IDC Names Securiti a Worldwide Leader in Data Privacy


Indonesia’s Personal Data Protection Regulations (PDP)

Operationalize PDP Compliance with the most comprehensive PrivacyOps platform.

Last Updated on November 15, 2023

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.


Although there is no comprehensive data protection law in Indonesia, however, there are several regulations that regulate the personal data processed in the electronic systems by the Electronic Service Providers (ESPs). These Personal Data Protection Regulations (PDP Regulations) are:

  • Regulation No. 20 of 2016 concerning Protection of Personal Data in Electronic Systems (MoCI Reg);
  • Amended Law No. 11 of 2008 on Electronic Information and Transaction (EIT Law);
  • Government Regulation No. 71 of 2019 on the Implementation of the Electronic System and Transaction (GR 71).

The PDP Regulations primarily focus on electronic information where its provisions apply to local electronic service providers that deal with Indonesian citizens. The PDP Regulations also apply extraterritorially in certain circumstances.

Indonesia is also planning to have a comprehensive primary data protection law, Indonesia’s Personal Data Protection Bill (the PDP Bill). The enactment of the PDP Bill would result in the first comprehensive law in Indonesia that specifically deals with protecting the personal data of Indonesian citizens.

The solution

Securiti empowers organizations across the globe to ensure smooth compliance with Indonesia’s Personal Data Protection Regulations (PDP Regulations) with its AI-driven data discovery, DSR automation, universal consent management, autonomous documented accountability, data breach management, and vendor risk assessment functionality.

Indonesia PDP Compliance Solution

Securiti enables enterprises and supports them in their journey towards compliance with Indonesia’s Personal Data Protection Regulations through automation, enhanced data visibility, and identity linking.

See how our comprehensive PrivacyOps platform helps you comply with various sections of PDP Regulations.


dsr handling

Automate data subject request handling

MoCI Reg Articles: 26

Data subjects have several rights instituted under the PDP Regulations. Data subjects have the right to be informed of the use of their personal data and the ability to access their data held by an organization. To comply with the PDP Regulations, organizations must have a well-organized and modern platform to cater to verified DSR requests.

Secure fulfillment of data access requests

MoCI Reg Articles: 26(c)(d)

Conveniently disclose the required information to the data subjects free of charge via the secure, centralized portal. Automating the delivery and generation of secure data access reports minimizes the risk of any compliance violations.

data access request
data rectify request

Automate the processing of rectification requests

MoCI Reg Articles: 26

Seamlessly fulfill all data rectification requests with automated data subject verification and rectification workflows across all appearances of a subject’s personal data.

Automate erasure/destroy/anonymize requests

MoCI Reg Articles: 20,26(d); GR 71 Articles: 15, 18

Erase, destroy or anonymize a data subject’s requests via automated and flexible workflows.

data erasure request
Universal Consent Management

Monitor and track consent

MoCI Reg Articles: 2(2)(b)(c), 2(4), 6, 12(2), 24(1), 37(1); GR 71 Articles: 14(3) and 4; EIT Law Article: 26(1)

Routinely monitor and track consent of data subjects to prevent any illegal transfer or processing of data without the user’s consent. Continuously validate consent compliance to regulators and data subjects for swift action.

Continuous monitoring and tracking

MoCI Reg Articles: 24, 25 ; GR 71 Articles: 13,14(1)(2), 20(1); EIT Law Article: 3

Keep a birds-eye view of potential risks against non-compliance to data subjects’ rights by routinely monitoring and scanning personal consumer data.

data erasure request
PDP Readiness Assessment

Assess PDP Regulations readiness

MoCI Reg Articles: 4,6, 7,8, 9, 10, 28; GR 71 Articles: 2(2), 3,4, 6, 14(1)(2), 19; EIT Law Article: 2

With the help of our multi-regulation, collaborative, readiness, and data protection impact assessment system, you can gauge your organization's posture against PDP Regulations requirements, identify the gaps, and address the risks. Seamlessly being able to expand assessment capabilities across your vendor ecosystem to maintain compliance against PDP Regulations.

Map data flows and generate reports

MoCI Reg Articles: 21, 22(1), 28(e); GR 71 Article: 26(2), 22EIT Law Article: 27(1)

Instantly trace, manage, and monitor data flows on a single interface. Get comprehensive visibility by generating reports of all data points, any cross-border data transfers, vendor contracts, and compliance records.

Data Flow Mapping
breach response notification

Automate data breach response notifications

MoCI Reg Article: 28(c); GR 71 Articles: 14(5), 24(3)

Automate compliance actions and breach notifications to concerned stakeholders regarding any security incidents by leveraging a knowledge database on security incident diagnosis and response.

Meet cookie compliance

MoCI Reg Articles: 2(2)(b)(c), 2(4), 6, 12(2), 24(1), 37(1); GR 71 Articles: 14(3) and 4; EIT Law Articles: 26(1)

Automatically scan the web properties within your organization, categorizing tags and cookies. Also, build customizable cookie banners, collect consent, and provide a preference center.

Cookie Consent Regulation Preferences

Data Subject Rights Under Indonesia’s Personal Data Protection Regulations

Right to be Informed: ESPs must inform data subjects of the purpose of the collection of personal data and any future possible use of a user’s personal data.

Right to Access: Data subjects have the right to access their data and obtain access or the opportunity to receive the history of their personal data.

Right to rectification: A data subject is entitled to gain access to alter or renew their personal data without the interference of a personal data management system.

Right to erasure: A data subject can request the deletion of their personal data or have it erased after the storage time limit has been reached.

Right to opt-out: A data subject can withdraw consent for the processing of his/her personal data with which they don’t agree.

Quick Facts about PDP Regulations


The PDP Regulations primarily focus on electronic information and apply to individuals, legal entities, business entities, government institutions, public entities, and civic society organizations.


Under the PDP Regulations, the Indonesian government is empowered with the duty of supervision, advocacy, evaluation, enforcement, and other conducts necessary to ensure personal data protection.


The transfer of personal data is prohibited without the consent of the data subject, as stipulated under Article 27(1) of the EIT Law.


The PDP Regulations will impose hefty fines on those who violate or fail to comply with the law. Fines ranging from IDR 600 million to IDR 5 billion will be applicable along with imprisonment.


Indonesia’s PDP Bill would be the country’s first comprehensive data protection law governing the rights of Indonesian citizens.

Forrester Names Securiti a Leader in the Privacy Management Wave Q4, 2021

Read the Report
Forrester Wave

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report
IDC MarketScape

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend