Data Rights Defined: Bangladesh Enacts New Data Protection and Governance Framework

Two complementary regulatory gazettes governing the protection and management of digital data—often regarded as the “mineral resource” of the digital era—were officially issued on November 8. The new frameworks establish accountability for digital platforms in handling personal data, prohibit profiling of minors without explicit permission, and affirm the individual as the sole owner of their personal data.

The two gazettes are titled the Personal Data Protection Ordinance 2025 and the National Data Governance and Interoperability Architecture. Together, they aim to introduce stronger security, transparency, and accountability across the country’s digital service ecosystem. The ordinance mandates explicit consent before any personal data is collected or used and establishes an independent Data Protection Authority to enforce compliance. All institutions will be required to report data breaches, while the government will implement the NRDeX platform for secure data exchange. Modeled after the GDPR, the new regulations are expected to strengthen digital privacy and establish systemic discipline in national data infrastructure.

Under the ordinance, no organization may collect, store, or share personal data without explicit consent. Citizens will have the right to know who is collecting their data, for what purpose, and for how long. Individuals may also request access to, correction of, or deletion of their data. Unauthorized cross-border transfer of personal data will be considered a legal violation.

A specific provision addresses “sensitive personal data,” including medical, genetic, biometric, religious, political, sexual orientation-related, criminal history, and financial information. Handling such data requires elevated security safeguards and special permissions. In the event of data misuse or breach, organizations will be required to notify the authority within 72 hours, inform affected individuals, and may face significant penalties, including fines, service suspension, or license cancellation. Criminal liability may be applied to responsible officials.

The ordinance also mandates the formation of an independent Data Protection Authority, which will investigate complaints, oversee compliance, and enforce penalties. Additionally, all entities will be required to appoint Data Protection Officers to monitor internal data handling practices.

To enable secure and standardized data exchange, the Bangladesh National Data Governance and Interoperability Architecture (BNDIA) framework is being introduced, complemented by the National Responsible Data Exchange (NRDeX) platform. This system will allow government and private institutions to share necessary data with consent, reduce duplication, enhance service delivery, and improve cybersecurity through zero-trust design principles.

Under this framework, services such as opening a bank account or accessing government services will not require separate document submission; verification will occur directly from authorized databases—with the citizen’s permission. Institutions including government agencies, banks, telecom operators, and e-commerce platforms will need to upgrade systems to ensure encryption, cyber-risk management, and consent tracking.

Faiz Ahmad Taiyeb, Special Assistant to the Chief Adviser for Posts, Telecommunications and Information Technology, stated, “The reckless handling and illegal trade of personal data ends here, legally and unequivocally. Even if it comes a decade after the European GDPR, it marks a turning point. From today onward, the governance of personal data in Bangladesh must change in both practice and principle.”

He added, “We want to remind all that unregulated data exchange and unlawful monetization are now prohibited. A new era of responsible conduct for digital platforms begins. No one will be allowed to violate Bangladesh’s data sovereignty in digital commerce.”

Fahim Mashroor, Coordinator of the technology policy platform TiPAP, commented, “More important than just protection, this law legally establishes the ownership of personal data for citizens. Now an individual can benefit commercially from their data, sharing or selling it only with their consent.”

Technology policy analyst Abu Nazm Muhammad Tanvir Hossain noted that while the legislation aligns with the EU GDPR and India’s DPDP Act 2023, clearer definitions are still necessary to prevent misinterpretation or misuse. He also emphasized the need for judicial oversight to prevent abuse by state institutions and to ensure alignment with global standards to maintain international data cooperation.

The government states that these laws will strengthen digital rights, reinforce national data sovereignty, and establish a citizen-centric framework for responsible data governance in Bangladesh.

DBTech/IH/OR