This document summarizes key aspects of Indonesia's draft Personal Data Protection Bill, including definitions of data controllers, processors, and protection officers. It outlines their obligations around data collection, security, breach reporting and subject rights. Common GDPR non-compliance issues are also discussed. The document emphasizes operationalizing privacy programs through frameworks addressing areas like policies, assessments, training and incident response. It raises questions around independent oversight and government accountability for data breaches.
The Urgency of the Personal Data Protection Bill (Urgensi RUU Perlindungan Data Pribadi)
1. RUU PERLINDUNGAN DATA PRIBADI (Personal Data Protection Bill)
Eryk B. Pratama, S.Kom, M.M, M.Kom
Data Privacy & Cyber Security Consultant at Global Consulting Firm
Indonesian Data Privacy & Protection Community (Komunitas Data Privacy & Protection Indonesia, t.me/dataprotectionid)
https://medium.com/@proferyk & https://slideshare.net/proferyk
UPN Veteran Jakarta – Webinar DISK
The Urgency for Data Resilience and Security
2. A perspective on data breaches - Indonesia
Setting up the context
https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor-bukalapak-dijual-di-forum-hacker
https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12-juta-pengguna-bhinnekacom?page=all
https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes-vulnerability-of-personal-data.html
https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data-protection-in-spotlight.html
Key Information Security Controls
▪ System configuration
▪ Access management
▪ Third party risk
▪ Human risk (carelessness)
3. A perspective on misuse of data - Indonesia
Setting up the context
https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor-denny-siregar-bakal-gugat-telkomsel
4. Data Privacy vs Data Protection
Data Privacy: Ethics & Regulation. Data Protection: Information Security Control.
5. Privacy Management Complexity
Privacy Program Management
Source: https://assets.kpmg/content/dam/kpmg/be/pdf/2017/Factsheet_DATA_PRIVACY_AND_PROTECTION_2016.pdf
6. Key Challenges
Privacy Program Management
Common issues based on GDPR enforcement
GDPR processing principles:
▪ Lawfulness, fairness and transparency: processing is based on legitimate grounds and conforms to the data subject's expectations.
▪ Purpose limitation: data must only be collected for specified, explicit and legitimate purposes.
▪ Data minimisation: collected data must be adequate, relevant and limited to what is necessary for the purpose.
▪ Accuracy: collected data must be accurate and kept up to date.
▪ Storage limitation: data must be retained only as long as necessary.
▪ Integrity and confidentiality: data must be processed securely.
Common enforcement findings:
▪ Insufficient legal basis for data processing
▪ Insufficient technical and organizational measures to ensure information security
▪ Non-compliance with general data processing principles
▪ Insufficient fulfilment of data subjects' rights
▪ Insufficient fulfilment of data breach notification obligations
7. Regulation: RUU Perlindungan Data Pribadi (Personal Data Protection Bill)
Regulation Aspects
Key Highlights
▪ Explicit consent is required from the data owner for personal data processing.
▪ Response timelines for data subject rights are separately called out in the RUU PDP.
▪ The data controller must notify the data owner and the Minister within 3 days of a data breach.
▪ Penalties for non-compliance may range from Rp 10 billion to Rp 70 billion, or imprisonment ranging from 2 to 7 years.
Roles defined in the bill: Data Owner, Data Controller, Data Processor, Data Protection Officer
8. Data Controller – Pengendali Data Pribadi
Regulation Aspects
Obligations of the Data Controller
Article (Pasal) and description:
▪ Article 24: must provide information on the legal basis of the processing, the purpose of the processing, the type and relevance of the processing, the document retention period, details of the information collected, and the period of data processing; must be able to show evidence of the consent given by the Personal Data Owner.
▪ Article 25: must stop processing Personal Data if the Personal Data Owner withdraws consent to the processing of their Personal Data.
▪ Article 27: must protect and ensure the security of the Personal Data it processes by drafting and implementing operational technical measures to protect Personal Data, and by determining the security level of Personal Data with regard to the nature and risk of the Personal Data to be protected during processing.
▪ Article 28: must supervise every party involved in the processing of Personal Data.
▪ Article 29: must ensure that Personal Data is protected from unlawful processing.
▪ Article 36: must process Personal Data in accordance with the processing purpose agreed to by the Personal Data Owner (explicit / implicit consent).
▪ Articles 38 and 39: deletion and destruction of personal data.
9. Data Protection Officer – Fungsi Perlindungan Data Pribadi (Personal Data Protection Function)
Regulation Aspects
▪ must be appointed on the basis of professional qualities and knowledge of Personal Data protection law and practice.
▪ may come from inside and/or outside the Personal Data Controller or Personal Data Processor.
▪ informs and advises the Data Controller and Data Processor.
▪ monitors and ensures compliance with this Law and with the policies of the Personal Data Controller or Personal Data Processor.
▪ advises on Personal Data protection impact assessments and monitors the performance of the Data Controller and Data Processor.
▪ coordinates and acts as the contact point for issues relating to the processing of Personal Data.
▪ in carrying out these duties, must have regard to the risks associated with the processing of Personal Data, taking into account the nature, scope, context and purpose of the processing.
Data Privacy Officer vs Data Protection Officer
10. Common Mistakes in Data Privacy – GDPR Enforcement [SAMPLE]
Regulation Aspects
https://www.enforcementtracker.com/
Common Issues
▪ Insufficient legal basis for data processing
▪ Insufficient technical and organizational measures to ensure information security
▪ Non-compliance with general data processing principles
▪ Insufficient fulfilment of data subjects' rights
▪ Insufficient fulfilment of information obligations
▪ Insufficient fulfilment of data breach notification obligations
▪ Insufficient cooperation with the supervisory authority
11. Operationalize Data Protection Regulation
Privacy Program Management
Privacy Governance
▪ Privacy Vision & Mission
▪ Privacy Program Scope
▪ Develop & Implement Framework
▪ Develop Privacy Strategy
▪ Privacy Team & Governance Model
Data Assessment
▪ Inventories & Records
▪ Record of Processing Activities
▪ Impact Assessment
▪ Vendor/Third Party Assessment
▪ Privacy in Mergers, Acquisitions, & Divestiture
Privacy Policy
▪ Privacy Notices & Policies
▪ Choice, Consents, and Opt-out
Data Subject Rights
▪ Data Subject Requests
▪ Handling Complaints
Training & Awareness
Privacy by Design & Privacy by Default
Incident Management
Monitoring & Auditing Program Performance
Privacy Program Management is the structured approach of combining several disciplines into a framework that allows an organization to meet legal compliance requirements and the expectations of business clients or customers while reducing the risk of a data breach. The framework follows program management principles and considers privacy regulations from around the globe.
12. Independent Data Protection Supervisor
Big Questions
“Can the government be sued if there is a data and privacy breach?”