Do our new data protection and governance ordinances align with growth ambitions?

The recent approval of the Personal Data Protection Ordinance, 2025, and the National Data Governance Ordinance, 2025, marks a significant milestone in Bangladesh's journey toward stronger digital data governance. These ordinances aim to safeguard citizens' privacy and ensure data sovereignty. 

However, as discussed in various forums in recent years, certain provisions in their current form raise serious concerns and merit thorough reconsideration before implementation. If not carefully reworked, these regulations could create barriers that deter global investment and undermine the innovation momentum critical to Bangladesh's digital economy.

As the country — along with the Bangladesh Investment Development Authority (BIDA) — actively seeks to attract more foreign direct investment (FDI), stringent data policies could produce unintended ripple effects that may discourage major global players like Meta or Google from investing here. 

Given the importance of maintaining an investor-friendly environment, it is crucial to strike a balance between robust data protection and a regulatory framework that supports and encourages innovation and investment. Without this balance, Bangladesh risks losing its competitive advantage in the global digital landscape.

Any entity processing the data of Bangladeshi citizens falls within the scope of the ordinances and faces significant criminal and administrative penalties for violations. While data protection is essential, the enforcement mechanisms lack sufficient nuance. The framework applies uniformly to all organisations, regardless of size or operational capacity, placing small and medium-sized enterprises on the same compliance footing as multinational corporations. 

Approximately 98% of Bangladesh's businesses are SMEs, most of which lack the technological infrastructure and capital to navigate complex data regulations — a burden likely to discourage their expansion and foreign partnerships.

Multinational companies that operate from overseas while maintaining only a liaison or representative office in Bangladesh are likely to face significant structural, legal, and operational challenges under the new data governance and personal data protection laws. 

These companies generally depend on globally integrated data systems, centralised cloud infrastructure, and cross-border processing workflows. The new regulatory environment directly conflicts with these operational models.

A primary challenge arises from mandatory data localisation. The laws require important categories of personal and operational data to be stored within Bangladesh's national data ecosystem. Companies that rely heavily on storing and processing data in international cloud regions will be forced to redesign their entire architecture. 

Since a local office typically lacks the authority, operational capacity, and investment required to build or maintain local data centres, compliance becomes technically and financially burdensome.

In addition, restrictions on cross-border data transfer severely affect companies that rely on international data routing for analytics, risk scoring, identity verification, fraud detection, or algorithmic optimisation. Many of these services are powered by centralised systems located outside Bangladesh. If outbound transfers require government approval or become limited, service quality may deteriorate, delays may occur, or essential systems may cease functioning entirely.

The laws also impose a heavy compliance burden, including mandatory registration as data fiduciaries, appointment of compliance officers, regular audits, data lifecycle documentation, and strict data-breach reporting. 

Liaison offices — traditionally limited to communication, coordination, and representation — are not equipped to handle such responsibilities. To comply, a company may need to shift from a liaison structure to a full commercial presence, thereby increasing cost, legal exposure, and operational complexity.

Moreover, the requirement to integrate with government digital platforms and national APIs may conflict with global corporate security standards. Many multinational firms maintain strict internal policies prohibiting integration with external government systems due to cybersecurity, governance, or political risk considerations.

Additional constraints arise from restrictions on profiling and algorithmic decision-making, which are central to digital platforms, financial services, mobility solutions, and cloud-based analytics. If profiling is limited or requires user-specific consent and local processing, core functionalities may weaken or become impossible to deliver.

Taken together, these issues create a scenario in which compliance costs outweigh the potential benefits of operating in Bangladesh. If the laws are enforced rigidly, multinational companies may scale back operations, limit services, or, in certain cases, withdraw entirely if their global systems cannot be adapted to Bangladesh-specific requirements. 

For a nation striving to diversify beyond traditional industries and attract foreign direct investment, this would be a self-inflicted wound.

The ordinances also mandate the establishment of a National Data Management Authority reporting to the Prime Minister or Chief Adviser, which raises doubts about independence. An authority overly influenced by political considerations risks becoming an instrument of state surveillance rather than a guardian of privacy rights. 

Furthermore, the ordinances give officials wide powers — especially to access local data for national security — making privacy protections weak. This contradiction means foreign investors may worry about data rules changing due to political shifts, making it difficult to trust that processes will remain consistent and transparent.

The next elected government in Bangladesh will face multiple challenges stemming from these data protection and governance ordinances, including ensuring credible institutional oversight, balancing national security and privacy, maintaining an attractive investment environment, and potentially revising regulatory frameworks to align with democratic governance and stakeholder interests. 

Before these ordinances become fully operational in 18 months, Bangladesh should undertake a comprehensive revision. Thoughtful regulation and innovation are not mutually exclusive — but the current ordinances prioritise control over growth.

Mamun Rashid Sketch: TBS

Mamun Rashid is the Chairman at Financial Excellence Ltd and Founding Managing Partner of PwC Bangladesh.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.