Indonesia’s Personal Data Protection Law (PDPL)
Operationalize PDPL Compliance with PrivacyOps Platform
On September 20, 2022, the Indonesian Parliament ratified the Personal Data Protection Bill (PDPB). Officially known as the Personal Data Protection Law (PDPL), it aims to provide Indonesians the same degree of data protection as other major data privacy regulations.
The law will have an extraterritorial application for international organizations that handle Indonesian citizens’ data or perform data processing acts that have consequences within Indonesia or in relation to Indonesian citizens. Processing involves collecting, analyzing, storing, transferring, or deleting personal data belonging to Indonesian citizens.
It places major obligations upon organizations to ensure their activities comply with the law’s provisions. The PDPL provides a transition period of two years for both data controllers and data processors to adjust their data handling and processing methods in accordance with the new law.
The PDPL will formally come into effect on a date set by the Minister of State Secretariat, following which organizations subject to the PDPL will have two years to ensure compliance with the law.
The Solution
Securiti enables organizations to ensure seamless compliance with Indonesia’s PDPL Personal Data Protection Law with AI-driven data discovery, DSR automation, universal consent management, autonomous documented accountability, data breach management, and vendor risk assessment.
Securiti supports enterprises in their journey toward compliance with Indonesia’s PDPL through automation, enhanced data visibility, and identity linking.
See how our comprehensive PrivacyOps platform helps you comply with various sections of Indonesia’s PDPL.
Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.
Assess Indonesia’s PDPL Readiness
Articles: 2, 16, 21, 28, 29, 30, 35, 37, 38, 39, 53, 54
With the help of our multi-regulation, collaborative, readiness, and personal information impact assessment system, you can gauge your organization's posture against Indonesia’s PDPL requirements, identify gaps, and address any risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance.
Automate Data Subject Request Handling
Chapter IV
Data subjects have the right to be informed of the use of their personal data and access the data held by an organization. For this purpose, organizations must simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and reduce the workforce required to comply with all requests.
Furthermore, create personalized web forms according to your brand style guide with the DSR request format and accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received. Automate the delivery and generation of secure data access reports to significantly reduce the risk of compliance violations and reduce the workforce required to comply with all requests.
Secure Fulfillment of Data Access Requests
Articles: 5, 7, 13, 14, 32, 33
Disclosure of information to the data subjects within a limited time frame of receiving a verifiable data request is a must for any organization looking to comply. This will be free of charge and delivered through a secure, centralized portal.
Automate the Processing of Rectification Requests
Articles:6, 14, 30, 33
With the help of automated data subject verification workflows across all appearances of a subject’s personal data, you can seamlessly fulfill all data rectification requests.
Automate Erasure / Destroy / Anonymize Requests
Articles: 8, 16(1) (f), 16(2)(g), 44, 45, 48(3), 48(4), 57(2)(c)
Fulfill data subjects’ erasure/destroy/anonymize requests swiftly through automated and flexible workflows.
Automate Objection and Restriction of Processing Requests
Articles: 10, 11, 34(2)(g), 41
Build a framework for objection and restriction of processing handling based on business requirements with the help of collaborative workflows.
Monitor and Track Consent
Articles: 9, 20(2)(a), 21(1), 22(1), 23, 24, 25(2), 26(3), 40, 43(1)(b), 51(5)
Track consent revocation of data subjects to prevent the transfer or processing of data without their consent. Seamlessly demonstrate consent compliance to regulators and data subjects.
Meet Cookie Compliance
Articles: 9, 18, 19, 20, 25(1)
Automatically scan the web properties within your organization, categorizing tags and cookies. Also, build customizable cookie banners, collect consent, and provide a preference center.
Automate Data Breach Response Notifications
Article: 46
Automates compliance actions and breach notifications to concerned stakeholders about security incidents by leveraging a knowledge database on security incident diagnosis and response.
