Eryk Budi Pratama, profile picture
Uploaded byEryk Budi Pratama
2,357 views

Personal Data Protection in Indonesia

The document discusses personal data protection in Indonesia, highlighting regulation and technical aspects related to data privacy and cybersecurity. It emphasizes the importance of explicit consent from data owners for data processing and outlines the responsibilities of data controllers and processors. Furthermore, it presents various technical measures, such as data loss prevention and incident management strategies, alongside best practices for cyber hygiene.

Embed presentation

11 PERSONAL DATA PROTECTION Eryk B. Pratama, S.Kom, M.M, M.Kom Data Privacy & Cyber Security Consultant at Global Consulting Firm Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid) https://medium.com/@proferyk & https://slideshare.net/proferyk Universitas Negeri Makassar Regulation and Technical Aspects
Agenda 01 Setting-up the Context 02 Regulation Aspects 03 Technical Aspects 04 Cyber Hygiene Implementation
A perspective on data breaches - Indonesia Setting-up the Context https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor- bukalapak-dijual-di-forum-hacker https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12- juta-pengguna-bhinnekacom?page=all https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes- vulnerability-of-personal-data.html https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data- protection-in-spotlight.html Key Information Security Controls ▪ System configuration ▪ Access management ▪ Third party risk ▪ Human risks (Carelessness)
A perspective on misuse of data - Indonesia Setting-up the Context https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi- bocor-denny-siregar-bakal-gugat-telkomsel https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor- denny-siregar-bakal-gugat-telkomsel
Case Study – Personal Data Breach via Vulnerable Web Application
Data Privacy vs Data Protection Ethics & Regulation Information Security Control
Bring it in one page Setting-up the Context Regulation Technical Aspects EU General Data Protection Regulation (GDPR) US California Consumer Protection Act (CCPA) RUU Perlindungan Data Pribadi (RUU PDP) Pre-Breach Identity & Access Management Data Loss/Leakage Prevention Privilege Access Management Cyber Hygiene During & Post Breach Incident Management Crisis Management PP 71 2019 - PSTE Peraturan Kominfo No 20 2016 - Data Pribadi pada PSE
Regulation Aspects
RUU Perlindungan Data Pribadi Regulation Aspects Key Highlight ▪ Explicit Consent is required from the data owner for personal data processing. ▪ Responding timelines for Data subject rights have been separately called out in the RUU PDP. ▪ Data controller to notify the data owner and the Minister within 3 days of data breach. ▪ Penalties for non-compliance may range from Rp 20 Billion to Rp 70 Billion or Imprisonment ranging from 2 to 7 years Data Owner Data Controller Data Processor Data Protection Officer
Data Owner – Pemilik Data Pribadi Regulation Aspects Hak Pemilik Data Pribadi Pasal Deskripsi Pasal 4 meminta Informasi tentang kejelasan identitas, dasar kepentingan hukum, tujuan permintaan dan penggunaan Data Pribadi, dan akuntabilitas pihak yang meminta Data Pribadi. Pasal 5 melengkapi Data Pribadi miliknya sebelum diproses oleh Pengendali Data Pribadi. Pasal 6 mengakses Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan. Pasal 7 memperbarui dan/atau memperbaiki kesalahan dan/atau ketidakakuratan Data Pribadi miliknya sesuai dengan ketentuan perundang-undangan. Pasal 8 mengakhiri pemrosesan, menghapus, dan/atau memusnahkan Data Pribadi miliknya. Pasal 9 menarik kembali persetujuan pemrosesan Data Pribadi miliknya yang telah diberikan kepada Pengendali Data Pribadi Pasal 10 mengajukan keberatan atas tindakan pengambilan keputusan yang hanya didasarkan pada pemrosesan secara otomatis terkait profil seseorang (profiling). Pasal 11 memilih atau tidak memilih pemrosesan Data Pribadi melalui mekanisme pseudonim untuk tujuan tertentu Pasal 12 menunda atau membatasi pemrosesan Data Pribadi secara proporsional sesuai dengan tujuan pemrosesan Data Pribadi Pasal 13 menuntut dan menerima ganti rugi atas pelanggaran Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan.
Data Controller – Pengendali Data Pribadi Regulation Aspects Kewajiban Data Controller Pasal Deskripsi Pasal 24 ▪ wajib menyampaikan Informasi mengenai legalitas dari pemrosesan , tujuan pemrosesan , jenis dan relevansi pemrosesan, periode retensi dokumen, rincian informasi yang dikumpulkan, dan jangka waktu pemrosesan data ▪ menunjukkan bukti persetujuan yang telah diberikan oleh Pemilik Data Pribadi Pasal 25 wajib menghentikan pemrosesan Data Pribadi dalam hal Pemilik Data Pribadi menarik kembali persetujuan pemrosesan Data Pribadi Pasal 27 wajib melindungi dan memastikan keamanan Data Pribadi yang diprosesnya dengan melakukan: ▪ penyusunan dan penerapan langkah teknis operasional untuk melindungi Data Pribadi ▪ penentuan tingkat keamanan Data Pribadi dengan memperhatikan sifat dan risiko dari Data Pribadi yang harus dilindungi dalam pemrosesan Data Pribadi Pasal 28 wajib melakukan pengawasan terhadap setiap pihak yang terlibat dalam pemrosesan Data Pribadi Pasal 29 wajib memastikan pelindungan Data Pribadi dari pemrosesan Data Pribadi yang tidak sah Pasal 36 wajib melakukan pemrosesan Data Pribadi sesuai dengan tujuan pemrosesan Data Pribadi yang disetujui oleh Pemilik Data Pribadi. (Explisit / Implicit Consent) Pasal 38 Pasal 39 Penghapusan dan pemusnahan data pribadi
Data Masking Regulation Aspects Encryption Tokenization Anonymization Pseudonymization Source: https://teskalabs.com/blog/data-privacy-pseudonymization-anonymization-encryption Pseudonymized Anonymized
Data Masking - Tokenization Regulation Aspects Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/ No sensitive data is stored in the production database
Technical Aspects
Information Security Complexity – Reference Architecture Technical Aspects Source: https://www.opensecurityarchitecture.org/cms/library/patternlandscape
Information Security Complexity - Example Technical Aspects Source: https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c
From Simply Managing Identities to Managing Complex Relationships Technical Aspects – Identity & Access Management Identity Access Management Identity Relationship Management Source: Forrester Research
Simplifying the complexity Technical Aspects – Identity & Access Management Authoritative/Trusted Source Middleware / Identity Management Solution Target System HR Data IDM Solution Active Directory Email Server ERP Others Applications Provisioning Reconciliation Create,Update,Revoke
Access Management Basic Process Technical Aspects – Identity & Access Management Receive Request Verification Provide Rights Log and Track Access ▪ Change requests ▪ Services requests ▪ HR requests ▪ App / Script requests ▪ Valid user ? ▪ Valid request ? ▪ Request access ? ▪ Remove access ? ▪ Provide access ▪ Remove access ▪ Restrict access ▪ Check and monitor identity status ▪ Violations to Incident Management Process Business Rules, Policies, Procedures, Controls ISMS
Data Loss/Leakage Prevention Solution Technical Aspects – Data Loss Prevention A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different forms: Data in Motion Data at Rest Data in Use Data that is transmitted or moved, both through electronic or non-electronic means. Data that is actively traveling on a network, such as email or web traffic. Data that resides on a stable medium, including servers, network shares, databases, individual computers, and portable media. Data that has been obtained and are being processed or actively used. Typically, referring to data on end-user computing device or host systems. Structured Data Unstructured Data Semi-structured Data Data commonly stored in databases or applications Exists in filesystems or documents Examples of such data format types include email Data Type
Incident Management Definition Technical Aspects – Incident Management What is an IT incident? An IT incident is any disruption to an organization's IT services that affects anything from a single user or the entire business . In short, an incident is anything that interrupts business continuity. What is IT incident management? Incident management is the process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and ends with a service desk team member resolving that issue. Analyst Incident Responder Digital Forensic Incident Escalation Layer 1 (L1) Layer 2 (L2) Layer 3 (L3) Incident Classification MediumHigh Low Incident Prioritization Critical High Medium Low
Cyber Hygiene Implementation
Implement Cyber Hygiene as Foundational Action Key Takeaways What is Cyber Hygiene? Cyber hygiene refers to steps taken by users to maintain the health of their computers and devices and improve online security to prevent the theft or corruption of data. Cyber Hygiene Practices 1. Keep an inventory of the hardware and software on your network 2. Install reputable antivirus and malware software 3. Conduct cybersecurity education and awareness activities 4. Update and patch software regularly 5. Regularly back up your data and keep multiple copies 6. Limit the number of employees who have administrative privileges 7. Establish an incident response plan. 8. Establish network security and monitoring 9. Perform regular vulnerability assessment and secure configuration review 10.Implement some controls to protect and recover data if a breach occurs Keep update with regulation and cyber threat
Cyber Hygiene in Public Environment Key Takeaways Check Legitimate WIFI ID/SSID Be careful with piggyback/tailgating Don’t click malicious pop-up and URL Use VPN (if possible)
Staying Safe when Online Key Takeaways Use secured personal device Activate pop-up/Ad blocker Activate private / incognito mode Use VPN (if possible) Use strong/complex password Make Online Purchases From Secure Sites Be Careful on What You Access & Download
Thank You ☺ https://medium.com/@proferyk https://www.slideshare.net/proferyk IT Advisory & Risk (t.me/itadvindonesia) Data Privacy & Protection (t.me/dataprivid) Komunitas Data Privacy & Protection (t.me/dataprotectionid)

