Indonesia's Personal Data Protection (PDP) Law

Ensure accuracy in data processing, protect data against misuse, loss, or damage and demonstrate compliance.

What is the PDP Law & When Does It Go Into Effect?


The Indonesian Personal Data Protection Law (PDP Law, Law No. 27 of 2022) is Indonesia's framework for governing personal data processing by organizations of every type and industry, whether private or public. It is largely modeled on the European Union's General Data Protection Regulation (GDPR), takes full effect in October 2024, and regulates the collection, use, disclosure, and other processing of personal data.

It is the country's first comprehensive data protection statute. Its creation was spurred by data breaches that exposed gaps in the existing sectoral rules, by the growing collection and use of personal data, and by the worldwide trend toward stronger, more robust data privacy regulation.

Signed into law in October 2022, the PDP Law is currently in its two-year transitional period, which ends in October 2024. Organizations need to bring their processing activities into compliance when handling data belonging to individuals in Indonesia, and even when the processing takes place outside Indonesia if it has legal effect within the country or concerns Indonesian data subjects abroad.

Who Does PDP Law Apply to?


The law governs the protection of personal data across all sectors. It applies to organizations based inside and outside Indonesia: whenever an individual, business, public body, or international organization processes the personal data (general or specific) of an Indonesian data subject, or where the processing has legal effect within the territory of Indonesia, the PDP Law applies.

There are partial exemptions, including for national defense and security, law enforcement, state administration in the public interest, and certain financial-services supervision purposes.

What is Personal Data Under the PDP Law?


The PDP Law defines two categories of personal data: general personal data and specific (sensitive) personal data. Personal data in general is any data about an identified or identifiable individual, on its own or in combination with other information, directly or indirectly, whether held in an electronic or non-electronic system. General personal data is the comparatively lower-risk information found on identity documents and other ordinary records; specific personal data is data whose compromise would expose the data subject to greater harm and that therefore requires additional protection.

Examples of general personal data include:

  • Individual's full name
  • Gender
  • Nationality
  • Religion
  • Marital status

Examples of specific or sensitive personal data include:

  • Health and medical information
  • Biometric and genetic data
  • Criminal records
  • Children's data
  • Personal financial data
  • Any other data deemed sensitive by law

What are the Requirements of the PDP Law?

The PDP Law outlines several responsibilities for organizations, including:

Organizations must process personal data only on a recognised legal basis and in line with the law's enumerated processing principles, which include informing data subjects of the purposes for which their personal data is processed.

Organizations must process personal data in a limited, specific, transparent, and lawful manner, and must protect it from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and loss.

Organizations must determine the security level appropriate to the personal data and ensure that adequate security and protection mechanisms are in place. Data controllers must keep the personal data they collect confidential and supervise every party that processes personal data on their behalf, such as data processors.

Organizations must take the measures needed to prevent unlawful access to personal data, by using a security system for the personal data they process and/or by processing it through an electronic system that is reliable, secure, and responsibly operated.

Companies that transfer personal data internationally must ensure that the recipient country provides a level of data protection equal to or higher than that required by the PDP Law. If it does not, they must put adequate and legally binding safeguards in place to protect the data, and failing that, obtain the data subject's consent to the transfer.

Organizations must appoint a Data Protection Officer (DPO) under the PDP Law if they process personal data for public service purposes, if their core activities require regular and systematic large-scale monitoring of personal data, or if their core activities consist of large-scale processing of specific personal data or of data relating to criminal offences. The DPO advises on and monitors the organization's compliance with the PDP Law, including its data protection impact assessments, and acts as the contact point on personal data matters.

What are the Penalties of Failing to Comply with the PDP Law?

The PDP Law imposes strict penalties for non-compliance. Sanctions can be administrative or criminal, depending on the severity of the violation, and affected data subjects can also seek damages:

  • Administrative sanctions, ranging from written warnings, temporary suspension of processing, and deletion or destruction of the personal data to administrative fines of up to 2% of the organization's annual revenue
  • Criminal penalties for unlawful collection, disclosure, use, or falsification of personal data, including imprisonment of up to six years and fines of up to IDR 6 billion, with fines for corporate offenders of up to ten times that amount
  • Compensation for damages claimed by data subjects harmed by a violation

What Should Organizations Do to Adhere to the PDP Law?

If they haven't already, organizations that process personal data in Indonesia should begin preparing to comply with the PDP Law today. Steps organizations can take include:

Reviewing the data flows currently in place. Is data being classified as it is collected and processed?

Reviewing the processes for conducting data protection impact assessments. Does your business have a Data Protection Officer (DPO)? Failing to appoint a DPO when one is required can lead to sanctions, from written warnings and fines to suspension of data processing.

Ensuring there are processes in place for responding to data subject requests and for notifying data subjects and the supervisory authority of a personal data breach, which the law requires in writing within 3 x 24 hours of the breach.

Implementing appropriate organizational and technical security measures to ensure personal data is protected.

Are you collecting, using, or selling personal data? Your organization needs to identify a lawful basis for each processing activity. As under the GDPR, that basis may be the data subject's explicit consent or another basis the law recognises, such as performance of a contract, a legal obligation, protection of vital interests, a public-interest task, or a legitimate interest.

How to Comply with the PDP Law?


To ensure compliance with PDP Law, organizations must process data in a way that ensures security, including protection against unauthorized or illegal processing and against accidental loss, destruction, or damage. 

Implementing a data loss prevention (DLP) solution like Digital Guardian can help organizations achieve best practices when it comes to personal data protection, including a desired outcome of the PDP Law: Protecting processed data against unauthorized or unlawful access, disclosure, alteration, misuse, loss or damage.

Like many recent data privacy regulations, Indonesia's PDP Law borrows several elements of the European Union's General Data Protection Regulation (GDPR). Digital Guardian, which can automatically identify GDPR-regulated data and protect it in use, in transit, and at rest, can help organizations demonstrate compliance with their PDP Law obligations as well.


The PDP Law requires that personal data not be used for any purpose other than the one for which it was collected. Data Loss Prevention from Digital Guardian supports PDP compliance by enabling organizations to discover, monitor, and control personal data in transit on the network, in use on workstations, and at rest on workstations, network servers, and cloud storage. The data is protected against unauthorized transmission, dissemination, use, and storage, while the analytics and reporting functionality provides the documentation needed to demonstrate PDP compliance.

Benefits of Using Fortra Solutions to Help with PDP


Find and Protect Personal Data

The PDP Law divides personal data into general personal data and specific, or sensitive, personal data. The latter is data that needs special protection: health data and information, biometric data, genetic data, criminal records, children's data, personal financial data, and other data designated by law. Digital Guardian can discover, monitor, and control these specific data types, helping keep them accurate, complete, and consistent so they can be handled safely.


Secure Data Processing Efforts

Article 35 of Indonesia's new data privacy law requires the data controller to protect and ensure the security of the personal data it processes, an obligation that extends to the data processors working on its behalf. Digital Guardian provides technical measures designed to protect personal data in transit on the network, in use on workstations, and at rest on workstations, network servers, and cloud storage.


Facilitate Safe Data Transfers

Under the PDP Law, personal data controllers must ensure that countries outside Indonesia's jurisdiction that receive personal data provide a level of protection equal to or higher than the PDP Law's. Organizations that need to block such transfers can use Digital Guardian policies to meet this requirement by ensuring data cannot be moved to unauthorized locations.
