The compliance gap
In-house counsel at banks and fintechs report that PDPA 2023's cross-border transfer provisions, particularly around adequacy determinations and standard contractual clauses, remain difficult to operationalise absent finalised implementing rules from the Data Protection Authority. This creates a compliance-timing mismatch: institutions are expected to demonstrate readiness while awaiting regulatory clarity on mechanism.
Practical questions institutions are raising
- Whether group-wide data-sharing arrangements with regional hubs (Dubai, Singapore) qualify as adequate without a bilateral adequacy finding.
- How algorithmic decision-making disclosure obligations interact with existing SBP fintech regulation.
- What a defensible data-protection impact assessment record looks like pending finalised DPA guidance.
Key takeaway
Institutions building PDPA compliance programmes now should document a reasoned, good-faith interpretation of cross-border transfer mechanisms rather than waiting for full regulatory certainty. This is a posture CECI's forthcoming PDPA Compliance Roundtable will examine in a closed-door, Chatham House Rule setting.
