
    Indonesia Data Protection Law: Data Privacy Matters for Darwinbox

    September 6, 2023


    Darwinbox Leads the Way in Data Protection with PDP Compliance

    The Indonesian parliament has passed the Personal Data Protection Law to regulate personal data processing in the Republic of Indonesia. Discover how Darwinbox’s all-in-one HCM platform ensures compliance with personal data protection laws, safeguarding your valuable information.

    In 2021, Indonesia was left reeling from one of the most audacious data breaches that sent shockwaves across the nation.

    The insurance arm of one of the largest banks in the country reported that the personal details of over two million customers had been put up for sale by unidentified hackers. A cybercrime monitoring firm found that multiple computers belonging to employees had been compromised. Even as investigations into the breach were underway, it was reported that a collection of 460,000 documents compiled from the user data of the two million+ customers was being sold for $7,000.

    This was one of the biggest cyberattacks the country faced in 2021, but it was neither the first nor the last such incident. According to the cybersecurity firm Kaspersky, Indonesia saw over 11 million cyberattacks in the first quarter of 2022, a 22% increase over the previous year, when it faced 9.6 million cyberattacks. This growing number of security incidents placed Indonesia #1 in Southeast Asia and #60 globally among the countries worst affected by cyberattacks. It was against this alarming backdrop that the need for a comprehensive data protection law was felt.


    Indonesia’s Personal Data Protection Law – Everything You Should Know

    Earlier, provisions on personal data protection were scattered across more than 30 different laws and regulations. In January 2020 the first draft of a comprehensive Personal Data Protection Bill was released for public comment. In July 2020, the Ministry of Communication and Information Technology ('Kominfo') released a statement calling on organizations to bolster their efforts to protect personal data. Finally, after numerous rounds of consultation and amendment, the final draft of the law was passed by the House of Representatives on 20 September 2022. Presidential assent followed on 17 October 2022, enacting Law No. 27 of 2022 on Personal Data Protection (the PDP Law).

    The PDP Law is a significant step forward for data protection activity in Indonesia. This historic data protection law establishes responsibilities for the processing of personal data and rights for individuals in a manner similar to other international data protection laws. Most notably, some of the core aspects of the law, like the definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures, and controller-processor relationships, share some similarities with the European General Data Protection Regulation (GDPR).


    The Need for a PDP Law-Compliant HRMS Platform

    The PDP Law stipulates a host of obligations on both the Data Controller (the party that determines the purpose of, and exercises control over, personal data processing activities) and the Data Processor (the party that processes personal data on behalf of the controller). Most importantly, the law imposes severe administrative and criminal sanctions for violations, ranging from hefty administrative fines to an order for the complete closure of the business. With these points in mind, it’s time to answer the pertinent question: is your current HRMS PDP Law compliant?

    The Impact of PDP Law and Darwinbox's Role

    As data becomes an increasingly valuable asset and countries enact more and more stringent data protection laws, companies must prioritize the protection of personal information. In fact, it wouldn’t be incorrect to say that in today’s world, data protection is not only a legal requirement, but it is also a critical element of building and maintaining trust with customers. As companies transition to meet the new PDP Law requirements, here's how Darwinbox assures end-to-end data protection for your organization.

    For Data Controllers

    PDP Law Obligation #1

    Obtain explicit consent and maintain a log of consent from data subjects.

    Business Impact

    Organizations must now introduce mechanisms to obtain and track the consent of data subjects before processing personal data.

    How Can Darwinbox Help

    Darwinbox’s data protection policy dictates that it shall always obtain explicit consent from a data subject before collecting and processing their data.

    • In the case of children below the age of 16, parental consent will be obtained.
    • Transparent information about the usage of their personal data will be provided to the data subject at the time that consent is obtained, and their rights with regard to their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language, and will be provided free of charge.

    If the personal data is not obtained directly from the data subject, then this information will be provided to the data subject within a reasonable period after the data is obtained and definitely within a month.

    PDP Law Obligation #2

    Supervise the data processor.

    Business Impact

    The PDP Law requires processors to have an agreement and perform the processing under the supervision of the controller based on the agreement.

    The PDP Law leaves the ultimate responsibility for data processing with the controllers unless processing occurs outside the agreement, in which case it is the responsibility of the processor.

    PDP Law Obligation #3

    Ensure processing is in line with the consented purpose and maintain records of processing.

    Business Impact

    Under Article 20 of the PDP Law, there are six legal bases for processing personal data (whether specific or of a general nature):

    • Consent of the personal data subject to process the data for a specific purpose.
    • Performance of obligations under a contract between the personal data controller and the personal data subject.
    • Performance of a controller’s legal obligations.
    • Protection of a personal data subject’s vital interests.
    • Undertaking a task in the public interest or in the exercise of legal authority.
    • Fulfillment of a legitimate interest, taking into account the purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.