More Related Content

PDF
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
byEryk Budi Pratama
 
PDF
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
byEryk Budi Pratama
 
PDF
Privacy-ready Data Protection Program Implementation
byEryk Budi Pratama
 
PDF
Melihat RUU Pelindungan Data Pribadi
byICT Watch
 
PDF
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
byEryk Budi Pratama
 
PPTX
Kebijakan Perlindungan Data Pribadi Melalui RUU PDP
byUnggul Sagena
 
PDF
Keamanan Informasi dan Perlindungan Data Pribadi
byWidy Widyawan
 
PPTX
Data Protection Officer Dashboard | GDPR
byCorporater
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
byEryk Budi Pratama
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
byEryk Budi Pratama
 
Privacy-ready Data Protection Program Implementation
byEryk Budi Pratama
 
Melihat RUU Pelindungan Data Pribadi
byICT Watch
 
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
byEryk Budi Pratama
 
Kebijakan Perlindungan Data Pribadi Melalui RUU PDP
byUnggul Sagena
 
Keamanan Informasi dan Perlindungan Data Pribadi
byWidy Widyawan
 
Data Protection Officer Dashboard | GDPR
byCorporater
 

What's hot

PDF
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
byEryk Budi Pratama
 
PDF
Urgensi RUU Perlindungan Data Pribadi
byEryk Budi Pratama
 
PDF
Common Practice in Data Privacy Program Management
byEryk Budi Pratama
 
PDF
Perlindungan Data Pribadi di Indonesia
byIsmail Fahmi
 
PPT
Data loss prevention (dlp)
byHussein Al-Sanabani
 
PDF
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
byEryk Budi Pratama
 
PDF
1.1 Data Security Presentation.pdf
byChunLei(peter) Che
 
PDF
Data Loss Threats and Mitigations
byApril Mardock CISSP
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
DLP Data leak prevention
byAriel Evans
 
PPT
Data Protection Presentation
byIBM Business Insight
 
PDF
Data Leakage Prevention (DLP)
byNetwork Intelligence India
 
PPTX
Data Loss Prevention
byReza Kopaee
 
PDF
Enterprise Cybersecurity: From Strategy to Operating Model
byEryk Budi Pratama
 
PDF
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
PPTX
Information Security Governance and Strategy
byDam Frank
 
PPTX
Data Loss Prevention from Symantec
byArrow ECS UK
 
PPTX
Legal obligations and responsibilities of data processors and controllers und...
byIT Governance Ltd
 
PPTX
Data Loss Prevention
bydj1arry
 
PDF
TOGAF 9 - Security Architecture Ver1 0
byMaganathin Veeraragaloo
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
byEryk Budi Pratama
 
Urgensi RUU Perlindungan Data Pribadi
byEryk Budi Pratama
 
Common Practice in Data Privacy Program Management
byEryk Budi Pratama
 
Perlindungan Data Pribadi di Indonesia
byIsmail Fahmi
 
Data loss prevention (dlp)
byHussein Al-Sanabani
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
byEryk Budi Pratama
 
