
Business Times

Safeguarding the Digital Future

Feature

In an era where data is the new oil, the balance between innovation and regulation has become critical. Sri Lanka’s Personal Data Protection Act (PDPA), enacted in 2022 and amended in 2025 (Act No. 22 of 2025), marks a pivotal step in protecting individuals’ privacy while enabling responsible digital transformation. As organisations increasingly rely on artificial intelligence (AI) and big data analytics, data governance emerges as a central pillar of trust and compliance. However, the rise of shadow AI — unauthorised or unsupervised AI tools used within organisations — introduces new governance and compliance challenges. Connecting these three elements—data protection, governance, and shadow AI—is essential to ensure that Sri Lanka’s data-driven growth remains secure, ethical, and compliant.

Personal Data Protection Act of Sri Lanka (PDPA)  

Mr. Dimuthu Suranjana

The Personal Data Protection Act, No. 9 of 2022, and its Amendment Act No. 22 of 2025, establish Sri Lanka’s first comprehensive data protection framework. It aligns closely with global standards like the EU General Data Protection Regulation (GDPR) and emphasises three core objectives:

1. Safeguarding individuals’ privacy rights by regulating the collection, processing, and storage of personal data.

2. Accountability of data controllers and processors through clear obligations for lawful, fair, and transparent data handling.

3. Institutional oversight via the establishment of a Data Protection Authority (DPA) empowered to enforce compliance and handle appeals.

The 2025 amendment strengthens procedural rights for data subjects and clarifies obligations related to cross-border data flows, impact assessments, and data protection officers. For example, Section 26 now mandates that controllers engaging in cross-border data flows must ensure compliance and adopt binding instruments to safeguard data rights. This legal foundation ensures that digital systems, whether AI-driven or traditional, operate within a framework of lawful processing, transparency, and individual empowerment.

Data Governance: The Bridge between Compliance and Trust  

While laws like the PDPA provide the regulatory foundation, data governance operationalises compliance. It involves creating structures, policies, and processes to ensure that data is accurate, secure, and ethically used throughout its lifecycle. Effective data governance frameworks focus on data ownership and accountability, data quality, access control, and ethical use of AI.

Under the PDPA, governance mechanisms such as Data Protection Impact Assessments (DPIAs) and Data Protection Management Programmes (DPMPs) are critical tools for compliance. The 2025 amendment empowers the Authority to issue sectoral guidelines, reinforcing the bridge between law and technology.

Shadow AI: The Emerging Challenge  

Shadow AI refers to the use of AI tools or models within an organisation without official approval, oversight, or integration into governance systems. Examples include employees using unverified AI chatbots for data analysis or departments deploying machine learning models without IT or compliance review.

While shadow AI can boost productivity, it introduces significant risks such as data privacy violations, non-compliance with PDPA obligations, and data leakage. For instance, if an employee uses a foreign AI tool that stores Sri Lankan customer data abroad without safeguards, it could breach Section 26 of the 2025 Amendment, which requires enforceable commitments for cross-border data protection.

Integrating the Three: A Unified Approach  

To protect citizens’ rights while making digital innovation possible, organisations in Sri Lanka should adopt a triangular approach that connects PDPA compliance with data governance and AI risk management.

a. Embedding PDPA principles in AI systems: Implement privacy-by-design and data minimisation in all AI models.

b. Strengthening data governance frameworks: Include policies for AI tool usage and monitor for shadow AI instances.

c. Continuous compliance and audits: Conduct periodic data audits and awareness programs to ensure compliance.

d. AI transparency protocols: Document how data is collected, processed, and shared to ensure accountability.

Sri Lanka’s journey toward a digitally empowered economy depends on how effectively it manages the intersection of data protection, governance, and artificial intelligence. The PDPA provides the legal backbone, data governance offers operational discipline, and confronting shadow AI ensures integrity in automation. Together, these elements form the foundation of a responsible data ecosystem—one that fosters trust, innovation, and compliance in equal measure.

(The writer is a Senior Chartered Accountant with over 20 years of professional experience, primarily in the banking sector, and holds professional qualifications in Artificial Intelligence.)