    How Can Darwinbox Help

    • Darwinbox shall ensure that an individual’s consent to process their personal data is accepted explicitly and is freely given, as a specific, informed, and unambiguous indication of the individual’s wishes. The consent shall be provided by a clear affirmative action and shall signify agreement to the processing of their personal data. All communication regarding consent shall be recorded and stored.
    • Non-response to a communication shall not be considered consent.
    • The Controller shall be able to demonstrate that consent was obtained for the processing operation.
    • Where sensitive data is collected, the explicit written consent of individuals shall be obtained unless an alternative legitimate basis for processing exists.

    PDP Law Obligation #4

    Notify the data owner and the Minister of any data breach.

    Business Impact

    According to Article 39 of the PDP Law, Controllers have a duty to prevent personal data from being accessed unlawfully. In the event of a security breach, controllers must submit written notification to the affected data subject and the data protection authority (DPA) within three days. The notice must state the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm (Article 46). In certain cases, controllers may also have to notify the public of the breach.

    How Can Darwinbox Help

    It is Darwinbox’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties about breaches of personal data. Where a breach is known to have occurred that is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our information security incident response procedure, which sets out the overall process for handling information security incidents. Darwinbox has established a formal Data Breach procedure, and all staff shall be trained to follow it.

    PDP Law Obligation #5

    Appoint a Data Protection Officer.

    Business Impact

    The Controller and Processor are required to appoint a Data Protection Officer (“DPO”) if any of the conditions of the PDP Law below are met:

    • Processing of Personal Data for the interest of public services.
    • The nature, scope, and/or objective of the Data Controller's main activities require regular and systematic monitoring of large-scale Personal Data.
    • The Data Controller’s main activities involve the processing of Specific Personal Data on a large scale and/or Personal Data relating to criminal acts.

    How Can Darwinbox Help

    Darwinbox maintains a dedicated Data Protection Officer (DPO) to ensure compliance at all times with the accountability principle.

    PDP Law Obligation #6

    The PDP Law requires a Data Controller to carry out a Data Protection Impact Assessment (“DPIA”) if the Personal Data processing carries a high potential risk for the Data Subject.

    Business Impact

    Data controllers that perform personal data processing with high potential risks must prepare a data protection impact assessment (DPIA). Personal data processing is considered to carry high potential risks if it meets certain conditions; as of today, the PDP Law does not elaborate on what these conditions are.

    How Can Darwinbox Help

    Darwinbox shall conduct a Data Protection Impact Assessment (DPIA) to identify and minimize the privacy risks of ongoing or new projects or policies, so that potential problems are identified at an early stage and addressed as early as possible without impact to the organization. Darwinbox shall conduct a DPIA as defined in the Darwinbox Procedure for Data Protection Impact Assessment.

    For Data Processors

    PDP Law Obligation #1

    Maintain confidentiality, accuracy, and consistency of personal data.

    Business Impact

    Data processors have to ensure the accuracy, completeness, and consistency of personal data, including “conducting verification”.

    How Darwinbox Can Help

    Darwinbox has a policy to ensure that any personal data processed is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. Further, Darwinbox has a documented breach and incident response policy. This policy ensures that any incident in which the confidentiality, integrity, or availability of data has been compromised will be communicated to the customer. The root causes of the breach will be analyzed, and a report from the Darwinbox CISO will be issued accordingly.

    PDP Law Obligation #2

    Maintain records of data processing.

    Business Impact

    Data processors have to ensure the accuracy, completeness, and consistency of personal data, including “conducting verification”.

    How Darwinbox Can Help

    Darwinbox maintains a data processing inventory: a formal list of the processing activities and their purposes. Darwinbox shall ensure that this list is aligned with Darwinbox's business. These records may contain:

    • The name and contact details of the controller.
    • The controller's representative and the data protection officer (if applicable).
    • The purposes of the processing.
    • A description of the categories of data subjects and of the categories of personal data.
    • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations.
    • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization, along with the documentation of suitable safeguards.
    • The envisaged time limits for erasure of the different categories of data.
    • A general description of the technical and organizational security measures.

    PDP Law Obligation #3

    Prevent unauthorized processing and access to personal data in an invalid manner.

    Business Impact

    Data processors must ensure the accuracy, completeness, and consistency of personal data, including “conducting verification”.

    How Darwinbox Can Help

    Darwinbox shall not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them.

    PDP Law Obligation #4

    Appoint a Data Protection Officer.

    Business Impact

    The Controller and Processor are required to appoint a Data Protection Officer (“DPO”) if any of the conditions of the PDP Law below are met:

    • Processing of Personal Data for the interest of public services.
    • The nature, scope, and/or objective of the Data Controller's main activities require regular and systematic monitoring of large-scale Personal Data.
    • The Data Controller’s main activities involve the processing of Specific Personal Data on a large scale and/or Personal Data relating to criminal acts.

