As Pakistan moves toward a comprehensive digital economy, the legal framework for data privacy is undergoing a seismic shift. For organizations handling citizen data, the transition from voluntary best practices to mandatory legal obligations is now a critical business imperative. This note outlines the salient features of the pending Personal Data Protection Bill (“PDPB”), 2023 (latest published draft, May 2023), and the “Mandatory Data Protection Measures for Organizations Handling PII” issued in August 2025 by the National Cyber Emergency Response Team (“PKCERT”) (the “PKCERT Advisory”).
For any entity – whether a private company, a firm, or a government body (termed a public service provider) – that has the legal authority to decide why and how personal data is collected and used (acting as a Data Controller), the transition will require a fundamental shift in operations. Similarly, service providers who handle data solely on behalf of another organization (acting as Data Processors) will soon face independent statutory liabilities and compliance obligations.
While the PKCERT Advisory primarily refers to “entities” and “organizations,” it aligns with these definitions by imposing mandatory security measures on any entity – public or private – that collects, processes, or transmits Personally Identifiable Information (“PII”). This includes third-party and outsourced service providers, who typically function as data processors.
The Personal Data Protection Bill (PDPB), 2023: Future Obligations
If enacted, the Personal Data Protection Bill, 2023 will comprehensively regulate the collection and processing of personal data – covering activities from collection and storage to use, sharing, and deletion – while recognising informational privacy as a fundamental right.
1. Applicability
For companies, the Personal Data Protection Bill, 2023 has a broad territorial reach. It applies to any organisation that is established, registered, or operating in Pakistan and processes personal data. It also covers:
- Foreign-incorporated entities that offer goods or services to persons in Pakistan or otherwise carry out activities directed at Pakistan (including profiling individuals in Pakistan), even where the processing is carried out digitally or from outside the country.
- Organisations with no physical presence in Pakistan where their processing activities are subject to Pakistani law under applicable contractual or international law arrangements (for example, where data or infrastructure is located in Pakistan).
- Any entity that collects or processes personal data of individuals who are physically present in Pakistan at the time of collection (including foreign nationals temporarily in Pakistan), subject to consistency with the privacy laws of the entity’s home jurisdiction.
2. Key Legal Definitions (Section 2)
- Personal Data: Information that identifies a natural person, excluding anonymized or pseudonymized data.
- Data Subject (Section 2(j)): Any natural person – whether a Pakistani citizen or a foreign national – whose personal information is collected, used, or stored by an organization.
- Profiling (Section 2(dd)): The automated use of personal data to evaluate or predict a person’s behavior, economic status, health, or social preferences.
- Sensitive Personal Data (Section 2(kk)): Specifically includes financial records, health data, CNIC or passport numbers, biometric/genetic data, religious beliefs, criminal records, political affiliations, and ethnicity.
- Critical Personal Data (Section 2(g)): Data retained by public service providers, identified by sector regulators, or classified by the Commission as critical to national interest.
3. Establishment of the NCPDP (Section 35)
The Bill creates the National Commission for Personal Data Protection (NCPDP) (“Commission”), an autonomous body with powers to enforce the Act, issue regulations, and decide on complaints.
4. Mandatory Registration & Governance
All data controllers and processors must register with the Commission. Entities identified as “significant” must appoint a Data Protection Officer (DPO) as per Section 5(4).
5. Strict Breach Notification
In the event of a data breach, Data Controllers must notify the Commission and the affected individuals within 72 hours of becoming aware of the incident. Data Processors are similarly obligated to inform the Controller and the Commission immediately upon discovering a breach within their systems.
6. Data Residency & Cross-Border Transfer (Sections 31-32)
A critical compliance hurdle is the localization of Critical Personal Data – which includes data retained by Public Service Providers (entities handling personal data while working under the government). This data must only be processed on servers or digital infrastructure located within the territory of Pakistan. Other personal data may be transferred abroad only where the Commission permits it: where the destination country offers an adequate legal regime, or under approved binding contracts.
7. Operationalizing Data Subject Rights
Your internal systems must be capable of honoring citizen rights within statutory timelines:
- Right to Erasure (Section 26): You must delete a person’s records within 14 days if the data is no longer necessary or if consent is withdrawn.
- Right to Access (Section 16): You must confirm whether data is being processed and provide a copy in an intelligible form within 30 days of a request.
- Right to Data Portability (Section 29): You must provide data in a machine-readable format so the subject can transmit it to another provider.
8. Enforcement and Penalties
The PDPB 2023 introduces a tiered penalty structure to ensure compliance:
- General unlawful processing: Processing or disclosing personal data without lawful basis or required safeguards may attract fines up to USD 125,000, increasing to USD 250,000 for repeat violations.
- Sensitive personal data breaches: Unlawful handling of highly private data (e.g., financial, health, biometric, or identity data) may result in fines up to USD 500,000.
- Critical personal data breaches: Violations involving nationally sensitive or regulator-designated data, including localisation requirements, may incur fines up to USD 1,000,000.
- Revenue-based fines: For corporate entities, the Commission may impose fines up to 1% of their annual gross revenue in Pakistan or USD 200,000, whichever is higher.
- Failure to comply or remedy: Non-compliance with Commission directions or failure to rectify violations may lead to fines up to USD 2,000,000, along with possible suspension or cancellation of registration.
9. The PKCERT Advisory: Mandatory Security Measures
While the Bill provides the legal framework, the PKCERT Advisory establishes the immediate technical and process-oriented mandates for organizations handling Personally Identifiable Information (PII).
- Mandatory Data Classification: Organizations must categorize all datasets into four sensitivity tiers: Public, Internal, Confidential, and Restricted. This removes the vulnerability of “treating all records equally”.
- Encryption Standards: Organizations are required to implement encryption so that data is unreadable to unauthorized parties. PII must be secured “at rest” (stored on databases/hard drives) using AES-256 and “in transit” (moving across networks) using TLS 1.2 or higher.
- Identity & Access Management:
  - Role-Based Access Control (RBAC): Employees of the organization must be granted access on the principle of “least privilege”.
  - Access Management & MFA: To prevent unauthorized access, you must enforce Multi-Factor Authentication (MFA) – a security process requiring two or more proofs of identity – for all administrative or privileged accounts.
  - Password Security: Plaintext storage is prohibited; passwords must be stored using salted hashing methods such as bcrypt or Argon2.
- Operational Requirements:
  - Data Minimization: Entities must only collect the minimum PII required for their specific business needs.
  - Incident Response: Organizations must maintain and regularly rehearse a documented breach response plan, including protocols for communicating with PKCERT.
  - Vendor Risk Management: Third-party providers handling PII must be audited and bound by strict contractual data protection obligations.
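As an added illustration of the password-security mandate above (this is example code written for this note, not code from the PKCERT Advisory or the Bill), the following Python audit walks a credential store and flags values that are not salted bcrypt or Argon2 hashes. The sample store, the policy thresholds for bcrypt cost and Argon2 memory, and the regular expressions for the hash string formats are all assumptions made here.

```python
from __future__ import annotations
import re

# Assumed organisational thresholds; the advisory names the algorithms only.
MIN_BCRYPT_COST = 10
MIN_ARGON2_MEMORY_KIB = 65536

# PHC / modular-crypt string formats emitted by common Argon2 and bcrypt libraries.
ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Bare hex of MD5 / SHA-1 / SHA-256 length: a digest with no salt or work factor.
BARE_DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

# Constructed sample credential store (illustrative values, not real user data).
SAMPLE_CREDENTIALS = {
    "alice": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG",
    "bob": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5-length digest
    "dave": "hunter2",  # plaintext, prohibited outright
    "erin": "$2b$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",  # weak cost
}


def audit_stored_password(stored: str) -> tuple[bool, str]:
    """Return (compliant, reason) for one stored credential value."""
    m = ARGON2_RE.match(stored)
    if m:
        variant, _version, mem_kib, _t, _p = m.groups()
        if int(mem_kib) < MIN_ARGON2_MEMORY_KIB:
            return False, f"{variant} memory {mem_kib} KiB below policy minimum"
        return True, f"{variant} salted hash ({mem_kib} KiB)"
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return False, f"bcrypt cost {cost} below policy minimum"
        return True, f"bcrypt salted hash (cost {cost})"
    if BARE_DIGEST_RE.match(stored):
        return False, "bare unsalted digest (MD5/SHA-1/SHA-256 length)"
    return False, "plaintext or unrecognised format"


def non_compliant_users(store: dict[str, str]) -> list[str]:
    """Users whose stored credential fails the salted-hash requirement."""
    return sorted(u for u, v in store.items() if not audit_stored_password(v)[0])
```

Running `non_compliant_users(SAMPLE_CREDENTIALS)` gives the list of accounts that would need a forced password reset and re-hash before the store could be called compliant.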
10. Strategic Recommendations
In light of these developments, we advise our clients to immediately initiate a Data Classification Audit. This strategic step resolves the critical vulnerability of treating all data records equally, which significantly increases exposure risk. By operationalizing the PKCERT sensitivity tiers – categorizing information as Public (for general disclosure), Internal (organizational use), Confidential (moderate harm if leaked), or Restricted (highly sensitive PII) – organizations can focus their highest security resources on their most sensitive assets.
Crucially, this audit allows for the specific identification of data categories that carry the highest legal and financial risk. In particular, organizations can isolate datasets that are subject to heightened regulatory controls such as localization mandates, explicit consent thresholds, enhanced security safeguards, and breach-notification sensitivities. These include:
- datasets whose compromise could trigger national-interest or sector-regulatory implications
- highly private personal datasets whose misuse or disclosure would expose the organization to the highest penalty tiers under the forthcoming law
Identifying these specific categories ensures they are processed in accordance with strict localization and explicit consent requirements, reducing the risk of statutory penalties and regulatory action. Classification results can also be applied to access controls, vendor arrangements, retention schedules, and breach-response procedures, so that the highest-risk data is consistently handled within strong governance frameworks.
An effective audit also supports data minimization by highlighting outdated, duplicative, or unnecessary records for secure disposal. This reduces risk, improves data quality, and streamlines readiness for mandatory registration and oversight by the forthcoming Commission, as organizations can clearly demonstrate what personal data they hold, why it is held, where it is stored, and how it is protected.