<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=231787&amp;fmt=gif">

    Indonesia Data Protection Law: Data Privacy Matters for Darwinbox

    September 6, 2023

    Stay Updated

    Darwinbox Leads the Way in Data Protection with PDP Compliance

    The Indonesian parliament has passed the Personal Data Protection Law to regulate personal data processing in the Republic of Indonesia. Discover how Darwinbox’s all-in-one HCM platform ensures compliance with personal data protection laws, safeguarding your valuable information.

    In 2021, Indonesia was left reeling from one of the most audacious data breaches that sent shockwaves across the nation.

    The insurance arm of one of the largest banks in the country reported that the personal details of over two million customers were put up for sale by unidentified hackers. A cybercrime monitoring firm found that multiple computers belonging to the employees had been compromised.  Even as investigations into the data breach were underway, it was reported that a collection of 460,000 documents compiled from the user data of the two million+ customers were being sold for $7000.

    This was one of the biggest cyberattacks the country faced in 2021. However, this was neither the first nor the last such incident. In fact, according to the cyber security firm Kaspersky, Indonesia had seen over 11 million cyber-attacks in the first quarter of 2022. A whopping 22% increase over the previous year when it faced 9.6 million cyberattacks. The growing number of security incidents effectively placed Indonesia as #1 in Southeast Asia and #60 globally among the worst affected countries suffering due to cyberattacks. It was under this alarming backdrop that the need for a comprehensive data protection law was felt.

    Learn More: How Darwinbox Enables Data Localization To Ensure Data Security in MENA

    Indonesia’s Personal Data Protection Law – Everything You Should Know

    Earlier, provisions on personal data protection were scattered across more than 30 different laws and regulations. It was in January 2020 that the first draft of the comprehensive Personal Data Protection Bill was released for public comment. In July 2020, the Ministry of Communication and Information Technology ('Kominfo') released a statement calling for organizations to bolster the efforts to protect personal data. Finally, after undergoing numerous rounds of consultation and amendments, the final draft of the law was passed by the House of Representatives on 20 September 2022. The final step of receiving the Presidential assent was fulfilled on 17th October 2022 which signified the enactment of law no 27 of 2022 on Personal Data Protection (PDP) Law.

    The PDP Law is a significant step forward for data protection activity in Indonesia. This historic data protection law establishes responsibilities for the processing of personal data and rights for individuals in a manner similar to other international data protection laws. Most notably, some of the core aspects of the law, like the definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures, and controller-processor relationships, share some similarities with the European General Data Protection Regulation (GDPR).

    Guide to Indonesia’s--PNGDownload Infographic

    The Need for a PDP Law-Compliant HRMS Platform

    If you refer to the infographic above, the PDP Law stipulates a host of obligations on both the Data Controller (the party that determines the purpose and exercises control over personal data processing activities) and the Data Processor (the party that processes personal data on behalf of the controller of personal data). Most importantly, the law imposes severe administrative and criminal sanctions for violations. These sanctions range from a hefty administrative fine to even ordering complete closure of business. With these points in mind, it’s time for you to answer the pertinent question – is your current HRMS PDP Law compliant?

    The Impact of PDP Law and Darwinbox's Role

    As data becomes an increasingly valuable asset and countries enact more and more stringent data protection laws, companies must prioritize the protection of personal information. In fact, it wouldn’t be incorrect to say that in today’s world, data protection is not only a legal requirement, but it is also a critical element of building and maintaining trust with customers. As companies transition to meet the new PDP Law requirements, here's how Darwinbox assures end-to-end data protection for your organization.

    For Data Controllers

    PDP Law Obligation #1

    Obtain explicit consent and maintain a log of consent from data subjects.

    Business Impact

    Organizations must now introduce mechanisms to obtain and track the consent of data subjects before processing personal data.

    How Can Darwinbox Help

    Darwinbox’s data protection policy dictates that it shall always obtain explicit consent from a data subject to collect and process its data.