1.1 Data Security Presentation.pdf
byChunLei(peter) Che
 
Data Loss Threats and Mitigations
byApril Mardock CISSP
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
DLP Data leak prevention
byAriel Evans
 
Data Protection Presentation
byIBM Business Insight
 
Data Leakage Prevention (DLP)
byNetwork Intelligence India
 
Data Loss Prevention
byReza Kopaee
 
Enterprise Cybersecurity: From Strategy to Operating Model
byEryk Budi Pratama
 
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
Information Security Governance and Strategy
byDam Frank
 
Data Loss Prevention from Symantec
byArrow ECS UK
 
Legal obligations and responsibilities of data processors and controllers und...
byIT Governance Ltd
 
Data Loss Prevention
bydj1arry
 
TOGAF 9 - Security Architecture Ver1 0
byMaganathin Veeraragaloo
 

Similar to Personal Data Protection in Indonesia

PPT
Personal privacy and computer technologies
bysidra batool
 
PPTX
Group 10 - PDPA II.pptx
bySuthaesh Ramash
 
PDF
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
bySymantec
 
PPTX
Ease out the GDPR adoption with ManageEngine
byManageEngine
 
PPTX
PRIVACY_SPI-Subject_3rdyear-BSITWeb.pptx
byinaresangelique
 
PPTX
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
PPTX
Data Privacy for Information Security Professionals Part 1
byDione McBride, CISSP, CIPP/E
 
PPTX
Privacy in India: Legal issues
bySagar Rahurkar
 
PPT
Compliance audit under the Information Technology Act, 2000
bySagar Rahurkar
 
PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PPTX
CHAPTER 5 CYBER LAW / SECURITY MALAYSIA
bygeniusempire1110
 
PPTX
Data Privacy & Cybersecurity Compliance for Indian Companies
byconnect96
 
PDF
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
byJakeAldrinDegala1
 
PPTX
Data Privacy & Protection for the Data Privacy Act
byisulanfc
 
PPT
Data protection in_india
byAltacit Global
 
PDF
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
byAnastasiya Lemysh
 
PDF
Data privacy act of 2012.pdf
byrjrremolana
 
PDF
2014-09-18 Protection of Personal Information Act readiness workshop
byPaul Jacobson
 
PPTX
Privacy (1).pptx
byEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
PDF
Examples of international privacy legislation
byUlf Mattsson
 
Personal privacy and computer technologies
bysidra batool
 
Group 10 - PDPA II.pptx
bySuthaesh Ramash
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
bySymantec
 
Ease out the GDPR adoption with ManageEngine
byManageEngine
 
PRIVACY_SPI-Subject_3rdyear-BSITWeb.pptx
byinaresangelique
 
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
Data Privacy for Information Security Professionals Part 1
byDione McBride, CISSP, CIPP/E
 
Privacy in India: Legal issues
bySagar Rahurkar
 
Compliance audit under the Information Technology Act, 2000
bySagar Rahurkar
 
3A – DATA PROTECTION: ADVICE
byCFG
 
CHAPTER 5 CYBER LAW / SECURITY MALAYSIA
bygeniusempire1110
 
Data Privacy & Cybersecurity Compliance for Indian Companies
byconnect96
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
byJakeAldrinDegala1
 
Data Privacy & Protection for the Data Privacy Act
byisulanfc
 
Data protection in_india
byAltacit Global
 
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
byAnastasiya Lemysh
 
Data privacy act of 2012.pdf
byrjrremolana
 
2014-09-18 Protection of Personal Information Act readiness workshop
byPaul Jacobson
 
Privacy (1).pptx
byEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
Examples of international privacy legislation
byUlf Mattsson
 

More from Eryk Budi Pratama

PDF
How Current Advanced Cyber Threats Transform Business Operation
byEryk Budi Pratama
 
PDF
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
byEryk Budi Pratama
 
PDF
Digital Leadership: How to Build Valuable Connection
byEryk Budi Pratama
 
PDF
AI Solutions for Sustainable Developmentpment_public.pdf
byEryk Budi Pratama
 
PPTX
AI Governance: Responsible and Trustworthy AI
byEryk Budi Pratama
 
PDF
Cybersecurity 101 - Auditing Cyber Security
byEryk Budi Pratama
 
PDF
Modern IT Service Management Transformation - ITIL Indonesia
byEryk Budi Pratama
 
