
Cost of Bangladesh’s new data laws

Data protection towards digital isolation?

Abu Nazam  M Tanveer Hossain


Two new Ordinances were gazetted on 6 November, together creating a single, very heavy data regime:

● the Personal Data Protection Ordinance (PDPO) governs privacy, rights and security of personal data;
● the National Data Governance Ordinance (NDGO) governs how all data – personal and non-personal – must sit inside a state-managed interoperability and DPI stack (BNDIA, NRDEX, etc.).
Let us try to analyse the impact of these two laws on (a) global OTTs and (b) small/local data-handling businesses.

General overview
Very broad scope & precedence

NDGO applies across Bangladesh to any ministry, body or private entity handling personal or other data, and to data shared between multiple institutions on a “need and purpose based” interoperable basis (Section 1(3)(b)).

PDPO defines data-fiduciary very broadly as any person deciding purposes of processing personal data.

NDGO then gives its rules overriding effect over conflicting laws (Section 3).

Impact: any business that stores customer, user or citizen data is “in scope”, and NDGO + PDPO sit at the top of the legal hierarchy. Sectoral laws become add-ons, not alternatives.

Personal data, children, and “significant data-fiduciaries”
PDPO’s personal data definition is extremely broad: names, IDs, phone numbers, financial data, location, online identifiers and physical, genetic, biometric, psychological and economic characteristics.

A child is anyone under 18 and serving them requires authorisation.

Both laws use significant data-fiduciary categories based on sovereignty impact, data volume/value, risk to rights and threats to security/public order.

Impact: most global OTTs and large local platforms will be classified as significant; even medium-sized local fintech, health, EdTech and other platforms will likely fall in.

National Data Governance stack (NDGO)
NDGO defines “national data governance” as covering the whole lifecycle of state and public-interest data, including classification, processing standards, access control, security, interoperability, reuse, minimisation and destruction.

It hard-codes a Digital Public Infrastructure layer (DPI) built on “Bangladesh National Data & Interoperability Architecture (BNDIA)” and “National Responsible Data Exchange (NRDEX)”, with zero-trust security and pseudonymisation.

Impact: over time, private businesses that want to integrate with government or regulated ecosystems may be mandated to plug into BNDIA/NRDEX – with technical and contractual obligations that resemble critical infrastructure participation.

Centralised authority, attached to PMO
NDGO sets up a National Data Governance Authority as a statutory body attached to the Prime Minister’s / Chief Adviser’s Office (Section 8) with its own seal and power to sue and be sued.

A high-powered National Data Governance Policy Board, chaired by the PM/Chief Adviser and populated by key ministers and the central bank governor, sets policy direction (Section 5).

Impact: data governance becomes a top-tier sovereignty and economic issue, but also concentrates a lot of discretionary power in one administrative complex, with limited explicit judicial checks inside the ordinances themselves.

Impact on global OTTs

Extraterritorial reach and “too risky to serve” risk
NDGO explicitly contemplates extraterritorial jurisdiction for the Authority and courts where required (Section 4).

PDPO also treats foreign companies determining purposes of processing Bangladeshi personal data as data-fiduciaries.

For global OTTs, this means that staff and infrastructure located outside Bangladesh can be pulled into BD proceedings, and that internal global architectures must be adapted specifically for BD requirements, separate from the “standard GDPR stack”.

Combined with criminal liability and imprisonment in PDPO’s offences chapter, OTTs will perceive a non-trivial personal risk for senior managers and local representatives. Many global firms will do a risk/return calculation and may decide the compliance and personal exposure is disproportionate to a mid-size market.

Resident Chief Data Officer & local governance overlay
PDPO requires every significant data-fiduciary to appoint one or more Chief Data Officers (CDOs) for personal data protection.

It also says the CDO must perform duties at a location determined by the Authority (Section 23(2)), which in practice implies a resident, locally accessible officer.

For global OTTs, this goes beyond GDPR’s “representative” model and looks like a quasi-executive officer sitting in Bangladesh but accountable for global systems; recruiting such talent and giving them real authority is costly and complex; and having one officer personally exposed to criminal and civil risk in a single jurisdiction can be a deterrent.

Integration with NRDEX/BNDIA and zero-trust
OTTs that want deep integration – e.g. KYC with national ID, e-government login, social login into public services – may be required to interoperate through NRDEX with zero-trust architecture and pseudonymisation rules defined by the Authority.

