Understanding the Essentials of the Personal Data Protection Law (UU PDP) and How to Start Compliance Efforts

Tue 19 March 2024, telkomtelstra

Author: Edi Nopian Mulia, VP IT, Product & Partnership Digiserve

Law No. 27 of 2022 concerning Personal Data Protection, often referred to as the PDP Law, represents the Government’s effort to enhance privacy rights and to protect personal data in this digital era. With the escalating misuse of personal data, regulations for personal data protection have become essential. The following is a more in-depth explanation regarding the PDP Law and the initial steps that can be taken to ensure compliance with the PDP Law.

What impact will the PDP Law have on your business?

Comply or be Subject to Sanctions

Business activities involving the collecting, processing, and storing personal data must comply with the PDP Law. This includes ensuring that data is only collected with the conscious consent of everyone concerned and maintaining its accuracy and security. Violating these rules may result in fines and damage to the company’s reputation.

Additional Operational Costs

Compliance with the PDP Law requires investment in technology and Human Resources (HR). Each stage, such as data encryption and access control, requires trained resources and the right tools to implement them.

Increasing Customer Trust

Even though it has the impacts as mentioned above, the PDP Law can also increase customer trust. By demonstrating transparency in handling personal data,  the company can obtain a better position in the customer’s eyes.

What Practices Do Regulators Expect from Businesses?

Eight key aspects of the PDP Law need to be considered. Violating this provision may result in significant Company sanctions, including fines of up to 2% of the company’s annual revenues. The following are eight aspects of the PDP Law that need to be considered, along with a summary of what the Government expects  from the entities, whether individuals or organizations/companies that record and process personal data in Indonesia.

The Importance of Data Security and the Impact If a Breach Occurs

With all the points mentioned above, company data security is the main focus. Data breaches threaten the company’s finances and other aspects, such as operational disruptions and even disruption to employee morale. Further citing from several sources, the impact of data breaches includes:

  • Financial Impact: ThreatAdvice states that it costs an average of 3.86 million USD to overcome each data breach, both directly and indirectly, which is used for detection, to prevent the spread of data leaks, loss of customers, and increased costs of cybersecurity insurance.
  • Reputation Damage: Decreased customer loyalty, difficulty in gaining the trust of new customers, and relationships disruption with partners or investors.
  • Compliance with the Law: As previously mentioned, the Government, through its Personal Data Protection Law, imposes significant fines for companies that do not comply with personal data protection practices with a maximum administrative fine of up to 2% of annual revenue.
  • Operational Disruption: Reduced productivity resulting from activities such as data recovery, creating action plans, and implementing cybersecurity system improvements will require a significant amount of time and focus from the Information Technology (IT) team.

 What Actions Can You Take as an IT Leader?

Deep Understanding of the PDP Law

As an IT leader, it is very important to understand the requirements of the Personal Data Protection (PDP)  Law and understand their implication for your company.

Implementation of Data Security Measures

As the person in charge of data in the company, it is important to implement the technical steps and required management systems to ensure compliance with the PDP Law, including:

  • Data inventory and mapping: Identify all the personal data managed by the company and create an inventory so that the data lifecycle can be carried out properly.
  • Risk assessment: Conduct regular risk assessments to identify security gaps or potential data leakage points within the company. Activities such as Vulnerability Assessment and Penetration Testing (VAPT) that are carried out regularly can provide an overview of the IT security system’s strength in the company.
  • Data security: Encrypt data to protect data from data access, change, and deletion by unauthorized parties.
  • Response to data breaches: Design an attack response simulation to evaluate the company’s data security system in order to minimize the impact.

Training and Awareness

Build a data protection culture within the company to ensure that all employees are aware of the importance of data protection. Help them to understand their role in maintaining compliance by conducting regular training sessions, and regularly checking relevant regulations or actively seeking information regarding best practices in data protection.

Documentation and Reporting

Document data security policies and procedures as well as compliance with the PDP Law for a faster response to authority requests. Feel free to contact us via the following link, Contact Us, to get a consultation on how Digiserve’s cybersecurity solutions can help assess and manage your company’s data security risks.