Personal Data Protection Ordinance (PDPO) 2025: A Comparative Analysis with the GDPR

The Personal Data Protection Ordinance (PDPO) 2025 represents a landmark in Bangladesh’s journey toward a rights-based digital governance framework. Rooted in the principle that individuals are the rightful owners of their personal data, the Ordinance mirrors many features of the EU General Data Protection Regulation (GDPR)—the global benchmark for data privacy—while adapting them to local economic and institutional contexts.

A close comparison reveals that while the PDPO captures the spirit of the GDPR, it also departs from it in crucial ways, reflecting a distinct emphasis on data sovereignty, national security, and pragmatic compliance.

Strengths of the PDPO 2025

1. Recognition of Data Ownership

The PDPO establishes personal data as the property of individuals, elevating privacy to a matter of ownership rather than mere protection.
Strength: This goes beyond the GDPR’s “data subject rights” by embedding a moral and legal claim of ownership, fostering stronger personal autonomy and accountability across organizations handling data.

2. Defined Accountability and Governance Obligations

By introducing defined roles such as data fiduciary and data processor, the PDPO ensures that each actor in the data value chain bears distinct obligations. The requirements for audits, encryption, confidentiality, and minimum record retention of five years promote structured accountability.
Strength: Establishes a compliance-oriented framework suited to developing economies seeking to professionalize data handling and risk management.

3. Data Localization and Sovereignty Safeguards

The PDPO mandates that confidential or restricted data remain within Bangladesh, with cloud-stored data requiring a synchronized local copy. This reflects a clear orientation toward data sovereignty and national control.
Strength: Strengthens national cybersecurity, prevents data exploitation by external actors, and aligns with global trends toward digital sovereignty seen in countries like India and Indonesia.

4. Transitional Flexibility

The Ordinance provides an 18-month transition period before enforcement of certain provisions—such as appointment of a Chief Data Officer and imposition of administrative fines—comes into effect.
Strength: Offers organizations time to develop internal compliance capacity, refine governance structures, and implement technological safeguards before full enforcement begins.

5. Dual Liability Framework

The PDPO introduces both personal and corporate liability for unauthorized disclosure or misuse of personal data. Penalties can include imprisonment or significant fines, extending responsibility to company directors and officers if negligence or approval is established.
Strength: Embeds accountability at leadership level and deters reckless or unethical data practices.

Weaknesses and Gaps Compared to the GDPR

1. Limited Independence of the Supervisory Authority

The PDPO’s proposed National Data Governance Authority (NDGA) operates under government oversight rather than as an independent regulator.
Weakness: The lack of institutional autonomy may undermine public trust, limit impartiality in enforcement, and hinder the recognition of Bangladesh as providing an “adequate level of protection” for international data transfers—something the GDPR requires.

2. Broad and Vague Exemptions

The Ordinance grants exemptions for data processing on grounds such as national security, public order, or investigation, without clearly defined procedural safeguards.
Weakness: These open-ended provisions could override individual privacy rights and create uncertainty in enforcement.
GDPR Contrast: The EU framework restricts such exemptions through necessity and proportionality tests, overseen by independent authorities and subject to judicial review.

3. Gaps in Consent and Lawful Processing Principles

While the PDPO mandates that consent must be “explicit, informed, and revocable,” it lacks a nuanced framework for legitimate interests, automated decision-making, or profiling—core aspects of the GDPR.
Weakness: This may complicate compliance for organizations relying on data-driven automation or AI-based analytics, as there is little guidance on lawful grounds for processing other than consent.

4. Data Localization as a Compliance Burden

Mandatory data localization, while enhancing sovereignty, can increase operational costs and restrict global collaboration.
Weakness: May discourage foreign investment, limit participation in cross-border data ecosystems, and reduce competitiveness for digital enterprises seeking to operate globally.

5. Absence of Strong Data Subject Remedies

The PDPO grants individuals rights of access, correction, deletion, portability, and withdrawal of consent, but lacks detailed procedural guidance for exercising these rights or escalating grievances beyond administrative channels.
Weakness: Without judicially enforceable remedies or clear timelines for redress, data subjects may face practical barriers to enforcement, unlike under the GDPR, where complaints can escalate to independent supervisory authorities or courts.

Final thought

The Personal Data Protection Ordinance (PDPO) 2025 is a forward-looking and necessary evolution in Bangladesh’s digital governance landscape. It aligns broadly with the GDPR’s objectives—enhancing transparency, accountability, and data protection—but embeds a distinctly national perspective emphasizing security, sovereignty, and gradual implementation.

However, its success will depend on how the National Data Governance Authority interprets and enforces these provisions. For global interoperability and investor confidence, Bangladesh must ensure regulatory independence, clarity of exemptions, and procedural fairness.

If effectively implemented and refined through stakeholder consultation, the PDPO could serve as a regional model for balancing privacy rights with national priorities—bridging the gap between global data protection norms and local realities.
