Heaptalk, Jakarta — Indonesia continues harmonizing the derivative regulations of the Personal Data Protection Law (PDP Law), a process targeted for completion by February 2025.
The government is drafting a Presidential Regulation to implement Law No. 27 of 2022 on Personal Data Protection. Deputy Minister of Communication and Digital Affairs Nezar Patria emphasized that drafting is meticulously conducted to address cybersecurity challenges and emerging technologies.
“We are harmonizing several articles daily. There are 216 articles if I’m not mistaken. The Presidential Regulation includes significant additions, particularly regarding cybersecurity and new technologies,” he explained during the Socialization of Personal Data Protection Guidelines in the Fintech Industry (01/16).
Nezar Patria stated that the Presidential Regulation is being discussed. He underscored its crucial role in enhancing personal data protection, especially in rapidly growing sectors like fintech.
“The regulation is under review at the Ministry of Law. We hope that by the fourth week of February, the harmonization process will be complete,” he revealed.
The Ministry of Communication and Digital (Komdigi) also actively engages in public education and awareness, collaborating with other government bodies, private companies, startups, academics, and the community. According to Nezar Patria, this effort aims to pool resources, expertise, and networks to accelerate PDP implementation across various sectors.
“Our ministry is responsible for drafting detailed and technical implementing regulations for the PDP Law. These regulations will provide clear guidance for organizations, businesses, and the public in applying the established principles,” he noted.
Additionally, the ministry continues to develop human resource competencies in personal data protection. Nezar Patria mentioned that the ministry would conduct technical guidance on PDP readiness for public institutions.
“We also offer support for PDP implementation through consultations and PDP workshops, providing practical training for the private sector,” he added.
Consequences of data leakage
Data controllers must inform the affected individuals and authorities in writing within 72 hours when a data breach occurs. This notification should include:
- The specific personal data compromised;
- The timing and method of the breach;
- The actions taken to address and mitigate the impact.
In cases where the breach significantly affects public services or the broader public interest, data controllers must also issue a public announcement about the incident. Furthermore, specific scenarios exempt data controllers from notifying individuals, including situations involving:
- National security and defense;
- Ongoing legal investigations;
- Public interest related to government functions;
- Regulatory oversight of the financial sector, monetary systems, or financial stability.
These exemptions apply only when permitted by law. In addition, Article 47 of the Personal Data Protection Act emphasizes that data controllers are accountable for personal data processing and must demonstrate compliance with data protection principles. Non-compliance can lead to administrative penalties, such as written reprimands, temporary suspension of data processing activities, mandatory deletion of data, or monetary fines.
Regulatory authorities can impose these fines, which may amount to up to 2% of the offender’s annual revenue or income linked to the breach.