline of December 31, 2028.
Red Team Exercises: These holistic “maximum-effort” attempts to breach human, physical, and technology layers must be conducted by December 31, 2026.
5. Operational Resilience: Disaster Recovery (DR)
A bank’s ability to recover data after a disaster or ransomware attack is critical.
RTO/RPO Targets: For critical systems, the Recovery Time Objective (RTO) must be less than 4 hours for D-SIBs and 6 hours for others. The Recovery Point Objective (RPO) must be zero or near-zero.
DR Testing: Under the new 2023 Amendments, banks must test their DR arrangements by operating critical systems using DR infrastructure for a continuous period of 5 days or more at least once a year.
International Standards: Banks must achieve certification in ISO/IEC 27001 (Information Security) and ISO/IEC 22301 (Business Continuity) by December 31, 2024.
Compliance Deadlines
Banking Act Directions No. 16: Full implementation was required by March 31, 2024 (per Direction No. 5 of 2023).
PDPA No. 9 of 2022: Enforcement of Parts I, II, III, and VII (Rights & Penalties) was originally set for March 2025 but is currently in a phased rollout by the Data Protection Authority (DPA).
Incident Reporting: Per BSD Circular 2 of 2025, major cyber incidents must be reported to CBSL within 2 hours of detection.
Summary of Key Compliance Deadlines
General Deadline (items without extensions): March 31, 2024
Security Operations Center (SOC): December 31, 2024
CISO Qualifications: December 31, 2024
Data-at-Rest Encryption: December 31, 2025
Pre-implementation Security Testing: December 31, 2025
Data-in-Transit Encryption: December 31, 2026
User Access & Identity Management: December 31, 2026
Red Team Exercises: December 31, 2026
Pen-Testing (Production Systems): December 31, 2028
The Cost of Failure
Under the PDPA, penalties can reach Rs. 10 million per violation, with the potential to double for repeat violations. Beyond the fine, the reputational damage of a data breach in Sri Lanka’s tight-knit financial market is immeasurable.
Conclusion
By meeting these deadlines and implementing these rigorous technical measures, Sri Lankan banks can ensure they remain resilient against cyber threats while fulfilling their legal obligations under the PDPA and Central Bank regulations.