New Personal Data Protection Law in Indonesia: What’s Next for Corporations?

Dec 02, 2022

The enactment of Law No. 27 of 2022 on Personal Data Protection (“Law 27/2022”) has been one of the most talked-about topics in Indonesia. From corporations to small businesses, many are wondering how they can comply with this new regulation, especially because non-compliance will likely be subject to quite hefty sanctions.

In this respect, below are several efforts that organisations can take to comply with Law 27/2022.

  1. Conduct an Assessment of the Current Data Processing Practice

This activity requires organisations to inventory the type and origin of the personal data collected during the organisations’ operations. In doing so, an organisation may need to review all the documents, products, or outputs that potentially contain personal data and check where the personal data is collected and who has access to it. At the end, the organisation will be able to map out its processing activities, from collection to deletion of the personal data collected.

  2. Prepare a Privacy Policy and an Internal Policy for Processing Personal Data

Under Law 27/2022, organisations are required to prepare a document that informs users of information such as: (i) the type of personal data collected, (ii) the purpose of the data collection, (iii) the legal basis for processing the personal data, (iv) the retention period, and others. Such information can be provided in the form of a privacy policy. If an organisation does not yet have this document, it must start to prepare one. If an organisation already has one, it might be time to revisit the privacy policy to ensure compliance with Law 27/2022.

Furthermore, organisations also need to prepare a document to be used as an internal guideline for the processing of personal data. This document is usually prepared in the form of a Standard Operational Policy (SOP). This SOP typically includes: (i) delegation of responsibilities in processing personal data, (ii) how to respond to a request from a data subject, (iii) responses in the event of a failure of personal data protection, (iv) the period of personal data storage, etc.

  3. Provide Communication Channels for Users

An organisation must provide communication channels for users to submit complaints or exercise their rights as data subjects. Users need to be informed of this communication channel. The communication channel can take the form of email, a hotline, SMS, or others.

  4. Prepare Documentation

To carry out their obligations under Law 27/2022, organisations may need to prepare documentation that can be used as a standard for internal use. Examples of documentation needed following the issuance of Law 27/2022 include: (i) a consent form; (ii) a form for requests from users to exercise their rights as data subjects; (iii) a notification letter on failure to protect personal data; and (iv) agreements with third-party processors.

Note that certain forms of processing of personal data require an organisation to conduct a Data Processing Impact Assessment (“DPIA”). A company must be prepared with the procedures and documentation for the DPIA.

  5. Conduct Training for Individuals Processing Personal Data

Organisations that process personal data are recommended to provide regular training for individuals involved in the processing activities. Employees across divisions within an organisation must understand the importance of protecting personal data. This includes giving in-depth knowledge of the organisation’s internal data processing policies and the technical skills to secure the organisation’s personal data processing activities from cyber security threats.

  6. Appoint a Data Protection Officer (“DPO”)

An organisation which fits the following criteria needs to appoint a DPO: (i) it processes personal data for public service purposes; (ii) its core activities require regular and systematic monitoring of personal data on a large scale; and (iii) it processes personal data on a large scale and/or personal data relating to criminal offences.

If an organisation fits the above criteria, then it should appoint a DPO. Even if the organisation is not legally required to appoint a DPO, it is still recommended to appoint one to handle personal data matters, should it have the resources to do so.

Since we are currently in the transition period, organisations still have two years to adapt their personal data processing practices. However, as indicated on multiple occasions, the Indonesian Government expects organisations to start adhering (to the extent possible) to the provisions of Law 27/2022 during this transition period.

If you want to understand further how your organisation should comply with Law 27/2022, feel free to reach us via email at danny.kobrata@kk-advocates.com or office@kk-advocates.com.

K&K Advocates