Abstract:
Personal data protection has become one of the hot topics in countries that process European Union citizens' data following the enactment of the General Data Protection Regulation (GDPR), in effect from 25 May 2018. In the Sri Lankan context, there are minimal restrictions on handling personal data, and the available regulations focus on only a few business sectors. Under international influence, Sri Lanka is also in the process of establishing separate legislative amendments specifically for personal data protection, along with a legal draft on cyber security. The finalized act on personal data protection (pending approval from the Parliament of Sri Lanka) states eight obligations for the data processor and four rights for the data subject to safeguard the personal data of Sri Lankan citizens. To comply with these rights and obligations, Sri Lankan institutes need properly placed processes, systems, and internal culture. This study examined whether private sector higher educational institutes in Sri Lanka have the competencies to comply with the data protection acts. The research is therefore exploratory in nature and uses a case study approach. The findings suggest that there is no or minimal compliance with the selected data protection obligations and data subject rights. A new conceptual framework with six privacy principles and a four-step method is proposed to reduce the compliance gap with local and global privacy legislation.