Page 22 - KDU Law Journal Volume 4 Issue 2

KDU Law Journal                                  Volume 04 Issue II
                                                              September, 2024
             Obligations of the data fiduciary: Section 8(4) [43] and (5) [44]
             of the Act require that the data fiduciary must ensure the
             security and integrity of personal data. To ensure security, the
             data fiduciary must implement security measures to protect
             against data breaches and unauthorized access and maintain
             detailed records of data processing activities. Lastly, the Act
             introduces strict penalties for non-compliance, including hefty
             fines and potential legal action. By imposing these consequences,
             the Act seeks to encourage businesses and organizations to take
             data protection seriously and prioritize the privacy rights of
             individuals. These measures not only ensure compliance with the
             Act but also serve as a deterrent against negligence or misconduct
             in handling personal data. Overall, the Digital Personal Data
             Protection Act 2023 represents a significant step forward in
             strengthening the rights of individuals in the digital space and
             promoting responsible data practices. However, it comes with
             several limitations that need continuous review and refinement.
             Firstly, the Act grants the government substantial leeway to
             exempt any of its agencies from the provisions of the Act. This
             raises concerns about the potential for misuse, especially
             regarding surveillance and privacy. Secondly, the Act has a
             limited scope of applicability: it primarily applies to digital
             data and does not comprehensively address non-digital data. In an
             era where data is increasingly integrated across digital and
             physical platforms, this limitation could leave a significant gap
             in data protection. Thirdly, the Act mandates data breach
             notifications, but it does not specify stringent timelines or the
             exact nature of the information that must be disclosed to affected
             individuals. This lack of specificity can hinder effective
             response and remediation efforts.

             43  Section 8(4) - A Data Fiduciary shall implement appropriate technical and organizational
             measures to ensure effective observance of the provisions of this Act and the rules made
             thereunder. Supra note 36.
             44  Section (6) - A Data Fiduciary shall protect personal data in its possession or under its
             control, including in respect of any processing undertaken by it or on its behalf by a Data
             Processor, by taking reasonable security safeguard to prevent personal data breach. Supra
             note 34.
                                                             law.faculty@kdu.ac.lk