The House of Representatives of the Republic of Indonesia finally ratified the Personal Data Protection Bill (PDP Bill) into law (PDP Law) on 20 September 2022 in accordance with the regulation in Indonesia, with updates and additional clauses that are more comprehensive in accommodating personal data protection. Indonesia now joins other jurisdictions in Southeast Asia that have dedicated personal data protection laws, including Singapore and Thailand. However, the PDP Law has not gone into effect yet and is not binding, as it still needs to be ratified by the President of the Republic of Indonesia within 30 days of enactment by the House of Representatives.
The PDP Law will increase the government's role and authority in enforcing and regulating the compliance and obligations of all parties who process personal data, both public and private. The government reminds all personal data controllers, both public and private, to improve their security systems, firewalls and encryption, to comply with responsibilities and maintain the personal data they manage, both general and specific, for absolute compliance with personal data protection.
Why is this Regulation Required?
Ratifying personal data protection in accordance with the law in Indonesia is necessary to provide a legal basis for maintaining state sovereignty, state security, and the protection of personal data belonging to Indonesian citizens/foreigners residing in Indonesia, the government/public sector, and the private sector. Specific to the business sector, the presence of the PDP Law can increase consumer confidence, improve the management of corporate data security systems and encourage the growth of innovation in company management. The PDP Law has the potential to trigger an innovation race between companies to demonstrate the ability to manage data security.
The Role of the Data Protection Officer (DPO) in the Case of Data Breach
The PDP Law officially incorporates the DPO into law. Apart from being a party that helps fulfill the implementation of the PDP Law, the DPO also acts as a party providing advice and information to comply with the rules in the PDP Law, especially in the case of a data breach. In the event of a data breach, the duties of a DPO are to:
- Provide notification in writing no later than 3x24 hours to the subject of personal and institutional data;
- Prepare and deliver on efforts to handle and recover data breach cases;
- Evaluate and improve the company's data security strategy.
Besides that, the primary role of the DPO is to build a data security system, maintain confidentiality, protect and ensure the security of personal data, conduct surveillance, keep personal data from being accessed illegally, make recordings, and ensure accuracy, completeness and consistency of personal data.
If you, a prospective client, want to retain a law firm filled with data protection experts, Schinder Law Firm is one of many corporate law firms in Indonesia that have handled a lot of data protection matters, with many experienced and professional civil lawyers and dispute lawyers in its arsenal, making it one of the top consulting firms in Indonesia. Feel free to contact us at firstname.lastname@example.org for further consultation.
Author: Budi Satya Makmur