IN CONVERSATION WITH

Mr. Mohammad Sarfaraz Hyder, General Counsel, Legal Affairs, Robi Axiata PLC.

 — Interview by Barrister Moe Moe Than  

_____________________________________________________________________________________

We are delighted to feature Mr. Sarfaraz Hyder, Barrister-at-Law a prominent figure in Bangladesh’s legal corporate landscape. Robi Axizta PLC, a leading multinational and Telecommunication company, has consistently demonstrated a strong commitment to data protection. In this interview, Mr. Hyder offers a compelling overview of Robi’s initiatives for data protection while also sharing valuable reflections from his leadership experience and vision for the future.

_____________________________________________________________________________________

1. How do you currently manage personal data across the network of your company, and how do you evaluate the new Personal Data Protection Ordinance 2025 (PDPO) in terms of readiness for implantation by the MNCs at large?

At Robi Axiata PLC, we manage personal data through a structured data governance framework aligned with global best practices and tailored to the Bangladeshi regulatory environment. As a telecom and technology-driven organization, we handle large volumes of personal data. Data is collected with transparent notices and consent mechanisms, stored in secure, localized data environments with strong encryption, access controls, and audit trails. We routinely conduct Data Protection Impact Assessments (DPIAs) for new products and services, apply anonymization and pseudonymization techniques for analytics, and maintain centralized oversight through a dedicated Data Privacy Office and Data Governance Committee.

The PDPO 2025 marks a significant evolution in Bangladesh’s data protection regime. The Ordinance requires immediate compliance with its core obligations, while certain provisions are deferred for up to 18 months, subject to government notification. This phased approach provides organizations with a reasonable transition period to operationalize compliance.

From an industry perspective, readiness among MNCs is uneven. Large, regulated entities such as telecom operators are comparatively well-prepared due to existing compliance infrastructure and experience with global data protection standards. However, smaller MNCs and local enterprises may face challenges, particularly around data minimization, breach response timelines, and enhanced safeguards for sensitive data. 

2. What are the main risks a telco generally faces in data protection given Bangladesh’s cybersecurity landscape? 

Telecommunication operators in Bangladesh operate in a high-risk data protection environment due to the scale of operations and the evolving cybersecurity threat landscape. With over 180 million mobile connections nationwide, telcos are prime targets for cyber threats such as phishing, SIM-swap fraud, ransomware, API exploitation, and attacks on legacy network infrastructure. The most significant risks include large-scale personal data breaches arising from compromised credentials, unpatched systems, third-party integrations, and insider threats, particularly in areas such as SIM registration, billing platforms, and customer care systems. At an ecosystem level, challenges remain, particularly inconsistent cyber hygiene across vendors, varying levels of digital literacy, and risks within the broader supply chain. The PDPO’s breach notification and accountability requirements are therefore both timely and necessary. 

3. How does the legal department contribute in the company’s operation in ensuring personal data protection and privacy?

The Legal Department plays a central role in ensuring that personal data protection and privacy are embedded across the company’s operations. Beyond ensuring compliance with applicable laws, rules, directives, and regulatory guidance, the Legal team functions as a strategic advisor, governance enabler, and risk gatekeeper for data-related activities.

At Robi, the Legal team is deeply involved in reviewing and structuring all data-related contracts to ensure alignment with the PDPO. Overall, the Legal function acts as the integrating force between business, technology, and compliance, helping to manage risk, ensure accountability, and foster a privacy-first culture. This integrated approach not only mitigates regulatory exposure under the PDPO but also enhances customer trust and long-term business sustainability.

4. What emerging data protection and privacy trends do you think Bangladesh should face and prepare for in the next 5 years?

Over the next five years, Bangladesh will need to prepare for several significant data protection and privacy developments driven by digital transformation and the implementation of PDPO.

A key emerging trend will be the regulation of AI-driven data processing, particularly algorithmic decision-making, profiling, and automated credit scoring—areas highly relevant for the telecom and fintech ecosystem. Preventing discriminatory outcomes and ensuring transparency, explainability, and accountability in automated systems will become increasingly important.

Looking ahead, global trends suggest the emergence of privacy labeling for digital services, quantum-resilient encryption, and significantly stronger protections for children’s data, particularly as edtech and digital platforms continue to grow. From a risk perspective, Bangladesh must remain cautious of overly broad exemptions that could enable disproportionate surveillance, as well as the current shortage of skilled privacy and cybersecurity professionals. Strengthening enforcement capacity will be critical to ensuring the PDPO’s credibility and effectiveness.

QUOTE:

 “The Personal Data Protection Ordinance 2025 marks a significant evolution in Bangladesh’s data protection regime, introducing both immediate compliance obligations and a phased transition for organizations.”