
IN CONVERSATION WITH

Mr. M Mazedul Islam, Chief Legal Officer and Company Secretary, bKash Limited

Interview by Barrister Tahminisha Sayarah Khan

We are pleased to present an exclusive interview with Mr. M. Mazedul Islam, Barrister-at-Law, a distinguished leader in Bangladesh’s legal and corporate arena. As a leading multinational Mobile Financial Services (MFS) provider, bKash Limited has set a strong benchmark in data protection and privacy practices. In this conversation, Mr. Islam shares insightful perspectives on bKash’s data protection initiatives, alongside reflections drawn from his leadership journey and his forward-looking vision for the organization and the industry.

Questions:

1. How do you currently manage personal data across the network of your company, and how do you evaluate the new Personal Data Protection Ordinance 2025 (PDPO) in terms of readiness for implementation by the MNCs at large?

As an MFS provider processing millions of daily transactions, data governance cannot be an afterthought; it requires layered approaches built on solid foundations: clear data classification, purpose limitation, access controls, encryption, and ongoing privacy assessments. As Bangladesh’s first comprehensive data protection law, PDPO fundamentally reframes the conversation by recognizing that data belongs to individuals, not the organizations collecting it. This shift brings us in line with international privacy standards, which, frankly, was overdue.

For MFS providers, PDPO compliance means rethinking several operational areas. Consent management needs to satisfy requirements for explicit, informed authorization. Retention policies must align with data minimization principles, keeping information only as long as truly necessary. Organizations need to designate Chief Data Officers as the law mandates, and establish breach notification frameworks ready for when the independent regulator under the National Data Governance Ordinance 2025 becomes operational.

Here’s what makes this particularly challenging for our sector: we inherently process sensitive financial and biometric data, which means enhanced safeguards beyond standard protections are non-negotiable. What we really need from regulators is clarity around cross-border transfer mechanisms; these are vital for international payment infrastructure but currently lack detailed implementation frameworks.

2. What are the main risks an MFS company generally faces in data protection given Bangladesh’s cybersecurity landscape?

The threat landscape is honestly quite complex. You’ve got the obvious risks: increasingly sophisticated social engineering attacks that exploit customer trust, third-party processors whose security might not match your own standards, and compliance challenges when you’re working alongside international partners.

PDPO 2025 has materially changed the stakes. We’re now dealing with a law that imposes serious consequences: imprisonment, fines, and personal liability for directors who can’t demonstrate adequate diligence. The mandatory breach reporting requirements also mean you need robust incident response infrastructure ready to go; you can’t build that after a breach happens.

Bangladesh’s context adds some unique wrinkles. There’s this capability gap we’re seeing across the ecosystem. Smaller participants may not have the technical maturity to meet PDPO expectations, which potentially creates liability exposure for larger platforms. And let’s be honest about reputational risk in financial services: it’s particularly brutal.

3. How does the legal department contribute to the company’s operations in ensuring personal data protection and privacy?

Legal functions in MFS really need to operate on multiple levels simultaneously. On the contractual side, you’re structuring data processing agreements with processors and partners that incorporate all the PDPO requirements: consent frameworks, purpose limitations, security standards, breach protocols, and cross-border transfer provisions under adequate safeguards.

Product development is another critical touchpoint. Legal needs to be involved early, conducting privacy assessments that evaluate whether what we’re proposing is actually necessary and proportionate, what legal basis applies, and how we’ll meet transparency obligations through customer notices that real people can actually understand.

Operationally, the challenge is translation. You’re taking statutory language and turning it into policies people can actually implement.

Throughout all of this, there’s a delicate balance to maintain. Legal and Corporate Governance teams essentially become the nexus ensuring innovation can continue within governance frameworks that protect everyone’s interests: customers, shareholders, and the Company itself.

4. What emerging data protection and privacy trends do you think Bangladesh should face and prepare for in the next 5 years?

PDPO 2025 is just the starting point; the real work begins now as it gets implemented. Cross-border transfer mechanisms need urgent attention. The law says international flows are permitted under “certain conditions,” but we don’t yet have the detailed frameworks to operationalize that.

Algorithmic accountability is another area I expect will heat up quickly. Financial services globally are increasingly using machine learning for credit assessment, fraud detection, and personalization: all areas where the potential for bias exists. PDPO has provisions on automated decision-making, but these need operationalization through technical standards.

I’d also expect to see stricter enforcement evolving: more aggressive data minimization scrutiny, comprehensive third-party risk management requirements, compressed breach notification timelines and clearer operationalization of data subject rights like portability and erasure. One thing that concerns me is the law’s exemptions for national security and investigations. These are legitimate in principle, but they need clear boundaries.

For industry, preparation means investing in privacy-preserving technologies and participating in collaborative cyber-threat intelligence initiatives. The organizations that get ahead of this will have genuine competitive advantage.