Securiti Named a 2022 Cool Vendor in Data Security by Gartner

Download Now

Indonesia’s Draft Personal Data Protection Bill (PDPB)

Operationalize PDPB Compliance with the most comprehensive PrivacyOps platform.


Download the book today!

PrivacyOps - Automation & Orchestration for Privacy Compliance
Download Book
Available in PDF

Indonesia’s draft Personal Data Protection Bill (PDPB) was signed on January 24, 2020. The regulations related to personal data protection existed in different Indonesian laws, but for improved effectiveness of Indonesian citizens’ personal data protection, a separate law dedicated to data protection was required, and hence, a draft bill was signed. The draft PDPB would apply to any person, entity, organization, and legal entity that operate within or outside Indonesia and have legal consequences to the personal data owner (data subject) within or outside the legal territory of the Republic of Indonesia.

The solution

Securiti enables organizations to ensure seamless compliance with Indonesia’s draft Personal Data Protection Bill (Draft PDPB) with its AI-driven data discovery, DSR automation, universal consent management, autonomous documented accountability, data breach management, and vendor risk assessment.

securiti dashboard

Securiti supports enterprises in their journey towards compliance with Indonesia’s Draft PDPB through automation, enhanced data visibility, and identity linking.

See how our comprehensive PrivacyOps platform helps you comply with various sections of Indonesia’s draft PDPB.


dsr portal

Customize a data subject rights request portal for seamless customer care

Create personalized web forms according to your brand style guide with the DSR request format and accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.

Assess Indonesia’s Draft PDPB readiness

Articles 2, 17, 21, 24, 27, 28, 29, 35, 36, 41, 45, 55

With the help of our multi-regulation, collaborative, readiness, and personal information impact assessment system, you can gauge your organization's posture against Indonesia’s draft PDPB requirements, identify the gaps, and address the risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance.

Assess GDPR readiness
dsr handling

Automate data subject request handling

Chapter III

Data subjects have the right to be informed of the use of their personal data and access their data held by an organization. For this purpose, organizations must simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and reduce the workforce required to comply with all the requests.

Secure fulfillment of data access requests

Articles 4, 6, 14, 15, 32

Disclosure of information to the data subjects within a limited time frame of receiving a verifiable data request is a must for any organization looking to comply. This will be free of charge and delivered through a secure, centralized portal.

data access request
data rectify request

Automate the processing of rectification requests

Articles: 5, 7, 33, 34

With the help of automated data subject verification workflows across all appearances of a subject’s personal data, you can seamlessly fulfill all data rectification requests.

Automate erasure/destroy/anonymize requests

Articles: 8, 38(1)(c), 39(1)(c)

Fulfill data subject’s erasure/destroy/anonymize requests swiftly through automated and flexible workflows.

data erasure request
processing request

Automate objection and restriction of processing requests

Articles: 8, 10, 11, 12, 26

Build a framework for objection and restriction of processing handling based on business requirements, with the help of collaborative workflows.

Meet cookie compliance

Articles: 9, 18, 19, 20, 25(1)

Automatically scan the web properties within your organization, categorizing tags, and cookies. Also, build customizable cookie banners, collect consent, and provide a preference center.

cookie consent
consent preference management

Monitor and track consent

Articles: 9, 18, 19, 20, 25(1)

Track consent revocation of data subjects to prevent the transfer or processing of data without their consent. Seamlessly demonstrate consent compliance to regulators and data subjects.

Automate data breach response notifications

Article: 40

Automates compliance actions and breach notifications to concerned stakeholders about security incidents by leveraging a knowledge database on security incident diagnosis and response.

breach response notification
manage vendor risk

Manage vendor risk

Articles: 43, 44, 45

Keep track of privacy and security readiness for all your service providers and processors from a single interface. Collaborate instantly with vendors, automate data requests and deletions, and manage all vendor contracts and compliance documents.

Map data flows (cross border data transfers) and generate RoPA reports

Articles 47, 48, 49, 31

Instantly trace, manage, and monitor data flows on a single interface. Get comprehensive visibility by generating reports of all data points, any cross-border data transfers, vendor contracts, and compliance records.

map data flows

Automate DPIAs and risk assessments

Articles 46(1)(c)

Automate the data protection impact assessment process by identifying the risks early on and mitigating them to ensure data security and compliance with the draft PDPB.

Privacy policy and notice management

Articles 41

Dynamically update privacy policies and notices to comply with Indonesia’s draft PDPB. Automate how you publish your privacy notices with the help of pre-built templates to make the process faster. Also, enable centralized management by tracking and monitoring privacy notices in order to maintain compliance.

personal data monitoring tracking

Continuous monitor and tracking

Articles 17, 28, 29, 30, 46(1)(b)

Keep a birds-eye view of potential risks against non-compliance to data subjects’ rights by routinely monitoring and scanning personal consumer data.

Key Rights Under Indonesia’s Draft PDPB

Right to Request/Access Information: The personal data owner has the right to access their personal data held by the personal data controller in accordance with the provisions set under the bill. Additionally, they can request information regarding the use and purpose of their personal data and the accountable party requesting it.

Right to Renew/Correct/ Complete Information: The personal data owner has the right to request the completion, renewal, or correction of any mistake or inaccuracy in their personal data according to the set provisions.

Right to Terminate/Erasure : The personal data owner has the right to request the termination, erasure, or destruction of their personal data.

Right to Revoke Consent: The personal data owner has the right to revoke their consent at any period in time the processing of their personal data that has been permitted to the personal data controller.

Right to Object Automated Decision Making: The personal data owner has the right to object to the decision making which is based on automatic processing in accordance with personal profiling.

Right to Postpone/Limit: The personal data owner has the right to postpone or limit the processing of their personal data in accordance with the purpose of processing.

Right to File Lawsuit: The personal data owner has the right to file a lawsuit and receive compensation against the violation of their personal data as defined in the provisions under the bill.

Right to Pseudonymization: The personal data owner has the right to choose or not to choose the pseudonymization of their personal data for any purpose.

Facts related to Indonesia’s Draft Personal Data Protection Bill


The draft PDPB requires the personal data controller to comply with the eight principles for personal data processing, including but not limited to a specific basis for processing, the purpose of processing, and guarantee of the rights of the personal data owner, to name a few.


The draft PDPB defines separate cross-border transfer regulations for data transfer within and outside the legal territory of the Republic of Indonesia, such as in case of outside Indonesia data transfer, the recipient international organization must have equivalent or higher data protection measures, there’s an international treaty, and the personal data controller has the consent of the personal data owner.


In the event of personal data protection failure, the personal data controller shall notify about the failure of the personal data owner and the Minister in writing within 72 hours.


Imprisonment penalties and fines range from 1 year to up to 6 six years, and from Rp 20,000,000,000.00 (twenty billion rupiahs) to up to Rp 10,000,000,000.00 (ten billion rupiahs) depending on the severity of the violation of the draft PDPB.




Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 ISO certification RSAC Leader Forrester Badge IAPP Innovation award 2020 Sinet Innovator Award Gartner Cool Vendor Award

Securiti PrivacyOps Named a Leader in The Forrester WaveTM