The GDPR guide for Sri Lankan companies: Lessons from ShoutOUT Connect


When it was passed, this piece of legislation sent shockwaves across the IT industry. 20 million Euros or 4% of global revenue, whichever is higher. The penalties are terrifying. It’ll hurt a large company and destroy a small one. So how can Sri Lankan companies deal with GDPR? That’s what we went to learn at ShoutOUT Connect.

The basics of GDPR

“In Sri Lanka, we don’t have adequate data protection laws,” said Samantha de Soysa – Attorney-at-Law/Barrister at Lincoln’s Inn. These were among her opening words at ShoutOUT Connect. And because we don’t have data protection laws, it’s important to learn from what other countries are doing. In recent times, the most important lesson has become GDPR.

Samantha de Soysa - Attorney-at-Law/Barrister at Lincoln's Inn speaking on GDPR
Samantha de Soysa – Attorney-at-Law/Barrister at Lincoln’s Inn speaking on GDPR

In case you’re lost, The General Data Protection Regulation (GDPR) is a regulation in EU law regarding data protection and privacy for individuals in the EU & EEA.  It came into effect in May earlier this year. It was passed with the aim of giving individuals control of their data along with simplifying and unifying regulations across the EU.

GDPR was a heated issue when it came to effect because of its steep fines. Violators could face a fine of 20 million Euros or 4% of their annual global revenue, whichever is highest. It’s been said that such fines were aimed at companies like Google and Facebook, which have been collecting vast amounts of personal data.  Interestingly, Google is now being accused by 7 countries of violating GDPR.

GDPR | Sri Lanka
Along with a congressional hearing, Sundar Pichai also has to deal with Google being accused of violating GDPR in 7 countries (Image credits: CNBC)

Samantha added that your personal data is more valuable than you might think. As per the Universal Declaration of Human Rights, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.” As such, your right to privacy should be protected by law. This is why Samantha stated that data protection shouldn’t be taken for granted by any Sri Lankan.

So what exactly is data protection?

At ShoutOUT Connect, Samantha defined it as, “A set of privacy laws, policies, and procedures that aim to minimize the intrusion into one’s privacy caused by the collection, dissemination, and storage of personal data.” Internationally, GDPR is one of the strongest data protection policies. Other countries like the UK, Hong Kong, Australia, and the Philippines have passed similarly comprehensive data protection legislation.

Unfortunately, this is not the case in Sri Lanka. The only solaces a Sri Lankan has are the Computer Crimes Act and the Right to Information Act. Yet, these laws don’t do enough to protect your data. While a hacker would get arrested for stealing your data, this isn’t the case with public officials.

GDPR | Sri Lankan startups
A police officer can freely access your data without you knowing. In countries with strong data protection laws, you’d know when they did and if unauthorized can be a violation of privacy (Image credits: Sri Lanka Guardian)

If a Sri Lankan police officer wanted to access your tax records, they could do so freely. Yet in countries, which have strong data protection laws, this isn’t the case. Estonia is a prime example where citizens can view who accessed their records. If an Estonian citizen identifies someone having accessed their records without authorization, they can report it as an invasion of Personal Privacy & Data Security.

But in Sri Lanka, we can do nothing. That’s what data protection and the lack of it means for you. With strong protection legislation like GDPR, your right to data protection becomes enshrined in law. As such, you have the power to take action against absolutely anyone (including the state) for misusing your data. Samantha argued that this is the global trend and one we must also accept.

How GDPR classifies companies

Currently, there are two main types of companies defined by GDPR. The first of these are data controllers. A data controller determines why personal data is collected and how exactly it will be collected. Employees within the company processing personal data, fulfill the tasks of the company as a data controller. Additionally, they should also appoint a data protection officer.

The second of these are data processors. These companies process data on behalf of data controllers. As such, they’re usually an external third party. However, in the case of groups of undertakings, one undertaking may act as the processor for another undertaking. Additionally, it’s imperative that such companies have a data protection agreement with controllers.

GDPR requires there be clear agreements between data controllers and processors. These agreements must clearly list out the responsibilities of the two parties. But there are instances where companies can also be classified as a joint controller. This is where two organizations jointly determine the reasons for collecting personal data and how it’ll be collected.

The responsibilities of GDPR

Samantha shared at ShoutOUT Connect that the regulations come into effect whenever a Sri Lankan company or entity of any nature does any commerce in the EU. This includes instances where the person whose data is being collected, doesn’t need to pay for the goods and services. Another instance GDPR comes into effect is when the monitoring of the behaviors of EU citizens inside the EU.

Asanka Nissanka - CTO of ShoutOUT speaking at ShoutOUT Connect on GDPR
Asanka Nissanka – CTO of ShoutOUT

Once GDPR becomes applicable, there are six key principles that apply to the data. They are as follows:

  • The data must be processed in a lawful, fair, and transparent manner
  • The data must be collected for specific, explicit, and legitimate purposes
  • The data must be adequate and limited to what is necessary
  • The data must be accurate and kept up to date
  • The data can only be kept for a specific period of time barring a few exceptions
  • The data must be processed in a manner that offers adequate security

Whatever decisions a Sri Lankan company takes with regards to personal data must adhere to these principles. Asanka Nissanka – CTO of ShoutOUT added that the most important thing is consent. “Information like an IP address can be related to a person. So even if you use cookies, you need to get consent,” he explained.

