Bangladesh currently relies on several laws that indirectly address data protection, primarily the Digital Security Act 2018, which covers cybercrimes and unauthorized access to data. This act includes provisions against hacking, data theft, and other digital offenses, which inherently protect aspects of personal data. Additionally, sector-specific regulations may apply to certain industries, such as telecommunications and banking, imposing data handling requirements. The government is also in the process of enacting a dedicated Personal Data Protection Act (PDPA), which is expected to align more closely with international standards like GDPR. This upcoming law aims to provide a comprehensive framework for the collection, processing, storage, and transfer of personal data. Meheruba helps clients navigate this evolving landscape, ensuring compliance with existing regulations while preparing for future legal frameworks to safeguard personal data in Bangladesh. We stay updated on legislative developments to offer proactive advice.

Yes, the General Data Protection Regulation (GDPR) can apply to businesses in Bangladesh if they process personal data of individuals located in the European Union (EU) or offer goods or services to them. This extraterritorial scope means that even if a company is based entirely in Bangladesh, it may still need to comply with GDPR's strict requirements regarding data collection, storage, processing, and transfer. For example, if a Bangladeshi e-commerce site sells to customers in Germany or an IT service provider processes data for a client in France, GDPR obligations are likely triggered. Compliance involves understanding data subject rights, implementing appropriate technical and organizational measures, and potentially appointing a Data Protection Officer (DPO). Our team advises on GDPR applicability and helps implement necessary compliance measures for businesses with international operations, ensuring they meet global privacy standards.

In the event of a data breach in Bangladesh, immediate and strategic action is crucial to minimize harm and legal liabilities. Companies should first secure their systems to prevent further compromise, isolating affected systems and patching vulnerabilities. The next critical step is to assess the extent and nature of the breach, determining what data was compromised, how many individuals are affected, and the potential impact. Under the Digital Security Act 2018, there are provisions related to unauthorized access and data theft, which may necessitate reporting to law enforcement authorities. The upcoming Personal Data Protection Act will likely introduce specific breach notification requirements, similar to GDPR's 72-hour notification rule. We provide rapid response legal support, guiding clients through incident investigation, evaluating regulatory reporting obligations, drafting communications with affected parties, and implementing measures to prevent future breaches, thereby minimizing legal and reputational damage.

Meheruba assists businesses in drafting comprehensive and legally compliant privacy policies, terms of service, and data processing agreements tailored to their specific operations and the legal requirements in Bangladesh. We begin by understanding your business model, data collection practices, and target audience to ensure that the documents accurately reflect your operations. Our team ensures these documents clearly articulate how personal data is collected, used, stored, and protected, as well as outlining user rights such as access, correction, and deletion. We focus on transparency, enforceability, and alignment with both local laws (like the Digital Security Act 2018 and the anticipated PDPA) and international best practices (like GDPR), helping to build trust with customers and mitigate regulatory risks. Beyond drafting, we also advise on implementing these policies effectively across your organization and regularly updating them to reflect changes in law or business practices.