Sri Lanka's Data Protection Act (No. 9 of 2022) fundamentally changed how Sri Lankan businesses handle personal data online. All Sri Lankan businesses must comply with this law, making website compliance more crucial than ever.

At Elridhma, we ensure every website we build meets these legal requirements from day one. Here's your comprehensive guide to data protection compliance for Sri Lankan business websites.

Understanding Sri Lankan Data Protection Law


What Data is Protected?

Sri Lankan law protects any information relating to an identified or identifiable person:
  • Contact information: Names, email addresses, phone numbers
- Location data: IP addresses, postal addresses
  • Technical data: Browser information, device identifiers
- Behavioural data: Website usage patterns, preferences
  • Marketing data: Newsletter subscriptions, communication preferences

Legal Basis for Processing

Sri Lanka businesses must have a lawful basis for collecting and processing personal data:
  • Consent: Freely given, specific, informed agreement
- Contract: Processing necessary for contractual obligations
  • Legal obligation: Required by Sri Lanka or EU law
- Vital interests: Protecting someone's life or safety
  • Public task: Carrying out official functions
- Legitimate interests: Business needs that don't override individual rights

Essential GDPR Requirements for Sri Lanka Websites


Privacy Policy Requirements

Every Sri Lanka business website must have a comprehensive privacy policy that includes:

Data Controller Information:
  • Company name and registration details
- Contact information including DPO if applicable
  • Sri Lanka address and phone number

Data Collection Details:
  • What personal data you collect
- How you collect it (forms, cookies, analytics)
  • Why you need it (purpose and legal basis)
- How long you keep it

Data Sharing Information:
  • Who you share data with (third parties, processors)
- International transfers and safeguards
  • Marketing and advertising uses

Individual Rights:
  • Right to access personal data
- Right to rectification and erasure
  • Right to data portability
- Right to object to processing
  • How to exercise these rights

Cookie Consent Implementation

Sri Lanka websites must obtain clear consent for non-essential cookies:

Essential Cookies (no consent required):
  • Session management
- Security features
  • Load balancing
- Basic functionality

Non-Essential Cookies (consent required):
  • Analytics and tracking
- Marketing and advertising
  • Social media integration
- Personalisation features

Consent Requirements:
  • Clear opt-in mechanism
- Specific consent for different cookie types
  • Easy withdrawal of consent
- Regular consent renewal

Contact Form Compliance

Every contact form must include:
  • Clear purpose statement
- Legal basis for processing
  • Data retention information
- Link to full privacy policy
  • Opt-in checkbox for marketing (if applicable)

Technical Implementation for Sri Lanka Websites


Cookie Consent Solutions

Implement proper cookie consent with these features:

Consent Banner Requirements:
  • Visible on first visit
- Clear accept/reject options
  • Granular control over cookie types
- Easy access to cookie policy

Technical Implementation:
```html
<!-- Example cookie consent structure -->
<div id="cookie-consent-banner">
<p>We use cookies to enhance your experience.
<a href="/cookie-policy">Learn more</a></p>
<button id="accept-all">Accept All</button>
<button id="reject-optional">Reject Optional</button>
<button id="cookie-settings">Manage Preferences</button>
</div>
```

Data Minimisation Practices

Only collect data you actually need:
  • Remove unnecessary form fields
- Use progressive profiling for customer data
  • Implement automatic data deletion
- Regular data audits and cleanup

Security Measures

Protect personal data with appropriate technical measures:
  • SSL certificates for all data transmission
- Secure form processing
  • Regular security updates
- Access controls and user permissions
  • Data encryption for sensitive information

Specific Requirements for Different Business Types


E-commerce Websites

Online stores have additional GDPR obligations:

Customer Accounts:
  • Clear account creation consent
- Data retention for order history
  • Payment data handling (PCI compliance)
- Marketing consent separation

Order Processing:
  • Lawful basis: contract performance
- Data sharing with payment processors
  • Delivery partner data sharing
- Customer communication preferences

Service-Based Businesses

Professional services must consider:

Client Data:
  • Project-related data processing
- File sharing and collaboration
  • Client communication records
- Testimonial and case study consent

Marketing Activities:
  • Newsletter subscriptions
- Lead generation forms
  • Event registration data
- Follow-up communications

Local Businesses

Location-based services have unique considerations:

Google My Business:
  • Customer review management
- Location tracking disclosure
  • Photo and video consent
- Social media integration

Local Marketing:
  • Community event data
- Local directory listings
  • Partnership data sharing
- Referral program information

Creating Compliant Privacy Policies


Essential Sections for Sri Lanka Businesses


1. Data Controller Details
```
[Company Name] is the data controller for your personal information.

Registered Address: [Full Sri Lanka Address]
Company Number: [Companies House Number]
Contact: [Email] | [Phone]
Data Protection Officer: [Contact if applicable]
```

2. Data Collection and Use
```
We collect personal information when you:
  • Complete our contact forms
- Subscribe to our newsletter
  • Create an account
- Make a purchase
  • Use our website (through cookies)

We use this information to:
  • Respond to your enquiries
- Process orders and payments
  • Send marketing communications (with consent)
- Improve our website and services
  • Comply with legal obligations
```

3. Data Sharing and Transfers
```
We may share your data with:
  • Payment processors (for orders)
- Email marketing platforms (with consent)
  • Analytics providers (Google Analytics)
- Legal advisors (when required)

International transfers are protected by:
  • Adequacy decisions
- Standard contractual clauses
  • Certification schemes
```

Cookie Policy Requirements

Separate detailed cookie policy covering:
  • Types of cookies used
- Purpose of each cookie
  • Retention periods
- How to manage cookie preferences
  • Third-party cookie information

Ongoing Compliance Management


Regular Review Process

GDPR compliance requires ongoing attention:

Monthly Tasks:
  • Review data collection practices
- Update privacy policy if needed
  • Check cookie consent functionality
- Monitor data subject requests

Quarterly Tasks:
  • Full privacy policy review
- Data audit and cleanup
  • Staff training updates
- Vendor compliance checks

Annual Tasks:
  • Complete data protection impact assessment
- Review data retention schedules
  • Update consent mechanisms
- Legal requirement updates

Handling Data Subject Requests

Prepare procedures for common requests:

Access Requests:
  • Verify identity
- Provide data within 30 days
  • Include all personal data held
- Explain processing purposes

Deletion Requests:
  • Assess legal obligations
- Consider legitimate interests
  • Delete data where required
- Confirm completion

Rectification Requests:
  • Verify correct information
- Update all relevant systems
  • Notify third parties if necessary
- Confirm changes made

Common GDPR Mistakes to Avoid


Pre-Ticked Consent Boxes

Never use pre-ticked boxes for consent:
  • All consent must be actively given
- Separate consent for different purposes
  • Clear withdrawal mechanisms
- Regular consent renewal

Bundled Consent

Don't bundle consent with terms and conditions:
  • Separate privacy consent from service terms
- Granular consent options
  • Optional services separately consented
- Clear explanation of consequences

Inadequate Privacy Policies

Avoid generic, unclear privacy policies:
  • Specific to your business activities
- Written in plain English
  • Regularly updated
- Easily accessible

Working with GDPR-Compliant Web Developers


Questions to Ask Your Developer

- Do you implement cookie consent by default?
  • How do you handle contact form compliance?
- What security measures do you include?
  • Do you provide privacy policy templates?
- How do you ensure ongoing compliance?

Uveriqo's GDPR Approach

We build GDPR compliance into every website:
  • Built-in cookie consent: Professional consent management
- Compliant contact forms: Proper consent and data handling
  • Security by design: SSL, secure hosting, regular updates
- Privacy policy creation: Tailored to your business
  • Ongoing support: Compliance monitoring and updates

The Cost of Non-Compliance


GDPR fines can be substantial:
  • Up to €20 million or 4% of annual turnover
- Reputation damage
  • Loss of customer trust
- Legal costs and proceedings

However, compliance also brings benefits:
  • Increased customer trust
- Better data management
  • Competitive advantage
- Reduced security risks

Conclusion


GDPR compliance for Sri Lanka business websites isn't just about avoiding fines—it's about building trust with your customers and handling their data responsibly. While the requirements may seem complex, working with experienced web developers who understand Sri Lanka data protection law makes compliance straightforward.

The key is building compliance into your website from the start rather than trying to retrofit it later. This approach is more cost-effective and ensures your business is protected as you grow.

Need help ensuring your Sri Lanka business website is GDPR compliant? Contact Uveriqo today. We build compliance into every website we create and can audit your existing site for any compliance gaps.