PDF
The Rise of Data Ethics and Security - AIDI Webinar
byEryk Budi Pratama
 
PDF
Cyber Resilience - Welcoming New Normal - Eryk
byEryk Budi Pratama
 
PDF
Blockchain for Accounting & Assurance
byEryk Budi Pratama
 
PDF
Guardians of Trust: Building Trust in Data & Analytics
byEryk Budi Pratama
 
PDF
The Art of Cloud Auditing - ISACA ID
byEryk Budi Pratama
 
PDF
Cybersecurity Skills in Industry 4.0
byEryk Budi Pratama
 
PDF
Identity & Access Management for Securing DevOps
byEryk Budi Pratama
 
PDF
Cybersecurity in Oil & Gas Company
byEryk Budi Pratama
 
PDF
Industry 4.0 : How to Build Relevant IT Skills
byEryk Budi Pratama
 
PDF
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
byEryk Budi Pratama
 
PDF
Emerging Technology Risk Series - Internet of Things (IoT)
byEryk Budi Pratama
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PDF
IT Governance - Capability Assessment using COBIT 5
byEryk Budi Pratama
 
How Current Advanced Cyber Threats Transform Business Operation
byEryk Budi Pratama
 
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
byEryk Budi Pratama
 
Digital Leadership: How to Build Valuable Connection
byEryk Budi Pratama
 
AI Solutions for Sustainable Developmentpment_public.pdf
byEryk Budi Pratama
 
AI Governance: Responsible and Trustworthy AI
byEryk Budi Pratama
 
Cybersecurity 101 - Auditing Cyber Security
byEryk Budi Pratama
 
Modern IT Service Management Transformation - ITIL Indonesia
byEryk Budi Pratama
 
The Rise of Data Ethics and Security - AIDI Webinar
byEryk Budi Pratama
 
Cyber Resilience - Welcoming New Normal - Eryk
byEryk Budi Pratama
 
Blockchain for Accounting & Assurance
byEryk Budi Pratama
 
Guardians of Trust: Building Trust in Data & Analytics
byEryk Budi Pratama
 
The Art of Cloud Auditing - ISACA ID
byEryk Budi Pratama
 
Cybersecurity Skills in Industry 4.0
byEryk Budi Pratama
 
Identity & Access Management for Securing DevOps
byEryk Budi Pratama
 
Cybersecurity in Oil & Gas Company
byEryk Budi Pratama
 
Industry 4.0 : How to Build Relevant IT Skills
byEryk Budi Pratama
 
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
byEryk Budi Pratama
 
Emerging Technology Risk Series - Internet of Things (IoT)
byEryk Budi Pratama
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
IT Governance - Capability Assessment using COBIT 5
byEryk Budi Pratama
 

Recently uploaded

PDF
What Will Show Up on My Background Check
byJosh Mcdowell
 
PDF
Factories Act, 1948- Introduction, Scope, History & Provisions
byAnupriyaPrasad
 
PDF
Professional Jurisprudential Evaluation of the Commercial Court Ordinance 202...
by Judge Nazmul Hasan.
 
PDF
International Arbitration: A Comprehensive Analysis of the Global Legal Frame...
by Judge Nazmul Hasan.
 
PDF
INTERNATIONAL COMMERCIAL ARBITRATION (1).pdf
byAnupriyaPrasad
 
PDF
EMMANUEL MOUKA FOOD POISONING CAUGHT ON CCTV PETITION
byMouka Emmanuel
 
PDF
ePremium Protect_Liability to Landlord Policy_Independent Living.pdf
byTerranceCreighton1
 
PPTX
PresentationRequisites Valid Custom.pptx
bysyedazufishan
 
PDF
Best Criminal Lawyer in Delhi for Criminal Justice Support.pdf
byRight to Law
 
PDF
How Expert Neuroradiology Saved a Family from Misjudgement.pdf
byNeuro Experts
 
PDF
2026 ICPAS Tax Guide to Members of Illinois General Assembly
byLuis Plascencia
 
PDF
FY2027 H1B Cap Filing Secrets: Why You Should Plan Now?
byVisaPro Immigration Services LLC
 
