Cases of personal data breaches in Indonesia have been prevalent, prompting the government to pay closer attention to the protection of its citizens’ personal data. The most recent, in May 2023, saw the ransomware group LockBit allegedly leak 1.5 TB of customer and employee data from Bank Syariah Indonesia (BSI) on the dark web. Before that, in May 2021, 279 million records belonging to Indonesian citizens enrolled in BPJS Health leaked and were traded on the raidsforum.com site. In August 2022, 26 million pieces of personal data, including full names, genders, and ID numbers, were sold on the “breached” forum by an account named Bjorka. Citing a report from Identity Theft Resources, there were over 400 million cases of personal data theft in 2022.
Stolen personal data is commonly used for fraud, fraudulent online loan applications, bank account takeover, and digital wallet breaches. Personal data theft also drives online extortion, political manipulation, and unsolicited telemarketing. For companies, a leak of personal data damages both reputation and financial standing.
In October 2022, the government enacted Law Number 27 of 2022 on Personal Data Protection (the PDP Law). With the PDP Law in force, any domestic or foreign company that processes the personal data of Indonesian citizens falls within its scope and is required to comply.
Its reach is broad because the processing of personal data is now a core part of most companies’ business processes. Within a single company, several departments process personal data: sales/marketing manages customer data, procurement manages vendor data, Human Resources manages employee data, IT manages user data, and so on.
The PDP Law provides a clear definition of personal data, dividing it into two categories:
- Specific personal data, such as health data, biometric data, genetic data, criminal records, child data, personal financial data, and other data as stipulated in the regulations.
- General personal data, such as full name, gender, nationality, religion, marital status, and/or personal data that is combined to identify an individual.
With the PDP Law in place, companies need to align their current personal data processing practices with the processing provisions the law stipulates. Article 16 paragraph 1 of the PDP Law states that personal data processing covers the following activities:
- Acquisition and collection.
- Processing and analysis.
- Storage.
- Correction and update.
- Presentation, disclosure, transfer, dissemination, or publication; and/or
- Deletion or destruction.
To comply with the PDP Law, everyone within the organization must understand their responsibilities in protecting personal data. The PDP Law itself gives companies a maximum of two years to bring themselves into compliance with its provisions. Many companies are already preparing, so as to avoid the administrative, civil, and criminal sanctions the PDP Law imposes for violations.
Common first steps for companies reviewing their data processing activities are as follows:
- Reviewing the personal data processing provisions and policies to ensure compliance with the PDP Law.
- Reviewing existing contracts. Where a contract involves personal data processing, the company needs to secure a valid basis for that processing, such as the data subject’s consent.
- Preparing general guidelines for personal data processing to ensure compliance with the PDP Law.
- Conducting assessments to identify high-risk data processing activities and the impact of implementing the PDP Law on the company.
Companies affected by the PDP Law can adopt strict data security policies, conduct personal data awareness training, implement strong IT security measures, and carry out compliance audits against the PDP Law. As Indonesian citizens, we too must be cautious about handing personal data to other people or organizations, to prevent misuse and personal loss.