The need to protect our data
According to global consumer surveys, personal data privacy has become a significant concern worldwide. Around 86% of consumers consider data privacy important and expect meaningful privacy rights online. In Bangladesh, citizens have similarly been facing challenges regarding personal data protection and are demanding strong privacy laws.
In this context, Bangladesh has recently enacted the Personal Data Protection Act 2026 to protect individuals’ personal information and data. This Act ensures legal protection of identifiable personal data of individuals, including National Identity Card (NID) information, medical records, passports, birth certificates, bank account information, addresses, and mobile numbers.
Under section 5 of the Act, a data controller or processor (the person/company deciding why and how data will be used) may process one’s personal data only when the data subject (the person whose data is being used) gives their consent. The consent must be freely given and cannot be obtained through coercion. Besides, the data controller must inform the data subjects why their data is collected, how long it will be kept, whether it will be shared/transferred, and how consent can be withdrawn. However, there are some exceptional circumstances in which personal data may be processed without consent, such as for the performance of a contract, defence in court, protection of life or health, or where the data has been voluntarily made publicly available.
Another layer of protection is provided for sensitive data under section 7. Sensitive Personal Data means highly private information such as health records, biometric data, religious beliefs, political opinions, sexual orientation, criminal records, etc. These data can only be processed with explicit consent and in some other limited circumstances, such as for contractual, employment-related, healthcare-related, legal, or public-interest purposes, specified by the Act. In cases of children or mentally unstable persons, consent must be given by the guardian. Moreover, under sections 10 and 11, the data subject may, by submitting a written request, access their personal data, obtain a copy of it, and know how it is being used.
Additionally, section 16 keeps the data confidential. It says that data cannot be shared for a different purpose than the purpose for which the data was collected without the data subject’s consent. Entities handling personal data must also implement appropriate technical and organisational security measures to protect personal data from loss, misuse, unauthorised access, destruction, or alteration. Similarly, as per section 18, a data controller cannot keep personal data longer than necessary for the purpose for which it was collected. However, in exceptional cases (such as public interest, scientific research, historical research, or statistical purposes), personal data may be retained beyond the prescribed retention period.
If a personal data breach occurs, section 20 requires the data controller to notify the authority within the prescribed time and in the prescribed manner. Under sections 25 and 26, the authority is responsible for ensuring proper implementation of this law. It protects data subjects’ rights, prevents violations, issues directions to data controllers and processors, and takes enforcement measures where necessary. The government may also impose a fee or charge on any entity earning profit from using Bangladeshi citizens’ personal data.
Importantly, if a data subject’s rights are violated, the data subject may file a complaint with the authority. Where the authority finds that a violation has occurred, it may impose an administrative fine of up to BDT 25 lakh. If the violator is a Significant Data Controller, the fine may go up to BDT 50 lakh. The authority may also order compensation for the person who has suffered loss. Furthermore, where a company violates the rights, the authority may impose administrative fines on the directors, managing directors, officers, or employees responsible for the violation. However, a person or organisation dissatisfied with a fine or compensation order may appeal to the Tribunal established under the ICT Act within 30 days.
Lastly, a law can protect personal data only on paper, but awareness, accountability, and enforcement are what protect it in practice. The success of the Personal Data Protection Act 2026 will depend on how effectively it is implemented, how seriously organisations safeguard personal information, and how well citizens understand and exercise their privacy rights. Bangladesh must now move beyond legislation and build a culture where personal data is treated with the same care and respect as any other asset.
The writer studies at the Bangladesh University of Professionals.