OneTrust is a tool that Asanka recommended for Sri Lankan companies to know what cookies a website is using. He added that ShoutOUT used this tool and was surprised to find how many cookies their website used. But it must be possible for that consent to be withdrawn as easily as it is given.

Under GDPR it should be easy to give and withdraw consent (Image credits: Maketoonist)
Under GDPR it should be easy to give and withdraw consent (Image credits: Maketoonist)

Additionally, for children under 13, parental consent is necessary. But once consent is given, companies must ensure the data they collect is adequate and limited. How does one define this? Asanka answered this by saying, “The adequate level of data is defined by the processes you do.” And these processes must be clearly defined in your privacy agreements.

Privacy policies & data breaches

When GDPR came into effect, you likely saw a flood of emails. “Hi! We’ve updated our privacy policy!” said the subject of the email. From Facebook to Google to names you never heard of, these emails kept coming one after another. While annoying at the time, today we can’t blame these companies for spamming us.

When GDPR came into effect, you likely saw these notifications because the privacy policy is an important document under GDPR (Image credits: Popular Science)

GDPR considers the privacy policy to be one of the most important documents of a company. Traditionally, these have been boring agreements. Filled with pages of confusing legal jargon that everyone ignored. However, with the new regulations, this changed. Now companies must ensure that their privacy policies have simple easy to understand language.

Of course, it’s tough to define what constitutes as easy to understand. But in the event of a data breach or violation, the courts will debate this. Furthermore, in the event of a breach, a company has 72 hours after it becomes aware. Within this timeframe, it must notify the supervisory authority without undue delay. If the company is a data processor, then it must notify every data breach to the data controller.

In June 2017, Equifax found it had been hacked. They waited until September to announce the hack, which affected millions. Under GDPR they’d have only gotten 72 hours to report it (Image credits: AP Photo/Mike Stewart)

However, companies don’t need to inform users unless their data has been affected. The official GDPR website states, “If the data breach poses a high risk to those individuals affected then they should all also be informed unless there are effective technical and organizational protection measures that have been put in place or other measures that ensure that the risk is no longer likely to materialize.”

The technical details

As such, organizations need to take security seriously due to GDPR. This doesn’t simply mean ensuring technical security measures are in place. It also requires non-technical measures to ensure accountability and governance. This ranges from having clear contracts with data processors to clear documentation of systems.

With GDPR companies now need to take data privacy and protection even more seriously (Image credits: Digital Sense)
With GDPR companies now need to take data privacy and protection even more seriously (Image credits: Digital Sense)

Most importantly, Sri Lankan companies and those globally that want to enter the EU market now need to prioritize data protection when designing software. Asanka shared the basics of how this can be done at ShoutOUT Connect. The basic technical tips he shared were:

  • Isolate your infrastructure
  • Encrypt all the data
  • Ensure data stored temporarily will be automatically
  • Connect to distant resources on secure connections
  • Keep secrets away from the code

Ultimately, GDPR doesn’t list out any specific technical and other measures. This has given many companies freedom but also has resulted in some confusion. Asanka admitted at ShoutOUT Connect that this is a challenge. Yet, a simple way to overcome it, which he suggested was to meet the requirements of security certifications. Some examples of certifications he shared were ISO 27018, ISO 27001, and PCI DSS.

With GDPR, the challenges of utilizing platforms like AWS was questionable initially. But it’s actually still possible provided a few requirements are met (Image credits: TechSpot)

But when it comes to the technical details we can’t ignore cloud computing. Over the years, we’ve seen cloud providers like AWS become a popular choice for software infrastructure for many Sri Lankan companies. However, since it came into effect, GDPR has stated that the data of EU citizens must be stored within the EU.

But at ShoutOUT Connect, Asanka pointed out an exception that your data can be stored in any country. In some countries, the data can be stored and transferred outside the EU without any additional safeguards. This is the because these countries have been declared as offering an adequate level of protection through a European Commission decision.

Both Samantha and Asanka argued that GDPR was an opportunity for organizations to be better and offer better data protection

But if a country has not received this declaration, a data transfer can still take place. But as per the official GDPR website, this can only be, “through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals.”

It’s also possible to store your data in a country without meeting the above requirements. In such instances, the GDPR official website states, “a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.”

So what else can you do to survive GDPR?

To quote Asanka, “GDPR is still new and court cases are still ongoing. With these hearings, the laws will be amended over time.” Yet despite the challenge, Asanka looks at it as an opportunity. Samantha agreed and added that Sri Lankan companies should ensure that their employees are ready to protect the data of their customers. And since we lack any form of data protection laws, it’s somewhat comforting to know that private companies will take our data more seriously. Even if it’s only because they wish to enter the lucrative European market. For more information about GDPR click here.


Please enter your comment!
Please enter your name here