Compliance with the Personal Data Protection Law (PDP Law) of Indonesia
Indonesia has the largest economy in Southeast Asia and is ranked 16th in the world by GDP. In January 2023, there were 212.9 million internet users in Indonesia, as reported by Kepios. This figure represents an internet penetration rate of 77.0%, which is the highest in Southeast Asia. Kepios' analysis shows that internet users in Indonesia experienced a growth of 10 million (+5.2 percent) between 2022 and 2023.
The increasing number of internet users in Indonesia has raised concerns about the security of personal data. In response to these concerns, the Indonesia Personal Data Protection Law (PDP Law), was enacted on October 17, 2022. This serves as a comprehensive regulatory framework governing the collection, utilization, disclosure, and various other forms of processing of personal data. This law applies to both international organizations and governmental as well as private entities operating within Indonesia.
Who Needs to Comply?
The PDP Law applies to organizations that collect or process personal data outside of Indonesia, even if the organization is not located in Indonesia if the data relates to Indonesian citizens or if the processing has legal consequences in Indonesia.
It also adds innovative ideas, such as the duty to notify the regulator prior to and after cross-border personal data transfers. The PDP Law introduces severe penalties for personal data breaches, signalling the significance placed on data security. Individuals can face fines of up to US$400,000, while organizations can be fined up to US$4 million. In addition to monetary penalties, the law also imposes criminal consequences, including potential imprisonment of up to six years. Moreover, it grants authorities the power to seize assets and freeze commercial activities in cases of non-compliance.
What is considered “personal data” under the PDP Law?
The PDP Law defines "personal data" as information pertaining to individuals that can either directly or indirectly identify them, either on its own or in combination with other data, using electronic or non-electronic systems.
Classification of data subjects under PDP Law:
General Personal Data, which consists of full name, gender, nationality, religion, marital status, and/or other personal data which is combined to identify a person (e.g., phone number and IP address).
Specific Personal Data, which consists of health information, biometric data, genetic data, criminal records, children’s data, personal financial data, and/or any data in accordance with the provisions of the prevailing laws and regulations.
Personal Data Controller and Personal Data Processor
According to the PDP Law, a Personal Data Controller is defined as an individual, public body, or international organization that independently or jointly determines the objectives and exercises control over the processing of Personal Data
A Personal Data Processor refers to an individual, public body, or international organization that processes Personal Data on behalf of a Personal Data Controller. It is important to note that the Processor cannot independently determine the objectives or exercise control over the processing of Personal Data and can only do so after being appointed by a Controller.
The PDP Law establishes six aspects that serve as the basis for Personal Data Processing by Controllers: Consent, Contractual obligation, Legal requirement, Vital interest, Public task, and Legitimate interest.
Protect your Personal Data with Data Centric Security Approach
Data-centric security places a strong emphasis on protecting files that contain sensitive information, irrespective of their location. It ensures that the appropriate level of security measures is applied to safeguard data effectively. For optimal protection, sensitive data should be automatically identified as soon as it enters an organization's IT environment, and it should be secured using policy-based security measures throughout its lifecycle.
Data is prone to vulnerability both in transit and when it is at rest, causing comprehensive protection in both scenarios. Various methods exist to secure data in motion or at rest. Encryption plays a pivotal role in data security, serving as a widely employed technique for protecting data during transit as well as when it is stored.
By adopting a data-centric security approach, organizations can prioritize the protection of sensitive information by implementing robust security measures that cover the entire data lifecycle. Encryption, in particular, offers a crucial layer of defence to ensure data security, both when it is in motion and when it is at rest.
How can businesses comply with PDP Law?
To effectively implement a data-centric security approach, it is essential to consider the available encryption and data protection methods, the specific requirements, the applications or data that need protection, and the unique risk environment of the business.
Selecting a vendor that offers a comprehensive range of solutions and centralized key and policy management will facilitate smoother deployment and management controls as your installed base expands.