A New Chapter: Preparing for Indonesian Personal Data Protection Legislation
Data privacy regulations in Asia Pacific (APAC) are undergoing significant change, with countries across the region developing comprehensive frameworks to enforce strict standards for collecting, processing, and protecting personal information. Many governments around the world are following in the footsteps of landmark regulations like the EU's General Data Protection Regulation (GDPR), with Indonesia's Personal Data Protection (PDP) legislation being a recent example of this trend.
For companies operating in Indonesia, understanding the requirements of this new law is crucial. It introduces a range of compliance obligations and potential consequences that extend well beyond the country’s borders. In this article we outline key elements of this legislation and offer considerations for developing a robust governance and incident response capability to limit the risk of negative financial, reputational or regulatory impacts resulting from a data breach.
Expect Rigour and Reach in Data Privacy Enforcement
Under the PDP legislation, Indonesia will set up a new data protection body, the Personal Data Protection Agency. This body will have authority to enforce and implement personal data protection regulations. Its responsibilities range from developing policies and strategies to handling complaints and conducting investigations into alleged data protection violations.
This consolidated regulatory framework and approach offers important protections for Indonesian data owners – both individuals and organisations. “Until now data privacy was addressed through a patchwork of industry-specific regulations,” Adam Peckman, Aon’s Head of Risk Consulting and Cyber Solutions in APAC says. “With PDP, we now have a common reference point concerning how data privacy should be understood and practiced. This gives companies the necessary clarity and consistency about what’s expected of them when it comes to collecting, storing and using personal data and what will be the enforcement mechanisms if those expectations are not met.”
These expectations include how companies go about obtaining consent to collect and store data and standards they must meet for lawful data use. As Adam highlights, the introduction of a GDPR-style fine for data breaches means companies collecting data in Indonesia must take a rigorous approach to data and risk management to avoid major financial penalties. “A security-related administrative fine can be up to two per cent of the company’s annual revenue,” he says. “That’s a significant penalty for non-compliance.”
Reinforcing Response Protocols and Partnerships
The new regulation also places a strong emphasis on incident response, requiring companies to notify authorities and affected individuals within a strict 72-hour timeline in the event of a data breach. “Beyond the financial implications, the regulation also introduces reputational risks for companies that fail to respond effectively to data breaches,” says Adam. “It can impact brand equity, share market value, and also license to operate. For companies operating in Indonesia that are deemed to be in breach of data security and privacy obligations, this could ultimately impact access to customers and suppliers in the market.”
An effective response plan requires an approach that secures access to internal and external expertise and resources to help companies adhere to mandated protocols and timelines. “To be confident in notifying affected data subjects within that 72-hour period you’re going to need specialist expertise,” says Adam. “With an appropriate vendor you’ll have access to necessary infrastructure to coordinate a response across one of the most populous countries in the world within that timeframe. Depending on the nature of the breach and your data management strategy, you will most likely need a forensics partner to determine what data has been affected.”
Engaging with the insurance market can be an effective way to secure suitable vendors and indemnify for the insurable costs and financial losses. “They can help you review your existing cyber and directors’ and officers’ liability insurance, for example, to ensure it is adequate to transfer a share of financial and reputational risk,” says Adam. “As part of this early engagement, they can also pair you with a panel of suitable vendors which can accelerate and strengthen your response capability should a data breach occur.”
Arief Rachman, Head of Financial Lines for Chubb, emphasises the importance of reviewing the whole scope of insurance cover that could be impacted by the new PDP legislation. “The PDP Law may further elevate the responsibility of boards of directors and executive management regarding data protection,” he says. “This could lead to increased scrutiny of decision-making processes and more rigorous compliance oversight, making D&O policies crucial in protecting individual directors and officers. Companies would also be wise to consider adding or enhancing their coverage for data breach response costs such as legal notifications, customer communication, forensic investigations and public relations. These are all vital activities for mitigating damage after a breach occurs.”
Increased Emphasis on Governance
These reactive measures need to be paired with a proactive risk-based framework for deploying appropriate operational and technical controls. “Companies must demonstrate they have considered and mitigated risks through data governance and security practices,” says Adam. “The regulation puts a price on data processing and retention through the new fines and penalties associated with privacy breaches. This highlights the importance of companies having the appropriate governance in place to align data-related decision-making with a clear and established risk management framework based on the PDP legislation.”
While renewed rigour in data management makes sense in the context of the new PDP regulations, it also creates an opportunity for companies to prepare for the potential for greater scrutiny of data governance and cyber controls by insurers. This can help CIOs, CISOs and risk managers to work together to develop a resilient solution that is effective in mitigating and transferring the inevitable risks that are part of the continuing rise in data held and used by companies in APAC and throughout the world.