    • In the case of children below the age of 16, parental consent will be obtained.
    • Transparent information about the usage of their personal data will be provided to the data subject at the time that consent is obtained, and their rights with regard to their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language, and will be provided free of charge.

    If the personal data is not obtained directly from the data subject, then this information will be provided to the data subject within a reasonable period after the data is obtained and definitely within a month.

    PDP Law Obligation #2

    Supervise the data processor.

    Business Impact

    The PDP Law requires processors to have an agreement and perform the processing under the supervision of the controller based on the agreement.

    The PDP Law leaves the ultimate responsibility for data processing with the controllers unless processing occurs outside the agreement, in which case it is the responsibility of the processor.

    PDP Law Obligations #3

    Business Impact

    Ensure processing is in line with the consented purpose and maintain records of processing.

    How Can Darwinbox Help 

    Under Article 20 of the PDP Law, there are six legal bases for processing personal data (whether specific or of a general nature), such as:

    • Consent of the personal data subject to process the data for a specific purpose.
    • Performance of obligations under a contract between the personal data controller and the personal data subject.
    • Performance of a controller’s legal obligations.
    • Protection of a personal data subject’s vital interests.
    • Undertaking a task in the public interest or in the exercise of legal authority.

    Fulfillment of a legitimate interest, considering the purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.

    PDP Law Obligations #4

    Ensure processing is in line with the consented purpose and maintain records of processing.

    Business Impact

     Under Article 20 of the PDP Law, there are six legal bases for processing personal data (whether specific or of a general nature), such as:

    • Consent of the personal data subject to process the data for a specific purpose.
    • Performance of obligations under a contract between the personal data controller and the personal data subject.
    • Performance of a controller’s legal obligations.
    • Protection of a personal data subject’s vital interests.
    • Undertaking a task in the public interest or in the exercise of legal authority.

    Fulfillment of a legitimate interest, taking into account the purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.

    How Can Darwinbox Help

    • Darwinbox shall ensure that individuals ‘consent’ to process their personal data is accepted explicitly and is freely given, as a specific, informed, and unambiguous indication of the individual’s wishes. The consent shall be provided by a clear affirmative action and shall signify an agreement to the processing of their personal data. All communication regarding consent shall be recorded and stored.
    • Non-response to a communication shall not be considered as consent.
    • The Controller shall be able to demonstrate that consent was obtained for the processing operation.
    • In case sensitive data is being collected, explicit written consent of individuals shall be obtained unless an alternative legitimate basis for processing exists.

    PDP Law Obligations #5

    Notify the data owner and the Minister of any data breach.

    Business Impact

    According to Article 39 of the PDP Law, Controllers have a duty to prevent personal data from being accessed unlawfully. In the event of a security breach, controllers must submit written notification no later than three days to the affected data subject and the data protection authority (DPA). The notice must contain the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm (Article 46). Finally, controllers may have to notify the public of the breach in certain cases.

    How Can Darwinbox Help 

    It is Darwinbox’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data.  Where a breach is known to have occurred, which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our information security incident response procedure which sets out the overall process of handling information security incidents. Darwinbox has established a formal Data Breach procedure. All staff shall be trained to follow the Data Breach procedures.

    PDP Law Obligations #6

    Appoint a Data Protection Officer.

    Business Impact

    The Controller and Processor are required to appoint a Data Protection Officer (“DPO”) if any of the conditions of the PDP Law below are met:

    • Processing of Personal Data for the interest of public services.
    • The nature, scope, and/or objective of the Data Controller's main activities require regular and systematic monitoring of large-scale Personal Data.
    • The Data Controller’s main activities involve the processing of Specific Personal Data on a large scale and/or Personal Data relating to criminal acts.

    How Can Darwinbox Help

    Darwinbox maintains a dedicated Data Protection Officer (DPO) to ensure compliance at all times with the accountability principle.

    PDP Law Obligations #7

    The PDP Law requires a Data Controller to carry out a Data Protection Impact Assessment (“DPIA”) if the Personal Data processing carries a high potential risk for the Data Subject.

