On 6 November 2025, the interim government gazetted the Personal Data Protection Ordinance, 2025 (Ordinance No. 61 of 2025) — Bangladesh's first standalone legislation dedicated to the protection of personal data. Until this point, data privacy in Bangladesh rested on a patchwork of constitutional provisions, sectoral regulations, and the now-replaced Information and Communication Technology Act 2006. The PDPO changes this fundamentally. Businesses that collect, process, or store personal data of individuals in Bangladesh now face a clear statutory framework with real penalties, and the 18-month compliance window from the date of gazette publication is already running.
The Constitutional Foundation and the Statutory Gap It Fills
Article 43 of the Constitution of the People's Republic of Bangladesh guarantees every citizen the right to privacy of correspondence and other means of communication. This constitutional guarantee, however, remained largely aspirational in the digital context. No statute translated it into actionable obligations for data controllers until the PDPO. The Ordinance explicitly anchors itself in this constitutional right, creating a statutory mechanism to enforce what Article 43 promises. The result is that businesses can no longer rely on the absence of a specific data protection statute as a defence to privacy-invasive practices.
The statutes that preceded it in this field (the Digital Security Act 2018, its replacement the Cyber Security Act 2023, and now the Cyber Protection Ordinance 2025 that supersedes that Act) addressed cybercrime, not data governance. The PDPO fills a distinct legislative gap: it regulates the lawful collection, processing, retention, and transfer of personal data by private and public entities alike.
Core Obligations: Consent, Disclosure, and the Data Fiduciary Model
The PDPO introduces the concept of the "data fiduciary" — any entity that determines the purpose and means of processing personal data. This is the Bangladeshi equivalent of the EU GDPR's "data controller," and the obligations are comparable in weight if not in detail.
Section 6 of the Ordinance requires that consent be voluntary, specific, informed, unambiguous, and — critically — withdrawable. A blanket consent clause buried in terms of service will not satisfy this standard. Businesses must inform data subjects, at or before the point of collection, of: (a) the specific purpose for which data is collected; (b) the retention period; (c) whether and to whom data will be transferred; and (d) the process for withdrawing consent. These disclosure requirements apply to every category of personal data, not merely "sensitive" data.
The data fiduciary is also directly liable for the acts of any data processor it engages: a processor's failure is treated as the fiduciary's own. Outsourcing data processing to a third party therefore does not transfer compliance risk; it compounds it. Any business engaging cloud service providers, payroll processors, or CRM platforms that handle personal data must ensure that its processing agreements bind the vendor to the same purpose limits, retention periods and transfer restrictions the fiduciary itself is subject to, and that those terms flow down to any sub-processor the vendor in turn engages.
Cross-Border Transfers and the Localisation Mandate
The PDPO imposes significant restrictions on the cross-border transfer of personal data. Data classified as "confidential" or "restricted" under the Ordinance must be stored within Bangladesh. For other categories, transfers are permitted only where the receiving jurisdiction provides an adequate level of protection — a standard the government is yet to define by notification.
This has immediate implications for multinational companies operating in Bangladesh, SaaS platforms with overseas servers, and any business using global cloud infrastructure. Until the government publishes its list of adequate jurisdictions, businesses should assume that any offshore transfer of Bangladeshi personal data carries regulatory risk, and that data in the "confidential" or "restricted" categories cannot lawfully leave the country at all. The prudent course is to begin mapping data flows now, recording for each dataset its classification, where it is stored and which vendors or affiliates abroad receive it, so as to identify which datasets may need to be localised.
Penalties and the Compliance Timeline
The penalty regime is proportional to turnover: general contraventions attract fines of 1-2% of annual turnover, while significant data fiduciaries — a category the government will designate by notification — face fines of 2-5% of annual turnover. For a mid-sized Bangladeshi company with annual revenues of BDT 50 crore, a 2% penalty translates to BDT 1 crore. These are not nominal sums.
The 18-month compliance window from the gazette date of 6 November 2025 places the effective enforcement deadline at approximately May 2027. That may seem distant, but the work required is substantial: auditing existing data collection practices, rewriting consent mechanisms, reviewing vendor contracts, mapping cross-border data flows, and training staff. Businesses that treat compliance as a last-quarter project will find themselves exposed.
It is worth noting that, as of April 2026, no case has yet been reported under the PDPO; the enforcement apparatus is still being constituted. But the statutory obligations are already on the statute book, and the compliance window is a period for building compliant systems, not a suspension of the law. Early movers will have a decisive advantage when enforcement begins.
Practical Steps for Businesses
Compliance is not a single document — it is an operational overhaul. At minimum, businesses should: (1) appoint a data protection officer or designate an internal compliance lead; (2) conduct a comprehensive data audit identifying what personal data is collected, from whom, for what purpose, and where it is stored; (3) rewrite privacy policies and consent forms to meet the PDPO's specificity requirements; (4) review all vendor and processor agreements for PDPO-compliant data processing clauses; and (5) establish a documented process for responding to data subject access and withdrawal requests.
Our senior practitioners regularly advise businesses on regulatory compliance, corporate governance, and the intersection of technology law with commercial operations. For organisations seeking to build PDPO-compliant data governance frameworks — or to assess their current exposure — early engagement with qualified legal counsel is the most cost-effective path to readiness.