PDF
Beyond Shadow AI: The Rise of Counterparty AI Risk & NIS2 Compliance (2026 Re...
bydavidnordin4
 
PPTX
Arbitration and Conciliation Act, 1996.pptx
byadvabhi2017
 
PDF
For-Website-251231-CJP-NCM-complaint-against-Kalicharan-Maharaj-1.pdf
bysabranghindi
 
PPTX
Arts University Plymouth Transcripts
byjp47f9p04u
 
PDF
Free FY2027 H1 Visa Timeline Template - Download Now
byVisaPro Immigration Services LLC
 
PDF
85-108+Vanessa,+Gunawan+Djajaputra(1).pdf
bysianturiyohanaputri0
 
PPTX
Actus reus and mens rea - law of crimes 1
byrajivchandok786
 
PDF
Shamir hospital deciding that I do not a guardian need for guardian
byHaim R. Branisteanu
 
What Will Show Up on My Background Check
byJosh Mcdowell
 
Factories Act, 1948- Introduction, Scope, History & Provisions
byAnupriyaPrasad
 
Professional Jurisprudential Evaluation of the Commercial Court Ordinance 202...
by Judge Nazmul Hasan.
 
International Arbitration: A Comprehensive Analysis of the Global Legal Frame...
by Judge Nazmul Hasan.
 
INTERNATIONAL COMMERCIAL ARBITRATION (1).pdf
byAnupriyaPrasad
 
EMMANUEL MOUKA FOOD POISONING CAUGHT ON CCTV PETITION
byMouka Emmanuel
 
ePremium Protect_Liability to Landlord Policy_Independent Living.pdf
byTerranceCreighton1
 
PresentationRequisites Valid Custom.pptx
bysyedazufishan
 
Best Criminal Lawyer in Delhi for Criminal Justice Support.pdf
byRight to Law
 
How Expert Neuroradiology Saved a Family from Misjudgement.pdf
byNeuro Experts
 
2026 ICPAS Tax Guide to Members of Illinois General Assembly
byLuis Plascencia
 
FY2027 H1B Cap Filing Secrets: Why You Should Plan Now?
byVisaPro Immigration Services LLC
 
Beyond Shadow AI: The Rise of Counterparty AI Risk & NIS2 Compliance (2026 Re...
bydavidnordin4
 
Arbitration and Conciliation Act, 1996.pptx
byadvabhi2017
 
For-Website-251231-CJP-NCM-complaint-against-Kalicharan-Maharaj-1.pdf
bysabranghindi
 
Arts University Plymouth Transcripts
byjp47f9p04u
 
Free FY2027 H1 Visa Timeline Template - Download Now
byVisaPro Immigration Services LLC
 
85-108+Vanessa,+Gunawan+Djajaputra(1).pdf
bysianturiyohanaputri0
 
Actus reus and mens rea - law of crimes 1
byrajivchandok786
 
Shamir hospital deciding that I do not a guardian need for guardian
byHaim R. Branisteanu
 