    Business Impact

    Data controllers that perform personal data processing with high potential risks must prepare a data protection impact assessment (DPIA). Personal data processing can be considered to possess high potential risks if it meets certain conditions. As of today, there’s no elaboration of these conditions within the PDP Law. 

    How Can Darwinbox Help

    Darwinbox shall conduct a Data Protection Impact Assessment (DPIA) to identify and minimize the privacy risks of ongoing or new projects or policies, to ensure that potential problems are identified at an early stage, and to address them at the earliest without any impact to the organization. Darwinbox shall conduct a DPIA as defined by Darwinbox Procedure for Data Protection Impact Assessment.

    For Data Processors

    PDP Law Obligations #1

    Maintain confidentiality, accuracy, and consistency of personal data.

    Business Impact

    Data processors have to ensure the accuracy, completeness, and consistency of personal data, including “conducting verification”. 

    How Darwinbox Can Help

    Darwinbox has a policy to ensure that any personal data processed is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. Further, Darwinbox also has a documented breach and incident response policy. This policy ensures that any incident where the data confidentiality, integrity, and availability have been compromised, will be communicated to the customer. The root causes of the breach will be analyzed, and a report from Darwinbox CISO will be issued accordingly.

    PDP Law Obligations #2

    Maintain records of data processing.

    Business Impact

    Data processors have to ensure the accuracy, completeness, and consistency of personal data, including “conducting verification”.

    How Darwinbox Can Help

    Darwinbox maintains records and maintains a data processing inventory. This is a formal list of the processing activities and their purpose. Darwinbox shall ensure that this Data Processing list is aligned with Darwinbox's business. These records may contain:

    • The name and contact details of the controller.
    • Controller's representative and the data protection officer (if applicable)
    • Purposes of the processing.
    • Description of the categories of data subjects and of the categories of personal data.
    • Categories of recipients to whom the personal data have been or will be disclosed
    • including recipients in third countries or international organizations.
    • Where applicable, transfers of personal data to a third country or an international
    • organization, including the identification of that third country or international
    • organization and, along with the documentation of suitable safeguards.
    • Envisaged time limits for erasure of the different categories of data.
    • A general description of the technical and organizational security measures.

    PDP Law Obligations #3

    Prevent unauthorized processing and access to personal data in an invalid manner.

    Business Impact

    Data processors must ensure the accuracy, completeness, and consistency of personal data, including “conducting verification”. 

    How Darwinbox Can Help

    Darwinbox shall not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them.

    PDP Law Obligations #4

    Appoint a Data Protection Officer

    Business Impact

    The Controller and Processor are required to appoint a Data Protection Officer (“DPO”) if any of the conditions of the PDP Law below are met:

    • Processing of Personal Data for the interest of public services.
    • The nature, scope, and/or objective of the Data Controller's main activities require regular and systematic monitoring of large-scale Personal Data.
    • The Data Controller’s main activities involve the processing of Specific Personal Data on a large scale and/or Personal Data relating to criminal acts.

    How Darwinbox Can Help

    Darwinbox maintains a dedicated Data Protection Officer (DPO) to ensure compliance at all times with the accountability principle.

    For Cross-Border Data Transfer

    PDP Law Obligations

    #1. The rate of data protection should be equal to or higher than the bill.

    #2. The data controller should ensure that "there is adequate and binding personal data protection."

    #3. There should be explicit approval from the data subject.

    Business Impact

    The transfer of data outside Indonesia is governed by Article 56 of the PDP Law. The law requires controllers to ensure that the country where the data recipient is located has a level of data protection equal to or higher than the PDP Law.

    How Darwinbox Can Help 

    Darwinbox will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the PDP Law.

    Further, Darwinbox supports sensitive Personal Identifiable Information (PII) data to be hosted locally within the region. Moreover, this data is encrypted, preventing access or readability in a human-readable format or open text format.

