Data Protection & Privacy in Bangladesh (2025): What Companies—Local & Foreign—Must Do Now
By TRW Law Firm — Technology, Financial Services & Cross-Border Practice (Dhaka & Dubai)
Snapshot (as of September 2, 2025 — Dhaka time)
- Bangladesh is on the cusp of a comprehensive data-privacy regime. A Personal Data Protection Ordinance (PDPO) has been drafted/finalized at ministry level; it sets out extraterritorial scope, lawful bases, data-subject rights, breach notification, audits, and cross-border transfer/localization concepts. It has not yet been clearly gazetted into force at the time of writing, but its core design is visible and should be treated as “imminent.”
- Cybersecurity laws have shifted. A Cyber Security Ordinance 2025 has been promulgated, replacing the Cyber Security Act 2023; it governs cyber offenses, investigations and powers. Expect overlaps with PDPO around incident handling.
- Sectoral rules already bite. Bangladesh Bank’s ICT Security Guidelines and related circulars impose security, cloud and record-keeping obligations on banks/NBFIs; the Digital Bank Guidelines (Aug 2025) require cloud located inside Bangladesh. Telecom/ISP directions from BTRC include extended user-log retention.
Bottom line: Even before the PDPO formally lands, banks, PSPs, fintechs, telcos, platforms, exporters/importers, healthcare, e-commerce, and multinationals already carry concrete security and privacy obligations. Build for PDPO now so you’re compliant on day one.

What the PDPO is expected to require (and how to prepare)
The following reflects features consistently described in official statements and near-final English drafts in circulation. Treat specifics as directional; final text may shift.
Scope & extraterritoriality
- In scope: any “data-fiduciary” or “processor” operating in Bangladesh; processing in Bangladesh; or processing abroad that targets or profiles people in Bangladesh (offer of goods/services or monitoring). That includes foreign companies with no entity in Bangladesh but active users there.
Personal data & sensitive data
- Broad personal-data definition. “Sensitive personal data” typically includes biometric/genetic, health, religious/political beliefs, union membership, ethnicity, and financial data—triggering stronger protections.
Lawful bases & principles
- Familiar principles (fairness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, transparency). Expect consent, contractual necessity, legal obligation, public interest and similar bases.
Rights & governance
- Data-subject rights (access/correction/erasure/portability).
- Certain large or “major-importance” data-fiduciaries to appoint a Data Protection Officer (DPO) and undergo independent data audits from an approved panel.
Breach notification
- Notify the Authority when a breach risks significant harm, with details of scope, affected data, and mitigation steps. Customer notification may be directed by the Authority.
Cross-border transfers & localization
- Expect an adequacy/approval model, with power to suspend transfers and to classify data for local storage (e.g., national security, financial, public-safety datasets). Plan for contracts plus transfer assessments.
Regulator & enforcement
- Enforcement via a national data authority with powers to inspect, demand records, order deletions/cessation, and fine. Fines scale with severity; appeal mechanism exists.
Existing obligations you must already meet (today)
- Cybersecurity framework (public law): The new ordinance enables investigations, seizures, and sanctions for cyber offenses. For companies, this intensifies your incident-response, log-retention, and cooperation duties with law enforcement.
- Banking/fintech (Bangladesh Bank):
- ICT Security Guidelines: risk management, access control, encryption, outsourcing controls, secure development, and board oversight are mandatory for banks/NBFIs/PSPs.
- Digital banks (Aug 2025): cloud must be in Bangladesh; comply with BB cloud/ICT guidelines; maintain Core Banking controls.
- Payment services & partner networks: approval files must include a data-protection policy, consent processes, MIS/internal-control description—these are reviewed by BB.
- Telecom/ISP (BTRC): user-log retention requirements; SIM and subscriber governance; lawful-interception cooperation. If you’re an ISP, CDN, or platform with local POPs, align logging/retention with license terms.
- Other public rules touching privacy: sectoral procurement rules, RTI exceptions for personal privacy, and health/education record practices. These don’t form a full privacy regime but affect how you handle user data in practice.
Foreign companies operating in (or serving) Bangladesh: what changes
- Extraterritorial reach: The draft PDPO catches foreign platforms, SaaS, adtech, marketplaces, fintechs, cloud and BPO providers if they offer services to or profile individuals in Bangladesh—even without a local entity.
- Local representative & DPO: Large-scale or high-risk data-fiduciaries will likely need a DPO. Regulations may also require a local representative or enrolment for “major-importance” controllers.
- Cross-border transfer controls: Prepare legal mechanisms (contractual clauses/adequacy/approvals), transfer impact assessments, and technical measures (encryption, key control) to sustain BD↔global data flows.
- Localization pockets: If you run digital banking, payment infrastructure, or other “critical” functions, assume local hosting may be required—already explicit for digital banks and likely for future “restricted” data classes.
- Contracts with Bangladeshi clients: Expect model clauses or PDPO-compliant DPAs, audit rights by the Authority, and data-audit obligations via approved auditors.
A practical compliance blueprint (works now, future-proofs for PDPO)
1) Map your data (30 days)
- Records of Processing (RoPA): what personal data you collect in BD; purposes; lawful bases; recipients; retention; locations; processors/sub-processors.
- Classify sensitive vs. non-sensitive; identify children’s, financial, biometric/health data.
- Tag datasets that are exported and those hosted in BD.
2) Pick your lawful bases & consent models
- Draft justification memos for each purpose (consent, contract, legal obligation, etc.). Be strict on marketing/analytics (separate opt-in, easy opt-out).
- Sensitive data → require explicit consent or another clearly applicable lawful basis.
3) Stand up core policy suite
- Privacy Policy (Bangla + English), Internal Privacy Standard, Data Retention & Destruction, Access Control, Vendor & Cloud Policy, Breach Response SOP, Data-Subject Request (DSR) SOP, BYOD/Monitoring policy (for employees).
4) Security controls tuned to local realities
- Access (RBAC/MFA/least privilege), encryption at rest/in transit, network segmentation, event logging with retention periods aligned to BTRC and Bangladesh Bank requirements, secure SDLC, third-party risk (due diligence, contract security exhibits), BCP/DR.
- Align with Bangladesh Bank’s ICT security baseline; if you’re applying for a digital-bank license, ensure local cloud.
5) Children & special categories
- Age-gating and parental consent where services appeal to minors.
- Health/biometric/religion/ethnicity → use minimality + explicit consent + impact assessment before rollout.
6) Cross-border transfer governance
- Build a Transfer Register listing: data categories, destinations, purposes, legal mechanism (contract/adequacy/approval), encryption & key management (ideally keys in BD).
- Draft Transfer Impact Assessments that consider possible adequacy/approval and the Authority’s power to suspend/condition transfers.
7) Data-subject rights (DSR) handling
- Single intake channel (web form/email), identity-verification steps, 15–30 day resolution targets (confirm final PDPO timelines), and an appeal/escalation path.
8) Vendor & cloud contracts
- DPA exhibit: purpose, instructions, security measures (e.g., ISO-aligned), sub-processor approvals, assistance with DSRs/breaches, deletion/return at end.
- Localization clause (if needed): hosting region BD; data export only under an approved mechanism.
9) Breach readiness
- Set an internal rule to detect, triage and reach a notification decision within 24–72 hours; notify the Authority without undue delay where significant harm is likely.
- Decide quickly on user notification; coordinate with Bangladesh Bank if you are a regulated institution; preserve forensic images with a documented chain of custody.
10) Governance model
- DPO (mandatory for defined classes): independent reporting line to CEO/Board; local escalation rights; tracks RoPA, DPIAs, training, and audits.
- Board MI each quarter: incidents, DSR volumes, audit status, vendor risk, transfer register, remediation trackers.
Distribution, marketing, HR & product: where privacy risks actually appear
Sales/marketing
- Consent for promotional SMS/email; no bundled consent. Maintain a preference center in Bangla/English.
- Online tracking: granular cookie controls; tag-manager governance.
HR/employee monitoring
- CCTV, access cards, GPS/telemetry on field staff → purpose-limited, with notice, retention caps, and access logs; avoid covert monitoring except where lawful and necessary.
Product & app teams
- Privacy-by-design gates in the SDLC: threat modeling; data minimization; configuration that keeps PII out of logs in non-production environments; privacy reviews before adopting new analytics SDKs.
- Defaults: end-to-end encryption for messaging; masked PII in support tools.
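The two product defaults above (keep PII out of logs, mask PII in support tools) come down to one redaction routine applied at the logging handler and in support views. The following is an added example written for this article, not code from the original page or from TRW; the Bangladeshi mobile-number pattern (01X-XXXXXXXX, optional +880 prefix) is an assumption, and the sample log lines are constructed.

```python
# Added example: redacting common PII patterns from log lines and support-tool
# views.  Not code from the original article.  The Bangladeshi mobile-number
# pattern is an assumption; the sample log lines are constructed.
import logging
import re

# Mobile: optional +880 / 880 / 0 prefix, "1", an operator digit 3-9, eight more digits.
BD_MOBILE = re.compile(r"(?<!\d)(?:\+?880|0)1[3-9]\d{8}(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digit runs with optional space/dash separators; confirmed with Luhn before masking.
CARD = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_LINES = [  # constructed, not real customer data
    "KYC submitted for +8801712345678 by rahim.uddin@example.com",
    "card 4111 1111 1111 1111 declined for 01987654321",
    "order 20250902-0001 shipped, ref 123456789012345",  # 15 digits, fails Luhn: left alone
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_mobile(m: re.Match) -> str:
    s = m.group(0)
    return "*" * (len(s) - 3) + s[-3:]               # keep last three digits for support lookups


def _mask_email(m: re.Match) -> str:
    local, _, domain = m.group(0).partition("@")
    return local[0] + "***@" + domain                # keep first char and domain


def _mask_card(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                                   # not a card number
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]   # PCI DSS first6/last4


def redact(text: str) -> str:
    """Mask mobiles first (so a +880 number is not mistaken for a PAN), then cards, then emails."""
    text = BD_MOBILE.sub(_mask_mobile, text)
    text = CARD.sub(_mask_card, text)
    return EMAIL.sub(_mask_email, text)


def redact_lines(lines):
    return [redact(line) for line in lines]


class RedactingFilter(logging.Filter):
    """Attach to every handler so PII never reaches log storage, in any environment."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())     # format once, then redact
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("kyc")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    for line in SAMPLE_LINES:
        log.info(line)
```

The substitution order matters: a number written as +8801712345678 is 13 digits and would otherwise be tested as a card, so mobiles are masked first; the Luhn check stops order and reference numbers from being mangled. Attaching the filter at the handler rather than per-logger catches third-party libraries that log through the root logger.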
Procurement & finance
- DPAs with all processors; ensure banking/BB and BTRC retention/security alignment in vendor SOWs; no uncontrolled offshore support without an assessed transfer mechanism.
Special notes for high-risk sectors
Banks, NBFIs, PSPs, MFS, Digital Banks
- Implement the banking ICT baseline; local cloud for digital banks; Core Banking controls; incident/forensic coordination with the central bank.
Telecom/ISPs/CDNs
- Logging/retention consistent with BTRC license conditions; identity/SIM governance; data disclosure only under proper legal process.
Healthcare & insurance
- Treat health data as sensitive; explicit consent and strict access; audit trails for every read of medical records.
E-commerce & marketplaces
- Transparent delivery/return flows; limit KYC to what’s necessary; escrow/shipping partners bound by DPAs; added protections for minors.
Adtech & platforms
- Map identifiers (MAIDs, cookies, device fingerprints); run transfer assessments for the global ad supply chain; strict controls on data enrichment and sharing.
Cross-border transfers: workable playbook for foreign groups
- Pick a lawful mechanism consistent with PDPO’s adequacy/approval approach; implement Bangladesh-specific DPA clauses and transfer assessments.
- Engineer technical safeguards: encryption in transit and at rest, key custody in BD, tokenization or keyed pseudonymization (an unkeyed hash of a phone number or national ID can be reversed by enumerating the small input space, so it does not count), and differential privacy for aggregate analytics.
- Limit scope: keep operational PII in BD; export pseudonymized analytics where possible.
- Be ready for suspensions: the Authority may order cessation/suspension of foreign transfers; keep a BD-region failover for critical services.
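What “keep operational PII in BD, export pseudonymized analytics” looks like in practice: direct identifiers are dropped, linkable fields are replaced with an HMAC under a key that stays in a Bangladesh-hosted KMS, and the customer key becomes a random token whose mapping lives only in a BD vault. The block below is an added example for this article, not TRW’s or any regulator’s code; the key custodian and vault are stand-ins for a real KMS/HSM and token store, the key value and sample record are constructed, and the export rules are illustrative. It also shows why a plain SHA-256 of a phone number is not pseudonymization.

```python
# Added example: pseudonymise/tokenise a record before cross-border export.
# BDKeyCustodian and TokenVault stand in for a KMS/HSM and a token vault
# hosted in Bangladesh; key, record and rules are constructed for the demo.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

BD_REGION_KEY = b"demo-key-held-in-bd-kms-only-0123"   # assumed: never leaves the BD KMS

SAMPLE_RECORD = {  # constructed, not a real person
    "customer_id": "C-100045",
    "name": "Rahim Uddin",
    "phone": "01712340042",
    "email": "rahim.uddin@example.com",
    "national_id": "1234567890",
    "city": "Dhaka",
    "txn_amount_bdt": 2500,
}

EXPORT_RULES = {  # any field not listed is dropped rather than leaked
    "customer_id": "token",   # reversible only through the BD-hosted vault (e.g. for a DSR)
    "phone": "hmac",          # keyed pseudonym: joinable across exports, not reversible abroad
    "email": "hmac",
    "name": "drop",           # direct identifiers the analytics use case does not need
    "national_id": "drop",
    "city": "keep",
    "txn_amount_bdt": "keep",
}


class BDKeyCustodian:
    """Holds the pseudonymisation key; only digests leave this object."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def pseudonym(self, field: str, value: str) -> str:
        # Domain-separate by field so the same string in two columns is not linkable.
        return hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible tokenisation; the mapping stays in Bangladesh."""

    def __init__(self) -> None:
        self._by_value: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        tok = self._by_value.get(value)
        if tok is None:                              # same value -> same token, exports stay joinable
            tok = "tok_" + secrets.token_hex(8)
            self._by_value[value] = tok
            self._by_token[tok] = value
        return tok

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def prepare_for_export(record: dict, custodian: BDKeyCustodian, vault: TokenVault) -> dict:
    """Apply EXPORT_RULES; the result is the record that may cross the border."""
    out = {}
    for field, value in record.items():
        rule = EXPORT_RULES.get(field, "drop")
        if rule == "keep":
            out[field] = value
        elif rule == "hmac":
            out[field] = custodian.pseudonym(field, str(value))
        elif rule == "token":
            out[field] = vault.tokenize(str(value))
    return out


def contains_raw_pii(exported: dict, original: dict) -> bool:
    """True if any non-'keep' value from the original survives verbatim in the export."""
    raw = {str(v) for k, v in original.items() if EXPORT_RULES.get(k, "drop") != "keep"}
    return any(str(v) in raw for v in exported.values())


def naive_hash(phone: str) -> str:
    """What NOT to do: an unkeyed hash of a phone number."""
    return hashlib.sha256(phone.encode()).hexdigest()


def reverse_naive(digest: str, prefix: str = "0171234", width: int = 4) -> Optional[str]:
    """Enumerate the last `width` digits to reverse an unkeyed hash.
    Eleven-digit mobile numbers are well under 10**9 candidates, so the same
    loop over the full range is cheap; the demo range is kept small."""
    for i in range(10 ** width):
        candidate = f"{prefix}{i:0{width}d}"
        if naive_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    custodian, vault = BDKeyCustodian(BD_REGION_KEY), TokenVault()
    exported = prepare_for_export(SAMPLE_RECORD, custodian, vault)
    print(exported)
    print("raw PII in export:", contains_raw_pii(exported, SAMPLE_RECORD))
    print("unkeyed hash reversed to:", reverse_naive(naive_hash(SAMPLE_RECORD["phone"])))
    print("keyed pseudonym reversed to:", reverse_naive(exported["phone"]))
```

Two design points: the HMAC is domain-separated by field name, so a phone number that also appears in a free-text column does not yield a matching pseudonym; and the vault, not the analytics team, is the only place a token can be turned back into a customer, which is exactly the capability the Authority can suspend or audit without touching the exported dataset.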
Enforcement & exposure
- Administrative fines scale with severity and recurrence; the Authority can order deletion, stop processing, or halt outbound data flows; appellate route exists.
- For regulated sectors (banking/telecom), sector supervisors can take parallel action for security/control failures.
90-Day Bangladesh Privacy Implementation Plan
Days 1–30 — Stabilize
- Appoint Privacy Lead/DPO-designate; publish a CEO note committing to PDPO-readiness.
- Build your RoPA, Data Map, and Transfer Register; tag sensitive and child data.
- Issue/update Privacy Policy (Bangla+English) and Breach SOP; align your security baseline with banking ICT guidance or equivalent.
Days 31–60 — Institutionalize
- Execute DPAs with all processors; add localization and transfer clauses.
- Launch a DSR portal; standardize identity-verification and turnaround times.
- Run DPIAs for high-risk products (biometric onboarding, geo-tracking, health/financial profiling).
- Draft cookie/SDK governance; switch to consent-based marketing.
Days 61–90 — Assure
- Tabletop a data breach and practice Authority notification.
- Internal privacy audit (or external readiness check) against PDPO and sector rules; fix gaps.
- Board dashboard: incidents, DSRs, audits, vendor risk, transfer inventory, remediation.
Templates you can adapt (short-form)
Data Processing Addendum (DPA) — key clauses
- Purpose & documented instructions; Bangladesh-specific definitions (“data-fiduciary”, “processor”).
- Security: recognized controls (e.g., ISO-aligned), encryption, logging, vulnerability management, secure development.
- Sub-processors: disclosure + approval; flow-down of obligations.
- Transfers: lawful mechanism + transfer assessment; stop/suspend on Authority order.
- Audit & assistance: allow Authority-mandated audits; assist with DSRs and breaches.
- Exit: data return/deletion; verified by certificate.
Breach-notice checklist (internal 24-hour pack)
- What happened; when detected; systems/data impacted; individuals affected; encryption status; containment; likelihood of harm; proposed notifications; law-enforcement/regulator contact; remediation; lessons learned.
Privacy-by-Design gate (product)
- Data minimization; purpose test; sensitive-data review; default privacy settings; logging; retention; DPIA decision; transfer check; localization feasibility; rollback plan.
FAQs
Is PDPO already in force?
Not yet. As of September 2, 2025, government statements and public drafts indicate a finalized draft ordinance with imminent adoption. Build now to avoid a scramble on commencement.
We’re a foreign SaaS with Bangladesh users but no BD entity—are we covered?
Yes. The draft applies extraterritorially to services offered to or profiling people in Bangladesh. Expect to appoint a DPO (if classed), sign DPAs, and implement a transfer mechanism.
Can we keep using global clouds?
Generally yes with lawful transfer mechanisms and strong technical safeguards—however, some sectors (e.g., digital banks) require local cloud. Future classifications could localize certain “restricted” datasets.
How long do ISPs/platform POPs need to retain logs?
Follow your license terms and BTRC directions, which have moved toward extended user-log retention. Confirm the exact durations applicable to your license.
How TRW helps (end-to-end)
- PDPO-ready program: privacy policy stack, RoPA/DPIA, DSR workflows, transfer kits, Bangla-first notices and consent UX.
- Banking/fintech privacy & security: align to banking ICT guidelines, digital-bank localization, incident playbooks, regulator liaison.
- Cloud & cross-border strategy: lawful transfer architecture, encryption/key custody in BD, vendor & sub-processor contracting.
- Telecom/ISP compliance: log retention, LEA interface SOPs, lawful disclosure, and audit readiness.
- Training: role-based (engineering, product, marketing, branch ops), in Bangla & English.
- Audits & readiness assessments: mock inspections, document rooms, and remediation plans built to withstand scrutiny.
Contact TRW Law Firm
Phones: +8801708000660 · +8801847220062 · +8801708080817
Emails: [email protected] · [email protected] · [email protected]
Offices: Dhaka — House 410, Road 29, Mohakhali DOHS • Dubai — Rolex Building, L-12 Sheikh Zayed Road
One last thought
If you engineer privacy into operations now—data maps, governance, contracts, security baselines, and transfer controls—you’ll be compliant on day one of PDPO, smoother with Bangladesh Bank and BTRC, and far more resilient when breaches or audits strike. The window before full adoption is the best time to get this right.
