A Conversation About the Data Privacy Act
A reconstructed dialogue with a CIO who is reading the Act for the first time — what they ask, what I answer, and where the reading turns operational.
This conversation is a composite of three I have had with three different CIOs across BFSI, retail, and SaaS in the past six months. The questions recur; the answers do too. I have set them down here in roughly the order they get asked. Where the answer required a digression into a related international privacy regime, I have kept the digression because the international context is exactly what helps the Bangladeshi reader place the Act inside a frame they can use.
“My head is reasonably full. Where do I actually start?”
You start with a data-flow map. Not a spreadsheet of systems — a diagram, end-to-end, for the three highest-volume personal-data categories in your business. Where the data enters, where it is processed, where it is stored, where it is backed up, where it leaves, and which third parties touch it on the way through. Without that artefact, every other conversation is theoretical. And by third parties, I mean every SaaS subprocessor, every analytics service, every help-desk vendor, every backup integration. These are exactly the entities the regulator’s first information request will name.
“Does this force me into a sovereign cloud?”
The Act does not force you into one. It does make the compliance story considerably simpler when you use one — locality, residency, and sovereignty alignments fall out of the deployment model rather than being layered on after. Customers who use a hyperscaler can comply. Most find that the vendor renegotiations and the cross-border-transfer audits cost more than the migration would have. The honest answer is that the choice depends on your workload’s data classification and your tolerance for audit overhead — and the migration cost has come down meaningfully in the last two years.
“What changes inside my own engineering?”
Five operational shifts, in roughly the order they hit you:
- Diagrams, kept current, including SaaS subprocessors and operational logs
- SCC-equivalents, intra-group agreements, in-country residency proofs — picked per flow
- Versioned, scoped, withdrawable, auditable per identity — built into the data model
- IR runbooks must scope personal-data exposure inside the regulator's notification window
- Recruitment, reporting line and budget protected from product pressure
“Where will most of my budget actually go?”
Not where you expect. The instinct is that this is a cloud problem. It is mostly an application problem. The Act forces work into the data model — fields that store personal data need classification metadata, retention policies need code paths that actually delete, consent state needs to be addressable per identity. Each of these is application work, not infrastructure work. The infrastructure work is real but bounded; the application work is open-ended.
Source: Cloud Digit customer engagements, 2026 to date; effort-weighted.
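To make the data-model work concrete, here is an added example (my own illustration, not code from any customer engagement or from the Act) of the three application-level obligations named above: classification metadata on the fields that hold personal data, consent that is versioned, scoped, withdrawable and auditable per identity, and a retention policy whose code path actually deletes. The field names, categories and retention periods are constructed assumptions, not values the Act prescribes.

```python
"""Added example (not the author's code): a minimal personal-data model showing
classification metadata per field, a per-identity versioned consent ledger, and
a retention sweep that really deletes. All names and periods are illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Classification metadata attached to each field that stores personal data.
# Categories and retention periods are constructed examples, not from the Act.
FIELD_CLASSIFICATION = {
    "email":         {"category": "personal",  "retention_days": 365},
    "national_id":   {"category": "sensitive", "retention_days": 180},
    "order_history": {"category": "personal",  "retention_days": 730},
}


@dataclass
class ConsentRecord:
    subject_id: str
    scope: str          # the purpose this consent covers, e.g. "marketing"
    version: int        # increments on every grant or withdrawal of the same scope
    granted: bool
    at: datetime


class ConsentLedger:
    """Append-only ledger: each grant and withdrawal is a new versioned row, so the
    current state and the full history are both addressable per identity."""

    def __init__(self):
        self._rows: list[ConsentRecord] = []

    def _latest(self, subject_id: str, scope: str) -> Optional[ConsentRecord]:
        rows = [r for r in self._rows if r.subject_id == subject_id and r.scope == scope]
        return max(rows, key=lambda r: r.version) if rows else None

    def _append(self, subject_id: str, scope: str, granted: bool, now: datetime) -> int:
        prev = self._latest(subject_id, scope)
        version = 1 if prev is None else prev.version + 1
        self._rows.append(ConsentRecord(subject_id, scope, version, granted, now))
        return version

    def grant(self, subject_id: str, scope: str, now: Optional[datetime] = None) -> int:
        return self._append(subject_id, scope, True, now or datetime.now(timezone.utc))

    def withdraw(self, subject_id: str, scope: str, now: Optional[datetime] = None) -> int:
        return self._append(subject_id, scope, False, now or datetime.now(timezone.utc))

    def is_granted(self, subject_id: str, scope: str) -> bool:
        latest = self._latest(subject_id, scope)
        return bool(latest and latest.granted)

    def history(self, subject_id: str) -> list:
        """Audit view: every consent event for one identity, grouped by scope and version."""
        return sorted((r for r in self._rows if r.subject_id == subject_id),
                      key=lambda r: (r.scope, r.version))


@dataclass
class SubjectRecord:
    subject_id: str
    collected_at: datetime
    fields: dict = field(default_factory=dict)   # field name -> stored value


def expired_fields(record: SubjectRecord, now: datetime) -> list:
    """Fields whose retention period, read from the classification metadata, has lapsed.
    An unclassified field has no retention policy, so the sweep fails closed on it."""
    out = []
    for name in record.fields:
        meta = FIELD_CLASSIFICATION.get(name)
        if meta is None:
            raise KeyError(f"unclassified personal-data field: {name}")
        if now - record.collected_at > timedelta(days=meta["retention_days"]):
            out.append(name)
    return out


def apply_retention(records: list, now: datetime) -> list:
    """The code path that actually deletes: strips expired fields in place and
    returns an audit list of (subject_id, field) pairs that were removed."""
    deleted = []
    for rec in records:
        for name in expired_fields(rec, now):
            del rec.fields[name]
            deleted.append((rec.subject_id, name))
    return deleted


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger.grant("subject-42", "marketing", t0)
    ledger.withdraw("subject-42", "marketing", t0 + timedelta(days=30))
    # constructed sample record; "placeholder" stands in for a real identifier value
    rec = SubjectRecord("subject-42", t0, {"email": "x@example.com", "national_id": "placeholder"})
    print("marketing consent now:", ledger.is_granted("subject-42", "marketing"))
    print("deleted by retention sweep:", apply_retention([rec], t0 + timedelta(days=200)))
```

The design choice worth noting is that consent is never updated in place: withdrawal is a new row with a higher version, so the ledger answers both "is this identity consented for this purpose right now?" and "show me every consent event for this identity", which is what an access request and an audit each need. The retention sweep refuses to run over a field that has no classification entry, because a field without metadata is a field with no retention policy at all.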
“How does this compare to GDPR or India’s DPDPA?”
The framing is broadly aligned. The vocabulary — controller, processor, sensitive category, lawful basis — is shared with GDPR, PDPA, DPDPA, and PIPL. The cross-border-transfer regime is more specific to Bangladesh than any of those. The enforcement posture currently appears closer to Singapore’s PDPA than to the EU’s GDPR — proportionate, dialogue-led, educative for the first cycle of major findings. That posture will harden over time.
“What actually triggers a regulator-side investigation?”
Three triggers we have observed so far. A material breach with personal data exposure. A complaint from a citizen exercising their access or erasure rights. And a thematic review — where the regulator selects a sector and reviews multiple institutions against a common framework. The last category is the one most institutions are not preparing for, and is where most of the early enforcement action will land.
“What do I do this quarter?”
Inventory. Flow map. Sovereignty audit. DPO scoping. In that order. Each is a discrete deliverable with a named owner and a date. None of them is glamorous; all of them are necessary; and the sequence matters more than the speed.