
Pakistan's Data Protection Law: What Businesses Actually Need to Know
The Personal Data Protection Act is here. Here's what it requires, who it covers, and what you need to do before the deadline.
Pakistan's Personal Data Protection Act (PDPA) represents the country's most significant data regulation to date. If your business collects, stores, or processes information about individuals — customers, employees, users — the PDPA affects you.
Here's a plain-language breakdown of what it means in practice.
Who It Covers
The PDPA applies to any person or organisation that:
- Collects personal data of Pakistani residents, or
- Processes personal data of Pakistani residents
This includes businesses operating outside Pakistan if they're handling data of people in Pakistan. Yes, this means the law has extraterritorial reach — similar to Europe's GDPR.
What Counts as Personal Data
Personal data is broadly defined to include any information that identifies or could identify a specific person:
- Names, addresses, phone numbers, email addresses
- National identity numbers (CNIC)
- Financial information
- Health data (given special "sensitive" status)
- Biometric data
- Location data
- Online identifiers (IP addresses, cookies)
Sensitive personal data — health, financial, religious, political, biometric — attracts additional requirements and restrictions.
Key Obligations
Lawful Basis for Processing
You need a lawful basis for every category of personal data you process. The main options:
- Consent — explicit, informed, freely given, and withdrawable
- Contract — processing necessary to perform a contract with the individual
- Legitimate interests — a genuine business need that doesn't override individual rights
- Legal obligation — required by law
Relying on consent? It needs to be specific to each purpose, in plain language, and genuinely optional.
Data Subject Rights
Individuals have the right to:
- Know what data you hold about them
- Request correction of inaccurate data
- Request deletion ("right to be forgotten")
- Restrict or object to processing
- Data portability (get their data in a usable format)
You need processes to handle these requests within defined timeframes.
Data Protection Officer
Certain organisations are required to appoint a Data Protection Officer (DPO) — typically those processing sensitive personal data at scale, or public bodies.
Data Breach Notification
If you suffer a data breach that's likely to result in harm to individuals, you must notify both the Personal Data Protection Authority (PDPA) and affected individuals within specific timeframes.
Cross-Border Transfers
Transferring personal data outside Pakistan requires one of the following:
- The recipient country has "adequate" data protection (a determination made by the Authority)
- Appropriate safeguards are in place (contractual clauses, binding corporate rules)
- Specific exceptions apply (consent, contract necessity)
Common Compliance Gaps
Based on how similar legislation has been implemented elsewhere, the most common gaps tend to be:
- Privacy notices that don't actually explain processing purposes clearly
- Consent mechanisms that bundle consent for multiple purposes
- Vendor contracts that don't address data processing requirements
- No process for handling data subject requests
- HR data overlooked — employment data is personal data too
- Website cookies treated as an administrative rather than a compliance matter
What to Do Now
A practical starting point:
- Data mapping — identify what personal data you hold, where it lives, and what you do with it
- Lawful basis review — for each category of data, what's your basis?
- Privacy notice update — does your privacy policy actually explain your processing?
- Vendor assessment — do your contracts with data processors include appropriate clauses?
- Breach response plan — do you have a documented plan for notifying the Authority and individuals?
Getting Legal Advice
Data protection compliance is fact-specific. The right approach for a fintech company processing financial data is different from what a law firm needs for client records.
If you need to advise clients on PDPA compliance — or navigate it yourself — LawyerUp's assistant can help research the specific provisions applicable to your sector and draft compliance documentation.
Questions about PDPA compliance? Contact our team or search the regulations in LawyerUp.