In today’s digital transformation era, data security is one of the world’s important issue. Still fresh in our mind the case of leaking 87 million Facebook user data in 2017. The data of the US Facebook users was unilaterally used by certain political consulting company base in the UK for the purpose of the presidential campaign.1
To prevent data leakage that particularly can affect the company’s business operations, and even the conditions of the industrial sector and government as a whole, 2 the government of the Republic of Indonesia induce Government Regulation No. 82 of 2012, which regulates the Implementation of Electronic Transactions and Systems (PSTE/ Penyelenggaraan Sistem dan Transaksi Elektronik).
In article 17 paragraph 2 of the PSTE, it is stated that the provider of electronic systems for public services are required to place its data centers and disaster recovery centers within Indonesian region which aim to ensure law enforcement, protection and enforcement of state sovereignty over their citizens’ data.3
Thus, imply companies that provide electronic systems for public services which operates their businesses in Indonesia and currently had their data centers abroad is urged to immediately migrate their data centers within Indonesian territory. Yet, the government is able to put sanction for the company that does not follow the regulation requirement.
What is the effect of PP No. 82 to Companies in Indonesia?
Basically, data sovereignty regulation aims to create transparency for data using/mining (for example customer data) and protect the data from being stolen or manipulated by third parties outside of Indonesia’s borders, which can harm the company’s reputation and cause financial losses.
Due to the importance of data security, various countries have implemented policy on localization of data storage. One of the policies discussed by business last year was the GDPR (General Data Protection Regulation), which was designed by the European Union (which was implemented in 28 countries in Europe). Under this regulation, every company (especially those located outside the European Union) is required to provide information to its citizens regarding the use of their personal data and send notifications within 72 hours in the occurrence of a cyber-attack crisis.4
Then what is the effect of GDPR policy on the sustainability of global business? Let’s take a glimpse at study conducted by Evidon, a market research company based in New York, United States. According to their research findings, companies that have complied with GDPR regulation is found experiencing improvement in customer service. These claims derived from the increase in customer loyalty by 34%, the good image of the company by 33%, and consumer interaction by 30%.5
From the above mention findings, there is an indication that the policies implementation regarding data sovereignty support the development of business in a certain country. Particularly in Indonesia, the application of PP No. 82 also gains the pros and cons reaction from business people. There are also responses from business people regarding the implementation that contribute to the declining investment in Indonesia.
Another research carried out by the TRPC Research Firm (an information technology and technology industry consulting firm in the Asia-Pacific), the overall regulation and requirement of data localization affect in reducing Indonesia’s GDP by 0.5-0.7%, limiting the entry of investment to Indonesia by 2.3% and increasing the cost of computer needs by around 30-60%.6
These concerns of the business people were quickly responded by the government through the Ministry of Communication and Information (Kemkominfo a.k.a Kementerian Komunikasi dan Informatika) of the Republic of Indonesia by revising PP No. 82. As Telkomtelstra’s Corporate Secretary & VP Legal, I had the opportunity to participate in the discussion forum for the Revision of Government Regulation (RPP/Revisi Peraturan Pemerintah) No. 82 of 2012 concerning the Implementation of the Electronic Transaction System (PSTE/Penyelenggara Sistem Transaksi Elektronik), event held with the Minister of Communication and Information in Yogyakarta aimed to discuss recommendations on steps that should be taken by government to overcome impact from the requirement of overall data storage localization to the company’s business operations in Indonesia, by first hearing input from various supervisory agencies and sector regulators regarding data classification arrangements from each sector in Indonesia.
Revision of Government Regulation No. 82 of 2012 (“RPP No. 82/2012”) concerning Classification of Electronic Data
In the discussion forum, the Director General of Application and Information (Dirjen Aptika) of the Ministry of Communication and Information, Semuel Abrijani Pangerapan, said that one step taken by the government in responding to the debate regarding the obligation to place DC and DRC in Indonesia was to change the regulation of data center placement in Indonesia. In the Revised Government Regulation/RPP No. 82/2012 the government devised a new provision whereby the storage of data localization is arranged based on the classification of electronic data which is divided into three groups: (1)strategic electronic data, (2)high-risk electronic data, and (3)low-risk electronic data. Data that must be managed, placed and stored in the territory of Indonesia is only data included in the category of strategic electronic data.
The question is what is included in strategic electronic data? All data relating to government administration, as well as state defense and security fall into this category of strategic electronic data. Examples of data included in this category are the Population Identification Number (NIK), data on intelligence agencies, finance, energy and mineral resources, and food security. Meanwhile, for high electronic data (for example user sensitive data) and low electronic data; management, processing and storage can be carried out outside the territory of Indonesia. However, in its application, high and low classification electronic data must meet the requirements of electronic data protection, protection of personal data, and enforcement of state sovereignty.
Electronic data classification is the government initiative that we need to support together. However, from the law point of view, data sovereignty is something that must always be upheld to ensure certainty in data accessibility when law enforcement takes place, regardless the level of classification of the data. The amendment to RPP No. 82/2012 is currently in the process of harmonization among government agencies.
Use of Local Data Centers
Cloud technology is the foundation of the current and future acceleration of digital transformation and has become the backbone of many companies, especially in making a significant contribution in improving their business processes, in order to pursue efficiency and change trends of business landscape.
In addition to provide opportunities for companies to expand their business freely with controlled investments, the leading hybrid cloud solution with local data center located in Indonesia is one option to fulfill compliance with data sovereignty policy in Indonesia. This is the solution and answer that enables organizations or businesses in Indonesia to store Strategic Electronic Data that is sensitive on-premise in the Indonesian region without having to fear losing the flexible ability to carry out business development. But the next big question that arises is whether local provider can be part of the answer for this kind of needs by implementing advanced cloud technology and in accordance with global standards.
Telkomtelstra as a local company with global quality standards, or commonly known as “glocal”, provides Azure Stack solutions powered by Microsoft that help companies to meet compliance standards for data sovereignty without overriding business optimization. Companies can build consolidated, flexible data centers that have the ability to store data that can be accessed anywhere and anytime. In addition, Telkomtelstra has received accreditation from the Ministry of Communication and Information (Kominfo), as a trusted service provider for cloud requirements that comply with PP 82/2001.
Telkomtelstra helps to ensure your company’s data protection is maintained in a local data center that has been equipped with certification of ISO 27001 which is an international standard for implementing information security management system, which is known as Information Security. Regular monitoring and timely response to incidents of cyber threat with qualifications of international standard to minimize the leakage of private data.
We are ready to help your company to comply with Indonesian government regulations requirement regarding data security, while supporting the smooth business operations of your company’s.
4Telkomtelstra, Frost & Sullivan, Data Sovereignty presentation, slide 14.
6Presentasi Kementerian Komunikasi dan Informatika RI, slide 2.