The New Indonesian Data Protection Law and Implications for ASEAN – Webinar Summary

In September 2022, Indonesia's House of Representatives (DPR) ratified the Personal Data Protection (PDP) bill as law. This law will impact both local and international organisations that process the personal data of Indonesian citizens.

The Indonesian PDP Law will serve as an umbrella regulation to harmonise more than 32 regulations that relate to the protection of personal data. The new law covers the rights of the data subject, the types of personal data, lawful basis for processing personal data, some guidelines for the appointment of a Data Protection Officer, and criminal sanctions for violations.

Various Data Protection Regulations in Indonesia

On 14 Oct 2022, Straits Interactive and DPEX Network held a webinar on this new law and its implications for the ASEAN region. The webinar tackled its key provisions and how it compared with other data protection laws. It also discussed more practical considerations, such as the need to develop the competencies of data protection professionals, the implementation timeline, and penalties for non-compliance.

The panel of speakers were:

• Kevin Shepherdson, FIP, EXIN, GRCP; CEO of Straits Interactive
• Dr Fetri Miftach, CISA, CISM; Co-founder and Director of Xynexis International
• Dr Yudhistira Nugraha, Head of Jakarta Smart City
• Satriyo Wibowo, S.T., MBA, M.H., IPM, CCISO, CBP, CSA, ECIH, CEH, CIPT, CIPM, CIPP/E, FIP; Lead Data Protection Consultant, Xynexis International
• Andi Pramawijaya Sar, SH, MCL, CIPP/E, GRCP; Lead Consultant, Indonesia, Straits Interactive

Watch the webinar highlights video as the panelists discuss various topics regarding the Indonesian PDP Law.

To learn more about various regional laws, including those of Indonesia, Thailand, Singapore, Philippines, Malaysia and China, consider taking the modules of our Advanced Certificate in Data Protection Principles.

To watch the webinar in full, please sign up to be a DPEX Network community member, log in and visit the Events section on dpexnetwork.org, where the on-demand recording will be made available in two weeks following the webinar.

Highly influenced by GDPR, the Indonesian PDP Law could land offenders in jail

With the Indonesian PDP Law patterned after the EU’s General Data Protection Regulation, there are some important concepts which organisations must take note of.

“The applicability of the extra-territorial provision will probably be the same as the GDPR, however we don’t have the detailed guidelines from the regulator yet. But in the context of extra-territorial applicability, I think, yes, when you are offering goods and services or are monitoring the behaviour of Indonesian citizens, if you are processing their data, then, yes, the law will apply to you if you are outside Indonesia,” said Sar.

Shepherdson clarified, “It doesn’t mean that just because an Indonesian visitor comes to your website, the Indonesian law will apply. Just like GDPR, for instance, if I publish my website in Indonesian, or if I transact in Indonesian currency, then there is a potential that this law will apply to you.”

A subtle difference is also that while the GDPR imposes fines up to 4% of a company’s annual turnover, Indonesia at the moment imposes up to 2% of annual turnover.

However, the Indonesian PDP Law also contains requirements on surveillance or visual data processing, such as the use of CCTVs. Such provisions are not contained in other ASEAN laws.

“One thing is to make sure that the visual data processing devices are used for a specific purpose [with a legal basis]. Under the law, the use of CCTV should only be used for security purposes or traffic monitoring,” said Dr Yudhistira.

The Indonesian PDP Law also has brisk timelines for processing Data Subject Access Requests and withdrawal of consent – organisations are given a mere 72 hours to process such requests.

Criminal Provisions in the Indonesian PDP Law

According to the Indonesian panel of experts, another notable point is that violating the PDP Law can send you to jail. The law not only imposes a fine, but can also impose jail time, depending on the severity of the violation.

Learn more about the GDPR and how it relates to data protection regulations in the region by taking our “GDPR and Application on Asia” course here.

Data protection capabilities urgently needed – 100,000 DPOs or more

With the new law imposing significant fines and criminal sanctions, this signals the urgency to develop the skills needed to comply with the law. Research estimates that there is a shortage of around 100,000 Data Protection Officers (DPOs).

“We helped the Ministry of InfoComm do this research, and based on a typical implementation of a PDP program in an institution, the effort required and the number of staff needed … there are around 2 million registered companies in Indonesia that will be affected,” said Dr Fetri. “Which means that 100,000 DPOs will be required in Indonesia in the next three to five years.”

“There will be a national competency standard, and Indonesia is in the midst of confirming those competencies,” added Shepherdson. “From there, Indonesia will then have a roadmap towards international certification, where Indonesia will recognise international standards such as IAPP and OCEG certifications.”

According to Wibowo, the draft for the PDP Law is currently being finalised and will, in the coming weeks, be introduced at a national convention to gather final inputs.

Dr Yudhistira offered insights on the challenges of the DPO function, and why training and certification is crucial.

“The difficulty is on the operational side. Under the PDP Act, we have the principles, but it lacks the operational side. So how do we make sure that all activities comply with regulation? How to ensure that collection of personal data complies with principles? It’s not about the legal provisions [but] how do you convert the legal provisions into the operational side?”

These challenges only further emphasise the urgency to develop the relevant competencies, such that DPOs are equipped to help their organisations achieve operational compliance.

The International Association of Privacy Professionals’ Certified Information Privacy Manager (CIPM) is a world-renowned certification in personal data protection programme management. An upcoming run of this course in Indonesia (27-29 October 2022) is being offered in English and Bahasa Indonesia. Email info@ignitetech.co.id to sign up or enquire.

Implications of Indonesian PDP Law on ASEAN

For the rest of the ASEAN community, the Indonesian panel advises that it is best to prepare as early as now, during the announced two-year transition period.

According to Dr Fetri, “ASEAN companies have already established a strong [generic] data protection framework; for example, companies might have an ISO 27001 Information Security Management System (ISMS) Framework implemented as part of their management system.

“Companies can leverage the availability of this framework but expand the scope of its implementation to include their entities in Indonesia, making sure all processing of personal information, whether electronic or paper, will be included in the expansion of this ISMS.”

“Then they can integrate the existing management system with the ISO 27701 Privacy Information Management System, to ensure that all relevant controls with regards to protection of personal information are put in place.

“But by making sure that your existing framework complies with ISO 27001 and 27701, you [would be] well ahead of the existing requirements.”

The DPEX Network also offers certification courses on ISO 27001 and ISO 27701. To watch the webinar in full, please sign up to be a DPEX Network community member, log in and visit the Events section on dpexnetwork.org.

Questions on the new Indonesian PDP Law

The panel ended the webinar with some final words of advice for ASEAN and Indonesian organisations on the steps they can take moving forward. They also answered more than 40 questions from the audience, including:

• Is data localisation required under the Indonesian PDP Law?
• Will the Indonesian Government take action on the several data breaches which recently took place in Indonesia?
• Do email addresses fall under general or specific personal data? How about phone numbers?
• Does the Visual Data Processing Devices provision apply to collection and processing of images and videos for the purpose of mapping?
• Does the privacy notice need to be in the local language?

*Disclaimer: Not all Q&As can be reviewed in the webinar recording as some were answered LIVE in the chat box during the session.