PDPO 2025 Data Protection Compliance.
Personal Data Protection Ordinance (PDPO) 2025
The PDPO 2025 is Bangladesh's first comprehensive data protection legislation, modeled after the EU GDPR. It establishes legal requirements for how organizations collect, process, store, and transfer personal data of Bangladesh citizens.
Unlike Bangladesh Bank regulations that apply only to financial institutions, PDPO applies to every organization -- banks, telecoms, e-commerce platforms, healthcare providers, educational institutions, government agencies, and any business that collects customer data.
The most impactful provision is mandatory data localization: personal data of Bangladesh citizens must be stored within Bangladesh. This will force many organizations to migrate data from international cloud providers to domestic infrastructure.
PDPO applies to ALL organizations. Not just banks.
The broadest regulatory mandate in Bangladesh history. Any organization processing personal data of Bangladesh citizens must comply.
Banks & Financial Institutions
Already subject to BB regulations, but PDPO adds data localization, consent management, and right-to-erasure requirements.
Telecommunications
Telcos hold massive volumes of personal data -- call records, location data, subscriber information. PDPO requires explicit consent and localization.
E-Commerce & Retail
Customer databases, purchase history, delivery addresses, payment information. Every e-commerce platform must comply.
Healthcare
Patient records, medical history, biometric data. Health and biometric data sit in the highest sensitivity classification under PDPO, so healthcare providers face the strictest handling requirements.
Technology Companies
SaaS providers, cloud services, app developers processing user data. Must demonstrate data localization compliance.
Government Agencies
National ID, tax records, land registry. Government must comply with the same PDPO standards as private sector.
Every PDPO requirement. Mapped to a working product.
Consent
Requirement: Explicit, informed consent before processing personal data. Purpose limitation. Data minimization.
Product: Consent capture at authentication. Purpose-bound tokens. Granular consent management via OAuth 2.1 scopes.

Access control
Requirement: Authorized personnel only. Role-based access. Audit trail of all data access.
Product: 42-endpoint RBAC + ABAC. Separation of duties. Time-bound access. Complete audit trail.

Data localization
Requirement: Personal data must be stored within Bangladesh. No unauthorized cross-border transfer.
Product: Tier-3 DC in Dhaka. APNIC member AS 64005. Own hardware. All data stays in Bangladesh.

Encryption and access logging
Requirement: Personal data must be encrypted at rest and in transit. Access logging mandatory.
Product: AES-256 encryption at rest. TLS 1.3 in transit. Immutable access logs. DAM with AI search.

Breach notification
Requirement: Report data breaches to the DPA within 72 hours. Notify affected individuals.
Product: Automated breach detection (Aegis). Multi-channel notification: Email, SMS, WhatsApp (BitsPath).

Right to erasure
Requirement: Individuals can request deletion of their personal data. Verifiable erasure.
Product: Identity-verified erasure requests via Wenme. Cryptographic deletion in Professional Vault.

Governance
Requirement: Appoint a DPO. Maintain processing records. Conduct impact assessments.
Product: DPO advisory. DPIA frameworks. Processing activity registers. Compliance documentation.
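The consent model the table describes (consent captured at authentication, purpose-bound tokens, OAuth-style scopes, withdrawal by the data subject) can be made concrete in a few dozen lines. The Go program below is an added illustration written for this page; it is not Wenme's code or API, and the scope names (pd:billing, pd:marketing, pd:profiling), subject IDs, timeline and one-hour token lifetime are assumptions. It goes one step beyond the table by handling the case the text leaves implicit: a token issued before consent was withdrawn must stop working for that purpose even though the token itself has not expired.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purpose is a data-processing purpose expressed as an OAuth-style scope.
// The scope names used here (pd:billing etc.) are assumptions for this example.
type Purpose string

// ConsentEvent is one entry in the append-only consent log.
type ConsentEvent struct {
	Subject string
	Purpose Purpose
	Granted bool // true = consent given, false = consent withdrawn
	At      time.Time
}

// ConsentLog is append-only: a withdrawal is a new event and the original
// grant is never edited or deleted, so the audit history stays intact.
type ConsentLog struct {
	events []ConsentEvent
}

func (l *ConsentLog) Grant(subject string, p Purpose, at time.Time) {
	l.events = append(l.events, ConsentEvent{subject, p, true, at})
}

func (l *ConsentLog) Withdraw(subject string, p Purpose, at time.Time) {
	l.events = append(l.events, ConsentEvent{subject, p, false, at})
}

// Active replays the log: consent holds if the latest event for the pair is a grant.
func (l *ConsentLog) Active(subject string, p Purpose) bool {
	active := false
	for _, e := range l.events {
		if e.Subject == subject && e.Purpose == p {
			active = e.Granted
		}
	}
	return active
}

// Token is purpose-bound: its scopes are limited to the purposes the subject
// had consented to when it was issued at authentication time.
type Token struct {
	Subject string
	Scopes  []Purpose
	Expires time.Time
}

var ErrNoConsent = errors.New("no active consent for any requested purpose")

// Issue mints a token at authentication. Requested purposes without consent are
// dropped, so a client cannot widen its access simply by asking for more scopes.
func (l *ConsentLog) Issue(subject string, requested []Purpose, now time.Time, ttl time.Duration) (Token, error) {
	var granted []Purpose
	for _, p := range requested {
		if l.Active(subject, p) {
			granted = append(granted, p)
		}
	}
	if len(granted) == 0 {
		return Token{}, ErrNoConsent
	}
	return Token{Subject: subject, Scopes: granted, Expires: now.Add(ttl)}, nil
}

// Authorize runs on every access to personal data: expiry, scope, and then the
// live consent log, so a withdrawal takes effect before the token expires.
func (l *ConsentLog) Authorize(t Token, p Purpose, now time.Time) error {
	if !now.Before(t.Expires) {
		return errors.New("token expired")
	}
	inScope := false
	for _, s := range t.Scopes {
		inScope = inScope || s == p
	}
	if !inScope {
		return fmt.Errorf("token not scoped for purpose %q", p)
	}
	if !l.Active(t.Subject, p) {
		return fmt.Errorf("consent for purpose %q has been withdrawn", p)
	}
	return nil
}

func main() {
	cl := &ConsentLog{}
	t0 := time.Date(2026, 4, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	cl.Grant("user-123", "pd:billing", t0)
	cl.Grant("user-123", "pd:marketing", t0)
	tok, _ := cl.Issue("user-123", []Purpose{"pd:billing", "pd:marketing", "pd:profiling"}, t0, time.Hour)
	fmt.Println("issued scopes:", tok.Scopes) // profiling was never consented to
	cl.Withdraw("user-123", "pd:marketing", t0.Add(10*time.Minute))
	fmt.Println("marketing:", cl.Authorize(tok, "pd:marketing", t0.Add(20*time.Minute)))
	fmt.Println("billing:  ", cl.Authorize(tok, "pd:billing", t0.Add(20*time.Minute)))
}
```

Two design points carry the compliance weight. The consent log is append-only, so the history an auditor sees is the one the subject actually produced. And Authorize consults the live log rather than trusting the token's scope list alone; without that re-check a withdrawal would only take effect when the token expired, and token lifetime would silently become the withdrawal latency.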
Personal data must stay in Bangladesh.
PDPO 2025 mandates that personal data of Bangladesh citizens be stored within Bangladesh. Organizations using international cloud providers for personal data must migrate to domestic infrastructure.
Professional Vault
Encrypted Storage
Enterprise DAM with AES-256 encryption. AI-powered search, facial recognition, metadata management. Running on KaritKarma Tier-3 infrastructure in Dhaka.
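"Cryptographic deletion" in the erasure row above refers to crypto-shredding: each data subject's records are encrypted under that subject's own key, and erasure destroys the key, so every copy of the ciphertext becomes unrecoverable without having to locate and wipe each one. The Go program below is an added illustration for this page, not Professional Vault's implementation. It keeps the per-subject key in process memory (in practice the key would be wrapped by a KMS/HSM-held key and erasure would delete it there), and the record contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrErased = errors.New("subject key destroyed: data is unrecoverable")
var ErrNotFound = errors.New("no such subject or record")

// Vault keeps one 256-bit data-encryption key (DEK) per data subject and stores
// each record as nonce||AES-256-GCM ciphertext. Assumption for this example:
// DEKs live in process memory rather than wrapped under a KMS/HSM-held key.
type Vault struct {
	keys    map[string][]byte            // subject -> DEK; nil once erased
	records map[string]map[string][]byte // subject -> recordID -> nonce||ciphertext
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, records: map[string]map[string][]byte{}}
}

// aad binds a ciphertext to its owner and record ID; re-homing it fails GCM authentication.
func aad(subject, recordID string) []byte { return []byte(subject + "/" + recordID) }

// aead returns the subject's AES-256-GCM instance, or why it cannot: destroyed key or unknown subject.
func (v *Vault) aead(subject string) (cipher.AEAD, error) {
	key, ok := v.keys[subject]
	if !ok {
		return nil, ErrNotFound
	}
	if key == nil {
		return nil, ErrErased
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length is fixed at 32 bytes
	return cipher.NewGCM(block)
}

// Store encrypts under the subject's DEK, minting it on first use; an erased subject is refused.
func (v *Vault) Store(subject, recordID string, plaintext []byte) error {
	if _, ok := v.keys[subject]; !ok {
		key := make([]byte, 32) // a 32-byte key selects AES-256
		if _, err := rand.Read(key); err != nil {
			return err
		}
		v.keys[subject] = key
		v.records[subject] = map[string][]byte{}
	}
	gcm, err := v.aead(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[subject][recordID] = gcm.Seal(nonce, nonce, plaintext, aad(subject, recordID))
	return nil
}

// Read decrypts one record; it fails with ErrErased once the DEK is gone.
func (v *Vault) Read(subject, recordID string) ([]byte, error) {
	gcm, err := v.aead(subject)
	if err != nil {
		return nil, err
	}
	blob, ok := v.records[subject][recordID]
	if !ok {
		return nil, ErrNotFound
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(subject, recordID))
}

// Erase is the right-to-erasure operation: scrub and drop the DEK. Ciphertext stays
// in place on purpose: nothing else has to be found and wiped to make it unrecoverable.
func (v *Vault) Erase(subject string) error {
	if _, err := v.aead(subject); err != nil {
		return err // unknown subject, or already erased
	}
	for i := range v.keys[subject] {
		v.keys[subject][i] = 0 // best-effort scrub of the in-memory copy
	}
	v.keys[subject] = nil
	return nil
}

// CiphertextCount shows that erasure left the stored ciphertext untouched.
func (v *Vault) CiphertextCount(subject string) int { return len(v.records[subject]) }

func main() {
	v := NewVault()
	_ = v.Store("subj-4471", "address", []byte("House 12, Road 5, Dhaka")) // constructed sample
	pt, _ := v.Read("subj-4471", "address")
	_ = v.Erase("subj-4471")
	_, err := v.Read("subj-4471", "address")
	fmt.Printf("before: %s\nafter: %v (%d ciphertext record(s) still stored)\n", pt, err, v.CiphertextCount("subj-4471"))
}
```

The caveat a practitioner should attach to any crypto-shredding claim: erasure is only complete if the key itself was never copied into logs, snapshots or backups, and if no plaintext was written anywhere else (search indexes, caches, export files, the facial-recognition features derived from an image). The data mapping step of the compliance procedure below is what establishes whether those copies exist.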
How to achieve PDPO 2025 compliance
Six steps from data mapping to full compliance. Start now -- enforcement begins May 2027.
Conduct data mapping and inventory
Identify all personal data your organization collects, processes, and stores. Document data flows, storage locations (including cloud regions, replicas and backups, which are also in scope for localization), processing purposes, legal basis, and retention periods.
Implement consent management with Wenme
Deploy Wenme as your consent management layer. OAuth 2.1 scopes map to data processing purposes. Consent is captured at authentication, stored immutably, and can be withdrawn by the data subject.
Deploy access control with Darwan
Implement Darwan for role-based access to personal data. 42 API endpoints enforce who can access which personal data, for what purpose, and for how long. Complete audit trail.
Establish data localization with Professional Vault
Migrate personal data to Professional Vault running on KaritKarma Tier-3 infrastructure in Dhaka. AES-256 encryption at rest, TLS 1.3 in transit. All data stays within Bangladesh.
Configure breach detection and notification
Deploy Aegis for automated data breach detection, with BitsPath for notification within the 72-hour window. Configure alerts via Email, SMS, and WhatsApp to the Data Protection Authority and to affected individuals.
Appoint DPO and establish governance
Appoint a Data Protection Officer. Establish DPIA processes, maintain records of processing activities, and create data subject rights request workflows. LoneSock Consultancy provides advisory.
Personal Data Protection Ordinance (PDPO) 2025
The PDPO 2025 is Bangladesh's first comprehensive data protection law. Under it, personal data of Bangladesh citizens must be stored within Bangladesh, and explicit consent must be obtained before data is collected.
Penalties: 1-5% of annual turnover. Applicability: not just banks -- all organizations.
PDPO applies to your organization. Start compliance now.
Data localization alone requires infrastructure migration. Consent management, access control, and breach notification require technology deployment. 13 months is not as long as it sounds.