Personal Data Protection in Indonesia

  • 1.
    11 PERSONAL DATA PROTECTION ErykB. Pratama, S.Kom, M.M, M.Kom Data Privacy & Cyber Security Consultant at Global Consulting Firm Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid) https://medium.com/@proferyk & https://slideshare.net/proferyk Universitas Negeri Makassar Regulation and Technical Aspects
  • 2.
    Agenda 01 Setting-up theContext 02 Regulation Aspects 03 Technical Aspects 04 Cyber Hygiene Implementation
  • 3.
    A perspective ondata breaches - Indonesia Setting-up the Context https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor- bukalapak-dijual-di-forum-hacker https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12- juta-pengguna-bhinnekacom?page=all https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes- vulnerability-of-personal-data.html https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data- protection-in-spotlight.html Key Information Security Controls ▪ System configuration ▪ Access management ▪ Third party risk ▪ Human risks (Carelessness)
  • 4.
    A perspective onmisuse of data - Indonesia Setting-up the Context https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi- bocor-denny-siregar-bakal-gugat-telkomsel https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor- denny-siregar-bakal-gugat-telkomsel
  • 5.
    Case Study –Personal Data Breach via Vulnerable Web Application
  • 6.
    Data Privacy vsData Protection Ethics & Regulation Information Security Control
  • 7.
    Bring it inone page Setting-up the Context Regulation Technical Aspects EU General Data Protection Regulation (GDPR) US California Consumer Protection Act (CCPA) RUU Perlindungan Data Pribadi (RUU PDP) Pre-Breach Identity & Access Management Data Loss/Leakage Prevention Privilege Access Management Cyber Hygiene During & Post Breach Incident Management Crisis Management PP 71 2019 - PSTE Peraturan Kominfo No 20 2016 - Data Pribadi pada PSE
  • 8.
  • 9.
    RUU Perlindungan DataPribadi Regulation Aspects Key Highlight ▪ Explicit Consent is required from the data owner for personal data processing. ▪ Responding timelines for Data subject rights have been separately called out in the RUU PDP. ▪ Data controller to notify the data owner and the Minister within 3 days of data breach. ▪ Penalties for non-compliance may range from Rp 20 Billion to Rp 70 Billion or Imprisonment ranging from 2 to 7 years Data Owner Data Controller Data Processor Data Protection Officer
  • 10.
    Data Owner –Pemilik Data Pribadi Regulation Aspects Hak Pemilik Data Pribadi Pasal Deskripsi Pasal 4 meminta Informasi tentang kejelasan identitas, dasar kepentingan hukum, tujuan permintaan dan penggunaan Data Pribadi, dan akuntabilitas pihak yang meminta Data Pribadi. Pasal 5 melengkapi Data Pribadi miliknya sebelum diproses oleh Pengendali Data Pribadi. Pasal 6 mengakses Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan. Pasal 7 memperbarui dan/atau memperbaiki kesalahan dan/atau ketidakakuratan Data Pribadi miliknya sesuai dengan ketentuan perundang-undangan. Pasal 8 mengakhiri pemrosesan, menghapus, dan/atau memusnahkan Data Pribadi miliknya. Pasal 9 menarik kembali persetujuan pemrosesan Data Pribadi miliknya yang telah diberikan kepada Pengendali Data Pribadi Pasal 10 mengajukan keberatan atas tindakan pengambilan keputusan yang hanya didasarkan pada pemrosesan secara otomatis terkait profil seseorang (profiling). Pasal 11 memilih atau tidak memilih pemrosesan Data Pribadi melalui mekanisme pseudonim untuk tujuan tertentu Pasal 12 menunda atau membatasi pemrosesan Data Pribadi secara proporsional sesuai dengan tujuan pemrosesan Data Pribadi Pasal 13 menuntut dan menerima ganti rugi atas pelanggaran Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan.
  • 11.
    Data Controller –Pengendali Data Pribadi Regulation Aspects Kewajiban Data Controller Pasal Deskripsi Pasal 24 ▪ wajib menyampaikan Informasi mengenai legalitas dari pemrosesan , tujuan pemrosesan , jenis dan relevansi pemrosesan, periode retensi dokumen, rincian informasi yang dikumpulkan, dan jangka waktu pemrosesan data ▪ menunjukkan bukti persetujuan yang telah diberikan oleh Pemilik Data Pribadi Pasal 25 wajib menghentikan pemrosesan Data Pribadi dalam hal Pemilik Data Pribadi menarik kembali persetujuan pemrosesan Data Pribadi Pasal 27 wajib melindungi dan memastikan keamanan Data Pribadi yang diprosesnya dengan melakukan: ▪ penyusunan dan penerapan langkah teknis operasional untuk melindungi Data Pribadi ▪ penentuan tingkat keamanan Data Pribadi dengan memperhatikan sifat dan risiko dari Data Pribadi yang harus dilindungi dalam pemrosesan Data Pribadi Pasal 28 wajib melakukan pengawasan terhadap setiap pihak yang terlibat dalam pemrosesan Data Pribadi Pasal 29 wajib memastikan pelindungan Data Pribadi dari pemrosesan Data Pribadi yang tidak sah Pasal 36 wajib melakukan pemrosesan Data Pribadi sesuai dengan tujuan pemrosesan Data Pribadi yang disetujui oleh Pemilik Data Pribadi. (Explisit / Implicit Consent) Pasal 38 Pasal 39 Penghapusan dan pemusnahan data pribadi