    How Darwinbox Can Help

    Darwinbox maintains a dedicated Data Protection Officer (DPO) to ensure compliance at all times with the accountability principle.

    For Cross-Border Data Transfer

    PDP Law Obligations

    #1. The level of data protection in the recipient country should be equal to or higher than that required by the PDP Law.

    #2. The data controller should ensure that "there is adequate and binding personal data protection."

    #3. There should be explicit approval from the data subject.

    Business Impact

    The transfer of data outside Indonesia is governed by Article 56 of the PDP Law. The law requires controllers to ensure that the country where the data recipient is located has a level of data protection equal to or higher than the PDP Law.

    How Darwinbox Can Help

    Darwinbox will ensure that every relationship it enters into that involves the processing of personal data is subject to a documented contract that includes the specific information and terms required by the PDP Law.

    Further, Darwinbox supports hosting sensitive personally identifiable information (PII) locally within the region. Moreover, this data is encrypted, so it cannot be accessed or read in plain text.

    Charting the Path Ahead

    The Personal Data Protection Law is a significant step forward for data protection in Indonesia. It gives Indonesian citizens more control over their personal data and imposes a number of obligations on businesses and organizations that collect, process, or store personal data.

    As the ‘Data Controller’, you are likely planning your way forward to compliance with the PDP Law. On that journey, you will need the right HRMS platform. Darwinbox is the best option for you as it comes 100% PDP Law compliant right out of the box. Book a demo with us today!

    Find out more about why the Personal Data Protection Law-compliant Darwinbox is perfect for your business. Book a demo today!

    FAQs

    In today's digital age, the protection of personal data has become increasingly crucial. With the rise of technology and the prevalence of online services, individuals are sharing their personal information more than ever before. This has led to the need for robust and comprehensive legislation to safeguard the privacy and security of personal data. Indonesia’s Personal Data Protection (PDP) Law is a step towards ensuring the safety of your data privacy.

    PDP Law refers to a set of regulations and principles that govern the collection, use, storage, and disclosure of personal data. Its main objective is to protect the privacy and rights of individuals in relation to their personal information. PDP Law outlines the obligations and responsibilities of organizations and data controllers in handling personal data, ensuring transparency, and providing individuals with control over their own information.

    PDP Law encompasses several key principles and provisions that guide the handling of personal data. Individuals are granted specific rights, such as the right to access and correct their personal information, as well as the right to withdraw consent for its use. Organizations and data controllers are obligated to handle personal data securely, ensuring its confidentiality and integrity. Consent and purpose limitation are important aspects of PDP Law, requiring organizations to obtain explicit consent from individuals for data processing and limiting the use of personal data to the specified purpose. Additionally, PDP Law imposes strict requirements for reporting and notifying individuals in the event of a data breach.

    The implementation of PDP Law brings numerous benefits and implications for individuals, businesses, and organizations. One of the primary advantages is the protection of personal data and privacy rights. PDP Law ensures that individuals have control over their personal information and that it is handled with utmost care and confidentiality.

    Moreover, PDP Law enhances trust and confidence in digital services. When individuals have confidence that their personal data is being protected, they are more likely to engage in online transactions and share information with organizations. This, in turn, leads to increased participation in the digital economy and fosters a healthy business environment.

    However, PDP Law also poses challenges for businesses and organizations. Compliance requirements are stringent, and failure to adhere to the law can result in severe penalties. Organizations must invest in data governance and risk management practices to ensure compliance and avoid potential reputational and financial damage. On the other hand, PDP Law also presents opportunities for data-driven innovation. By implementing robust data protection measures, organizations can build trust with their customers and leverage data for insights and innovation.

    To ensure compliance with PDP Law, organizations must take certain steps. First, conducting data protection impact assessments can help identify and address potential risks to personal data. Implementing privacy-by-design principles ensures that data protection is embedded in the design and development of systems and processes. Establishing data protection policies and procedures provides clear guidelines for employees to follow. Lastly, training employees on data protection best practices is crucial to ensure that everyone understands their responsibilities and obligations.

    Data protection authorities play a vital role in enforcing PDP Law. They investigate complaints and data breaches, ensuring that individuals' rights are upheld. In cases of non-compliance, data protection authorities have the power to impose fines and sanctions, motivating organizations to prioritize data protection.

    PDP Law shares similarities and differences with other international data protection regulations. While the core principles of protecting personal data remain consistent, variations exist in the specific requirements and enforcement mechanisms. These differences have implications for cross-border data transfers and international business operations. Organizations operating across different jurisdictions must navigate the complexities of compliance with multiple data protection laws.

    As technology continues to evolve, new challenges and trends emerge in the realm of data protection. Evolving technologies, such as artificial intelligence and the Internet of Things, bring new complexities and risks to personal data. Balancing privacy rights with data-driven innovation becomes a challenge that requires careful consideration. In response to these emerging challenges, PDP Law may require amendments and updates to ensure its effectiveness and adaptability.
