Indonesia Moves Closer to PDP Law Enforcement Timeframe - Challenges for Indonesian Businesses

Indonesia’s PDP Law has a two-year transitional period after its enactment, meaning it will come into play in October this year. Many businesses will need to conduct an internal assessment of their personal data protection compliance and adjust their relevant practices/policies within the transitional period before relevant provisions of the PDP Law are fully enforced.

Though this is widely understood, and a number of businesses may have conducted an assessment, there is not widespread implementation of technologies and capabilities for businesses to be in a position to comply once the enforcement period commences. Additionally, there is a limited number of experienced data protection officers relevant in implementing technology, and consultancy and advisory teams from firms in Indonesia are already stretched to help businesses meet the requirements.

Most businesses are now encountering challenges to resource key positions and implement capabilities to scale to meet the PDP Law requirements by October 2024.

?Key Requirements for Businesses to meet by October 2024:

●? ? ? Definition and types of personal data

●? ? ? Scope and applicability

●? ? ? Rights of personal data subjects

●? ? ? Controller and processor of personal data

●? ? ? Lawful grounds for processing personal data

●? ? ? Data protection officer and impact assessment

●? ? ? Requirements for cross-border personal data transfer

●? ? ? Notification for data breach

●? ? ? Sanctions

Understanding these requirements as they relate to the implementation of technology is important, as to meet the requirements of the PDP law, some technologies will need earlier implementation than others. In some cases, a phased approach will be required to effectively deploy capabilities in a parallel manner to adjust for technologies with prerequisites or those that have a longer lead time for implementation. Experience has demonstrated that three (3) streams of work are usually required for a successful implementation of Technologies to help organisations meet their compliance requirements.

?Three Key Streams

• DISCOVER Classify and Understand Sensitivity
• STREAMLINE & AUTOMATE Privacy Processes
• COMPLY Consent and Incident Management

DISCOVER Classify and Understand Sensitivity

• This has implications above and beyond the privacy needs. Understanding what personal and sensitive data is held, where it is stored, how it is used in applications and processes, and why it is still held has implications for Risk, Security, Governance, and Compliance teams.
• Why is the Data still held? Are there duplicates, or are there multiple versions? These points have implications:Information Protection – as to how this information is stored and protected?Governance – why it is still being held, and the quality of the data? Risk around why there is a need to hold this information: can reducing holding reduce risk?Compliance – are we meeting all the regulatory requirements around sensitive and personal data?Privacy – can we manage Data Subject Requests (DSRs) and Breach Management and notification requirements under the PDP Law?

• Data Discovery is not enough, you need to apply sensitive data intelligence and automatically orchestrate appropriate actions to data!

STREAMLINE & AUTOMATE Privacy Processes

• Building on the data intelligence created during the discovery phase, data subject access requests can now be automated to meet the requirements of the PDP Law. Requests can be collected, authorised, and processed to meet the 72-hour response timeline.

• You need to understand what applications and processes are using personal data and ensure any orphan data is managed appropriately. This requires the creation of data maps and records of processing. By linking these applications and processes to the asset holding and processing that data can provide near real-time compliance and accurate tracking of any variations to the Privacy Impact Assessments (PIA) associated with the applications of processes.?

• Collaboration across the organisation will be required for Data Privacy Impact Assessments (DPIA), and automation will be required to scale across the business to meet the requirements of mapping all applications and processes. Additionally, the risks determined during this will need to be exposed and addressed. This will require automation and risk visualisation in an actionable dashboard so the prioritisation of risk reduction can be managed.

• Cross-border transfers need to be managed and understood. This includes controlled and uncontrolled data stores managed by third parties. This type and sensitivity of this information needs to be understood, monitored, and managed according to regulations.

COMPLY Consent and Incident Management

• Any incident, no matter how small, will be required to be tracked and assessed according to the regulation. This will require collaboration and assessments to be collected in a timely manner and the risks measured to determine reporting obligations.

• You will need to ensure that consent from the Data Subject is collected and maintained forever. This means any updates or changes are also managed, taking into account the requirements, to ensure this consent can be reported upon for data subject access requests.

Lessons Learnt from Indonesia’s Other Geographies

As well as the emergence of Modern Privacy regulations based on similar principles of GDPR, we are experiencing countries morphing these regulations into Data Protection and Privacy including Sensitive Data.

Organisations are also encountering Data Sovereignty Laws as well as banking regulations around PII and Metadata that require audit and compliance at the cloud scale.

Key Points

1. Globally, Modern Privacy Regulation is morphing into Data Privacy Regulation.
2. Technology is being developed and adopted to help organisations manage these regulations at scale and, where possible, autonomously.
3. An overlap of roles and responsibilities across Policy, Classification, and Protection is occurring, and the adoption of cloud and multi-cloud is accelerating this.

Key Insights

1. Multiple parts of the business are looking to solve similar use cases

This is resulting in time and cost impacts to the business, as often multiple vendors are being assessed, and solution overlap is often significant, impacting contracting and operating costs significantly.

1. Impending regulation enforcement is fast approaching

It takes the business significant time to assess, select, implement, and operationalise a solution. This is putting the business at compliance risk and potential brand impact compared to competitors who have taken earlier steps to meet their obligations to Consumers and Regulators. Often, the business is not ready to embrace the organisational program of work and have appropriate budgets in place to implement and operationalize a privacy program.

1. Organisational alignment is critical

Typically, we find in businesses the following stakeholder teams to deliver successful programs; please note the use of the term program versus project as a Privacy Program is ongoing and needs to be built and funded accordingly:

• Chief Data Officer or Head of Data GovernanceThe CDO works with the business owners to define the classification of and policy around business data, including sensitive data.
• Chief Information Security Officer or Head of Information Security and RiskThe CISO/CSO operates the technology to implement the protective controls and mitigations.
• Data Protection Officer or Chief Privacy OfficerThe DPO/CPO is guided by the applicable regulations for the geographies the business operates.

• Legal TeamThe legal team will be responsible for providing guidance to adherence to regulatory requirements and reporting obligations.

Conclusion

• Action is required to organisationally align via a cross-functional task force.The task force should determine priority steps to achieve compliance by October, potentially with a minimum viable product approach, andThe task Force should develop a range of Business Pro.
• Engage peers in other organisations who are already on the journey to understand best practices and learnings.
• Engage advisory and technology integration partners with the potential experience and skills to augment internal resources.
• Engage technology vendors with expertise and experience, as timely engagement and implementation will be required.
• Align technology to the regulation and adapt to business processes defined by the task force and build a plan based on the maximum level of compliance by October 2024.