Impact: significant engineering cost to conform to government APIs and token models; centralised control over data-exchange “chokepoints” raises commercial and privacy concerns; any suspension of NRDEX tokens or approvals could instantly break business-critical flows.

Children, parental consent and product design
With “child” set at under 18, PDPO implies parental or guardian consent for key data processing, and tighter restrictions around profiling and behavioural advertising for minors.

For OTTs, most teen-heavy services (short-video, gaming, social messaging) must redesign onboarding, consent and ad-tech flows specifically for Bangladesh; in practice, verifying parental consent at scale in a mostly prepaid, shared-device market is almost impossible, creating a gap between the “law on paper” and what is technologically and culturally feasible.

Penalties based on global revenue & criminalisation
Although the fine formulas sit in later sections, the overall design clearly contemplates very large administrative penalties and imprisonment for serious or repeated non-compliance. Combined with broad definitions of “data breach” and “data-fiduciary”, this creates a perception that BD may be a “too risky to serve” jurisdiction unless the company is willing to build a bespoke compliance stack and accept high downside risk.

Impact on local enterprises
Same structural obligations, fewer resources

A small Dhaka-based startup that collects customer personal data automatically becomes a data-fiduciary under PDPO. eCommerce and ride-sharing services will likely qualify as significant data-fiduciaries.

NDGO says national data governance is based on shared standards, classification, access control, zero-trust security and lifecycle management.

Micro-enterprises may in practice be exempted through subsequent rules, but the Ordinances themselves do not carve out a clear, simple “SME regime”. That means expectations around consent, security, record-keeping, breach notification and cooperation with the Authority apply, at least on paper, to everyone, and the cost of lawyers, auditors, data-mapping, DPO/CDO-like roles and engineering work is prohibitive for early-stage firms.


Integration burden with state DPI
Local fintech, logistics, health, EdTech and GovTech startups will be pushed towards NRDEX/BNDIA integration if they want to use government IDs, registries or public data sources.

For them this means complex API, token and security requirements beyond what a two-person dev team can handle; recurring compliance audits and technical certification; and dependence on Authority approvals and platform stability for basic business operations.

Risk of selective enforcement and chilling effect
NDGO concentrates policymaking and enforcement in a powerful authority and board system, with the executive chair and members appointed by the government and linked to the PMO.

For small businesses, genuine mistakes (e.g. a misconfigured S3 bucket, or using a third-party analytics SDK without a perfect contract) can technically be violations; fear of heavy penalties, or even of being dragged into Cyber Tribunal processes, may discourage experimenting with data-driven products altogether; “regulatory hawks” (checkbox consultants) will thrive, but innovation may shrink.

Compliance as barrier to entry
Compliance will significantly increase the cost of running a business in Bangladesh. Large banks, telcos and state platforms can absorb the cost of CDOs, audits, DPI integration and security upgrades. For small firms, those are fixed costs that make it harder to enter or survive. Over time, this could:
● entrench big incumbents who can afford full compliance;
● push innovation into the informal/grey zone (apps and services operating without proper registration, or wholly offshore, beyond effective oversight);
● discourage foreign investment into local startups if compliance risk is seen as unmanageable.

Strategic big picture
Taken together, the PDPO and NDGO do respond to real and serious concerns: uncontrolled data brokerage, data leaks, and opaque state/private data sharing. They set out modern concepts such as data-fiduciary responsibility, pseudonymisation, zero-trust security, DPI, and interoperable public infrastructure.

But the way they are drafted – extremely broad scope, strong administrative powers attached to PMO, very demanding obligations (resident CDOs, NRDEX/BNDIA, strict child rules), and the presence of criminal sanctions – risks making Bangladesh look like a high-friction, high-liability jurisdiction for both global OTTs and local SMEs.

Unless the forthcoming rules, guidelines and enforcement practices introduce
● realistic thresholds and phase-ins,
● SME-friendly simplified regimes, and
● strong procedural safeguards and judicial oversight for Authority actions,
the net effect may be paradoxical: less real investment in privacy-enhancing products, more cautious or symbolic participation by big global players, and a chilling effect on the most dynamic segment of the ecosystem – small, data-driven Bangladeshi businesses.


Abu Nazam M Tanveer Hossain: Public policy advocate