Manage Vendor Risk
Articles: 51, 52, 53
Keep track of privacy and security readiness for all your service providers and processors from a single interface. Collaborate instantly with vendors, automate data requests and deletions, and manage all vendor contracts and compliance documents.
Map Data Flows (Cross-Border Data Transfers) and Generate RoPA Reports
Articles: 31, 48, 56, 60(f)
Instantly trace, manage, and monitor data flows on a single interface. Get comprehensive visibility by generating reports of all data points, any cross-border data transfers, vendor contracts, and compliance records.
Automate DPIAs and Risk Assessments
Articles: 34(1), 34(3)
Automate the data protection impact assessment process by identifying the risks early on and mitigating them to ensure data security and compliance with the PDPL.
Privacy Policy and Notice Management
Articles: 47
Dynamically update privacy policies and notices to comply with Indonesia’s PDPL. Automate how you publish your privacy notices with the help of pre-built templates to make the process faster. Also, enable centralized management by tracking and monitoring privacy notices in order to maintain compliance.
Continuous Monitoring and Tracking
Articles: 16, 27, 28, 29, 53(1)(b), 54(1)(b), 54(1)(c), 60(j)
Keep a birds-eye view of potential risks against non-compliance to data subjects’ rights by routinely monitoring and scanning personal consumer data.
Data Security and Access Controls
Articles: 16(2)(e), 35, 39(1), 39(2)
Ensure that the personal data is secured from any unauthorized access, disclosure, alteration or misuse, or deletion before processing such data. Determine the security level and accordingly implement relevant technical and operational measures to protect personal data.
Key Rights Under Indonesia’s Draft PDPL
Right to Request/Access Information
The personal data owner has the right to access the personal data held by the personal data controller in accordance with the provisions set under the PDPL. Additionally, they can request information regarding the use and purpose of their personal data and the accountable party requesting it.
Right to Renew/Correct/ Complete Information
The personal data owner has the right to request the completion, renewal, or correction of any mistake or inaccuracy in their personal data according to the set provisions. The data controller is required to do so within 72 hours of receiving such a request.
Right to Terminate/Erasure
The personal data owner has the right to request the termination, erasure, or destruction of their personal data.
Right to Revoke Consent
The personal data owner has the right to revoke their consent at any period in time for the processing of their personal data that has been permitted to the personal data controller.
Right to Object Automated Decision Making
The personal data owner has the right to object to the decision-making, which is based on automatic processing in accordance with personal profiling.
Right to Postpone/Limit
The personal data owner has the right to postpone or limit the processing of their personal data in accordance with the purpose of processing.
Right to File Lawsuit
The personal data owner has the right to file a lawsuit and receive compensation for the violation of their personal data as defined by Article 12 of the PDPL.
Right to Data Portability
All data subjects have the right to obtain a copy of all personal data collected on them by a data controller or processor in a commonly used machine-readable format as provided by Article 13 of the PDPL.
Facts Related to Indonesia’s Personal Data Protection Law
Here are some important facts to know about the PDPL:
The data controller or the data processor is required to appoint an official who performs personal data protection in situations where processing is for public purposes, if the processing requires constant monitoring of personal data on a large scale and if there is large-scale processing of criminal offenses.
In the case of cross-border data transfer, organizations should ensure equivalent or higher data protection measures are in place where data is being sent.
The PDPL provides administrative sanctions and penal penalties in case of a personal data breach.
The administrative fines would be a maximum of 2% of annual revenue or annual acceptance of the violation variable. Additional punishments may also be imposed in the form of confiscating assets/profits obtained from unlawful activities.
Unlawful collection of an individual's personal data is punishable with either imprisonment of a maximum of 6 years or a maximum fine of up to 6 billion rupiahs.
The President shall establish a regulatory body to supervise the application of PDPL.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
Copyright © 2022 Securiti · Sitemap · XML Sitemap
Newsletter
Get in touch
[email protected]
3031 Tisch Way Suite 110 Plaza West, San Jose,
CA 95128
