Oct 12

New Rules on Business Continuity Plans in Indonesia – What You Should Know and What You (Don’t) Have to Do

In principle, all companies should have a so-called business continuity plan – commonly known as “BCP” – in place. Business continuity planning is the process a company undergoes to create a prevention and recovery system from potential threats such as natural disasters or cyber-attacks. It is designed to protect personnel and assets and make sure they can function quickly when disaster strikes[1].

These days, there is a lot of talk about BCP with respect to COVID-19. Above all, the global pandemic has shown that many companies do not have any BCP in place. The government of Indonesia recently jumped on the bandwagon by issuing a decree regarding the drafting of BCPs (the “Decree”)[2]. This has raised some questions, in particular whether it is required to have a BCP in place and, more generally, what (new) obligations there are for businesses.

No obligation to have a BCP in place in principle – yet recommended
As the Decree itself makes clear, its intention is to provide guidance for companies in preparing a BCP to protect their business continuation from the impact of the pandemic as well as to prevent the spread of the virus in their companies. It is supposed to help companies. As such, companies which do not set up their own BCP do not face any sanction.

However, companies are encouraged to involve labour unions and coordinate with the Labour Inspector (Pengawas Ketenagakerjaan) when they set up the BCP. It is for this reason that we recommend that you set up a brief BCP for your company, especially when you employ 50 or more employees. Having a BCP in place will not take a lot of time and, based on our experience, following recommendations like the one in the Decree will get you the goodwill of authorities such as the Labour Inspector.

The content of a BCP as per the recommendations in the Decree
The Decree splits up the BCP preparation/implementation into seven different stages:

Stage 1, Recognizing business priorities
The main products/services determine the business priorities – which in turn decide what the core business activities of your company are. The Decree makes specific reference to identifying the manpower required for these business activities. You should consider who can replace them in cases of absence.

Stage 2, Identifying pandemic risks
On a scale from 1 to 5, you should identify the risks that arise out of the Coronavirus pandemic with respect to Stage 1. You should map various scenarios, both from within your company and from the outside, which may disrupt the continuity of your business. It is recommended that you identify vulnerability points for the key functions of your company, e.g. finance, manpower, etc. Thereafter, you should take steps to prioritize and identify what can be done to control the risk.

Stage 3, Planning mitigation for pandemic risks
The Decree advises that you prepare various SOPs, implement flexible working hours, secure your supply chain, assess your HR-related policies (e.g. business travel, overtime, etc.) and occupational health and safety. You should also have a communications team.
The Decree recommends determining the risk for each threat and the actions required to mitigate such risk(s). There should be a schedule together with an identification of what resources are needed to carry out the mitigating actions and it must be clear who is responsible for what actions.

Stage 4, Identifying the response to impacts of the Coronavirus pandemic
According to the Decree, the response to the impacts of the Coronavirus pandemic should be clear. This includes (i) identifying the events that trigger the response and (ii) the response itself – what actions should be taken based on the mitigation plan with all sub-items mentioned above in Stage 3?

Stage 5, Preparing and implementing the BCP
The Decree proposes that a designated team be formed specifically for the preparation of the BCP. This team should also include employees, with the responsibilities of the management and the employees clearly defined. We highly recommend that you coordinate with the Labour Inspector in setting up your plan. The authorities will not hear about you following their recommendations unless you involve them.

Stage 6, Communicating the BCP
Once the BCP has been finalized, the Decree advises communicating it internally (both management and employees) and externally (all stakeholders including suppliers and customers).

Stage 7, Testing the BCP
You may test your BCP via simulations, etc. The Decree recommends periodical testing to keep the BCP updated.

Your advised steps and how Schinder Law Firm can assist you.
Overall, the recommendations in the Decree are rather simplified and, above all, were issued many months late[3]. Business continuity planning is the opposite of crisis planning – it happens before there is a crisis and is not simply an action during a crisis to mitigate its effects. Any company which now, many months into the global Coronavirus pandemic, starts wondering about its BCP will almost certainly face bankruptcy. This makes us wonder about the usefulness of the Decree.

There was some confusion among our clients, so we want to assure you: as noted at the outset, there is no obligation to set up a BCP. That said, it would certainly get you the authorities’ goodwill if you nevertheless set one up. Numerous free BCP templates exist on the internet and setting up a plan will not take a lot of time. Schinder Law Firm can assist you in liaising with the Labour Inspector or any other authorities to make sure that your actions are well-noticed.

________________

[1] Investopedia, Business Continuity Planning, available here (last accessed on 2020-10-06).

[2] Decree No. 312 of 2020 on the Guidelines for the Drafting of Business Continuity Plans in Facing a Disease Pandemic.

[3] As such, even the entry on Wikipedia is clearer and more detailed than the Decree.