    Charting the Path Ahead

    The Personal Data Protection Law is a significant lead ahead for data protection in Indonesia. It gives Indonesian citizens more control over their personal data and imposes a number of obligations on businesses and organizations that collect, process, or store personal data.

    As the ‘Data Controller’, you are likely planning your way forward to be compliant with the PDP Law. In your journey, you will need the right HRMS platform. Darwinbox is the best option for you as it comes 100% PDP Law compliant right out of the box. Book a demo with us today!

    Find out more about why the Personal Data Protection Law-compliant Darwinbox is perfect for your business. Book a demo today!

    FAQs

    In today's digital age, the protection of personal data has become increasingly crucial. With the rise of technology and the prevalence of online services, individuals are sharing their personal information more than ever before. This has led to the need for robust and comprehensive legislation to safeguard the privacy and security of personal data. Indonesia’s Personal Data Protection (PDP) Law is a step towards ensuring the safety of your data privacy.

    PDP Law refers to a set of regulations and principles that govern the collection, use, storage, and disclosure of personal data. Its main objective is to protect the privacy and rights of individuals in relation to their personal information. PDP Law outlines the obligations and responsibilities of organizations and data controllers in handling personal data, ensuring transparency, and providing individuals with control over their own information.

    PDP Law encompasses several key principles and provisions that guide the handling of personal data. Individuals are granted specific rights, such as the right to access and correct their personal information, as well as the right to withdraw consent for its use. Organizations and data controllers are obligated to handle personal data securely, ensuring its confidentiality and integrity. Consent and purpose limitation are important aspects of PDP Law, requiring organizations to obtain explicit consent from individuals for data processing and limiting the use of personal data to the specified purpose. Additionally, PDP Law imposes strict requirements for reporting and notifying individuals in the event of a data breach.

    The implementation of PDP Law brings numerous benefits and implications for individuals, businesses, and organizations. One of the primary advantages is the protection of personal data and privacy rights. PDP Law ensures that individuals have control over their personal information and that it is handled with utmost care and confidentiality.

    Moreover, PDP Law enhances trust and confidence in digital services. When individuals have confidence that their personal data is being protected, they are more likely to engage in online transactions and share information with organizations. This, in turn, leads to increased participation in the digital economy and fosters a healthy business environment.

    However, PDP Law also poses challenges for businesses and organizations. Compliance requirements are stringent, and failure to adhere to the law can result in severe penalties. Organizations must invest in data governance and risk management practices to ensure compliance and avoid potential reputational and financial damage. On the other hand, PDP Law also presents opportunities for data-driven innovation. By implementing robust data protection measures, organizations can build trust with their customers and leverage data for insights and innovation.

    To ensure compliance with PDP Law, organizations must take certain steps. First, conducting data protection impact assessments can help identify and address potential risks to personal data. Implementing privacy-by-design principles ensures that data protection is embedded in the design and development of systems and processes. Establishing data protection policies and procedures provides clear guidelines for employees to follow. Lastly, training employees on data protection best practices is crucial to ensure that everyone understands their responsibilities and obligations.

    Data protection authorities play a vital role in enforcing PDP Law. They investigate complaints and data breaches, ensuring that individuals' rights are upheld. In cases of non-compliance, data protection authorities have the power to impose fines and sanctions, motivating organizations to prioritize data protection.

    PDP Law shares similarities and differences with other international data protection regulations. While the core principles of protecting personal data remain consistent, variations exist in the specific requirements and enforcement mechanisms. These differences have implications for cross-border data transfers and international business operations. Organizations operating across different jurisdictions must navigate the complexities of compliance with multiple data protection laws.

    As technology continues to evolve, new challenges and trends emerge in the realm of data protection. Evolving technologies, such as artificial intelligence and the Internet of Things, bring new complexities and risks to personal data. Balancing privacy rights with data-driven innovation becomes a challenge that requires careful consideration. In response to these emerging challenges, PDP Law may require amendments and updates to ensure its effectiveness and adaptability.

    View all posts

    Stay Updated

    Speak Your Mind

    Subscribe and stay up to date