In response to the increased number of attacks targeting the personal data of millions of Indonesian citizens, the government passed the first Personal Data Protection (PDP) Law in 2022. For example, a breach of the General Elections Database resulted in the compromise of the personal data of 105 million people. At the same time, 26 million customers of IndiHome were reportedly affected by another suspected incident.
The PDP Law is an effort to enhance the existing regulatory framework on personal data protection; it signifies the development of policies on personal data protection and confidentiality and strengthens the right to privacy. Businesses and individuals under the PDP Law’s jurisdiction must establish data protection and access management strategies to comply with the law’s requirements.
Overview of the Personal Data Protection Law Requirements
The PDP Law is the first comprehensive law in Indonesia to govern personal data protection in both electronic and non-electronic systems. It has 76 articles across 16 chapters, which extensively cover data ownership rights, prohibitions on data use, and the collection, storage, processing, and transfer of Indonesian citizens' data.
The law applies to any individual, business, public agency, or international organization that performs legal acts in Indonesia. The PDP Law also has extraterritorial reach: it applies to any individual or organization performing legal acts outside Indonesian jurisdiction, provided these acts have legal consequences in Indonesia and for Indonesian citizens residing outside the country.
It also introduces new concepts, including the requirement to notify the regulator of any cross-border personal data transfer (both before and after the transfer). The new law goes further by introducing criminal sanctions for personal data breaches. Violators of the PDP Law can face criminal penalties, including fines and imprisonment, as well as other legislative and administrative sanctions.
Controllers, Processors and other relevant parties who process personal data have two years to comply with the provisions of the PDP Law.
Indonesia PDP Law & Data-Centric Security Approach
A data-centric security approach is integral to virtually every data compliance regulation and standard worldwide and is a foundational best practice. The defining characteristic of data-centric security is that protection is applied to the data itself, independent of the data’s location.
Data-centric security focuses on protecting the files containing sensitive information and applying the appropriate form of protection no matter where the data resides. For security to be adequate, data must be safeguarded automatically; businesses should identify sensitive information as soon as it enters their ecosystem and secure it with policy-based protection throughout the data lifecycle.
Data can be vulnerable to risks while in transit or at rest and requires protection to cover both states. Although there are many approaches to protecting data in transit and at rest, encryption is a foundational pillar in data security.
Data encryption must be supplemented by robust cryptographic key management to ensure that corporate information is effectively protected. A common theme across all Thales Data Threat Reports is that although organizations encrypt their data at rest and in motion, they often forget to manage the encryption keys’ lifecycle, which leads to compromises of these valuable assets and subsequent data breaches.
In addition, businesses wishing to comply with the Indonesian PDP Law must establish a separation of duties between the systems that apply encryption to data and those that perform key management. This separation reduces the risk of an incident in one system spreading to the other and limits the impact of human error. Sound key management systems can leverage a hardware-based root of trust, such as a Hardware Security Module (HSM), for tamper-proof key creation and storage.
When properly implemented, data-centric security gives the organization complete control over its sensitive data. This is a necessity considering the data sovereignty requirements of the privacy law. Access to protected data can be granted or revoked at any time based on well-defined policies, and all activity is logged for auditing and reporting.
Access Management and Authentication solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods, including multi-factor authentication, and policy-driven role-based access, access security solutions help enterprises mitigate the risk of a data breach due to compromised or stolen credentials or through insider credential abuse.
How Thales can help you comply with PDP Law
To properly execute your data-centric security approach, it’s important to consider the available encryption and data protection methods, the regulatory requirements, the applications or data to be protected, and the risk environment unique to the business.
Choosing a vendor with the broadest solution set available, and one that provides centralized key and policy management, simplifies deployment and management as your installed base grows.
As the leader in digital security and data protection, Thales has helped hundreds of enterprises comply with regulations worldwide by recommending the data protection technologies appropriate to each set of regulatory requirements. Its data discovery, data encryption, key management, network encryption, hardware security module (HSM), data protection on-demand, and access management solutions enable customers to protect and remain in control of their data wherever it resides, across cloud, on-premises, and hybrid IT environments.
To learn in greater detail how your organization can comply with the PDP Law requirements by selecting Thales as a partner, download our eBook “Addressing Requirements of Personal Data Protection (PDP) Law of Indonesia.”