  • 12.
    Data Masking Regulation Aspects Encryption Tokenization Anonymization Pseudonymization Source:https://teskalabs.com/blog/data-privacy-pseudonymization-anonymization-encryption Pseudonymized Anonymized
  • 13.
    Data Masking -Tokenization Regulation Aspects Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/ No sensitive data is stored in the production database
  • 14.
  • 15.
    Information Security Complexity– Reference Architecture Technical Aspects Source: https://www.opensecurityarchitecture.org/cms/library/patternlandscape
  • 16.
    Information Security Complexity- Example Technical Aspects Source: https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c
  • 17.
    From Simply ManagingIdentities to Managing Complex Relationships Technical Aspects – Identity & Access Management Identity Access Management Identity Relationship Management Source: Forrester Research
  • 18.
    Simplifying the complexity TechnicalAspects – Identity & Access Management Authoritative/Trusted Source Middleware / Identity Management Solution Target System HR Data IDM Solution Active Directory Email Server ERP Others Applications Provisioning Reconciliation Create,Update,Revoke
  • 19.
    Access Management BasicProcess Technical Aspects – Identity & Access Management Receive Request Verification Provide Rights Log and Track Access ▪ Change requests ▪ Services requests ▪ HR requests ▪ App / Script requests ▪ Valid user ? ▪ Valid request ? ▪ Request access ? ▪ Remove access ? ▪ Provide access ▪ Remove access ▪ Restrict access ▪ Check and monitor identity status ▪ Violations to Incident Management Process Business Rules, Policies, Procedures, Controls ISMS
  • 20.
    Data Loss/Leakage PreventionSolution Technical Aspects – Data Loss Prevention A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different forms: Data in Motion Data at Rest Data in Use Data that is transmitted or moved, both through electronic or non-electronic means. Data that is actively traveling on a network, such as email or web traffic. Data that resides on a stable medium, including servers, network shares, databases, individual computers, and portable media. Data that has been obtained and are being processed or actively used. Typically, referring to data on end-user computing device or host systems. Structured Data Unstructured Data Semi-structured Data Data commonly stored in databases or applications Exists in filesystems or documents Examples of such data format types include email Data Type
  • 21.
    Incident Management Definition TechnicalAspects – Incident Management What is an IT incident? An IT incident is any disruption to an organization's IT services that affects anything from a single user or the entire business . In short, an incident is anything that interrupts business continuity. What is IT incident management? Incident management is the process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and ends with a service desk team member resolving that issue. Analyst Incident Responder Digital Forensic Incident Escalation Layer 1 (L1) Layer 2 (L2) Layer 3 (L3) Incident Classification MediumHigh Low Incident Prioritization Critical High Medium Low
  • 22.
  • 23.
    Implement Cyber Hygieneas Foundational Action Key Takeaways What is Cyber Hygiene? Cyber hygiene refers to steps taken by users to maintain the health of their computers and devices and improve online security to prevent the theft or corruption of data. Cyber Hygiene Practices 1. Keep an inventory of the hardware and software on your network 2. Install reputable antivirus and malware software 3. Conduct cybersecurity education and awareness activities 4. Update and patch software regularly 5. Regularly back up your data and keep multiple copies 6. Limit the number of employees who have administrative privileges 7. Establish an incident response plan. 8. Establish network security and monitoring 9. Perform regular vulnerability assessment and secure configuration review 10.Implement some controls to protect and recover data if a breach occurs Keep update with regulation and cyber threat
  • 24.
    Cyber Hygiene inPublic Environment Key Takeaways Check Legitimate WIFI ID/SSID Be careful with piggyback/tailgating Don’t click malicious pop-up and URL Use VPN (if possible)
  • 25.
    Staying Safe whenOnline Key Takeaways Use secured personal device Activate pop-up/Ad blocker Activate private / incognito mode Use VPN (if possible) Use strong/complex password Make Online Purchases From Secure Sites Be Careful on What You Access & Download
  • 26.
    Thank You ☺ https://medium.com/@proferyk https://www.slideshare.net/proferyk ITAdvisory & Risk (t.me/itadvindonesia) Data Privacy & Protection (t.me/dataprivid) Komunitas Data Privacy & Protection (t.me/dataprotectionid)