Quick Overview: To comply with the PDP Law, you must follow these steps. First, data controllers and processors must update their contracts and policies. Second, evaluate the risks and effects of processing data. Third, safeguard data security and confidentiality. Fourth, obtain consent from data subjects. Fifth, register with the PDPA. Last, abide by cross-border data transfer regulations.
This year, personal data is a major concern, because personal data is frequently the target of cybercrime in the digital space, particularly in Indonesia. Data theft incidents occurred in the last year, especially in the financial technology and e-commerce sectors. President Joko Widodo was particularly concerned about this and enacted a law to protect personal information in the digital ecosystem. It applies to any organization or entity that handles the personal information of Indonesian nationals. Under the PDP Law, data controllers and processors are required to obtain consent, notify individuals, safeguard data, and respect the rights of data subjects, among other duties and obligations.
Therefore, it is important to understand the Law and its implications for your business or organization and to take the necessary steps to ensure compliance. This article provides an overview of the Law, its key provisions, and how to comply with it.
What is the Personal Data Protection Law?
Indonesia recently enacted a new law regulating the protection of personal data in electronic and non-electronic systems. The Personal Data Protection Law (UU PDP) was signed by President Joko Widodo on October 17, 2022. It is the first law in Indonesia that specifically regulates personal data protection, and it aims to provide more significant, strict and integrated protection for the rights and interests of data subjects.
This regulation applies to every person, public body or international organization that collects, processes, stores and transfers personal data of Indonesian citizens. The government provided a two-year transition period for data controllers and data processors to adapt and comply with the law.
Why is the PDP Law important?
The PDP Law is important because it regulates the rights and obligations of data subjects, controllers and processors regarding personal data. Personal data is any information relating to an identifiable individual, such as name, address, identification number, etc. The PDP Law also covers specific personal data, such as sensitive data (religion, ethnicity, etc.), children's data and personal financial data. This specific personal data requires a higher level of consent from the data subject.
In addition, this regulation gives data subjects the right to:
- Access, correct, delete, restrict, object to and transfer their personal data.
- Be forgotten (the right to be forgotten).
- Receive compensation for losses caused by a data breach.
- Be informed about the purposes, scope, methods, duration and location of the processing of their personal data.
- Withdraw their consent at any time.
The Law imposes various obligations on data controllers and processors, such as:
- Obtain valid consent from data subjects and apply data protection principles (such as lawfulness, fairness, accuracy, relevance, etc.).
- Ensure data security and confidentiality.
- Notify data breaches.
- Carry out data protection impact assessments.
- Appoint a data protection officer and keep records of processing activities.
- Comply with cross-border data transfer rules.
It also requires data controllers and processors to register with the Personal Data Protection Authority (PDPA). This new independent institution will supervise and enforce the law.
What are the consequences of violating the PDP Law?
The PDP Law provides various sanctions and penalties for violations, depending on the severity and impact of the violation. They include:
- Administrative sanctions, such as warnings, fines, temporary suspension or revocation of registration, temporary or permanent prohibition of processing activities, or deletion or destruction of personal data.
- Criminal sanctions, such as imprisonment for up to seven years or fines up to IDR 70 billion (approximately USD 4.9 million) for intentional or negligent violations that cause harm, loss, or interference with the rights and interests of data subjects.
- Civil sanctions, such as compensation for material or immaterial damages suffered by data subjects due to violations of the PDP Law.
How to comply with the PDP Law?
The PDP Law is a new and complex law that will affect many aspects of personal data processing in Indonesia. Therefore, data controllers and data processors should take the following steps to comply with the PDP Law:
- Review and update their policies, procedures, contracts, and agreements related to personal data processing to ensure they align with the PDP Law.
- Conduct data protection impact assessments to identify and mitigate the risks and impacts of personal data processing on data subjects.
- Implement appropriate technical and organizational measures to ensure data security and confidentiality, such as encryption, pseudonymization, access control, etc.
- Obtain valid and informed consent from data subjects for personal data processing, especially for specific personal data, and provide clear and easy ways for data subjects to exercise their rights and withdraw their consent.
- Notify data breaches to the PDPA and data subjects within 72 hours of becoming aware of the breach, and take remedial actions to prevent or mitigate the harm.
- Register with the PDPA and appoint a data protection officer to liaise with the PDPA and data subjects and to monitor and ensure compliance with the PDP Law.
- Comply with the cross-border data transfer rules, such as ensuring adequate levels of protection in the destination country, obtaining consent from data subjects, and entering into data transfer agreements with foreign data controllers or data processors.
The PDP Law aims to protect the rights and interests of personal data subjects in Indonesia. Data controllers and data processors must be aware of the PDP Law and take the necessary steps to comply with it during the two-year transition period. By complying with the PDP Law, data controllers and processors can improve their reputation, trust and competitiveness in the Indonesian digital space.