As Indonesia prepares to fully enforce its Personal Data Protection Law (UU PDP) after 17 September 2024, businesses are facing a critical decision point. With the deadline rapidly approaching, organizations must either take proactive measures to ensure compliance or risk significant challenges once the law takes full effect. The clock is ticking, and organizations that delay may face substantial hurdles as they scramble to meet the new requirements.

The UU PDP marks a significant shift in personal data management, aligning Indonesia’s practices with global standards such as the EU’s General Data Protection Regulation (GDPR). It aims to safeguard personal data and ensure that businesses handle it responsibly. However, despite the impending full implementation, several key issues remain unresolved, creating uncertainty for businesses on how to proceed.

Non-compliance with the UU PDP carries serious consequences. Organizations face administrative fines of up to 2% of annual revenue, in addition to potential criminal penalties. This article outlines what businesses need to know and provides a clear guide on how to effectively prepare for the upcoming regulations.

 

CURRENT LANDSCAPE OF UU PDP IN INDONESIA

While the law is about to take full effect, there are still a few strategic issues that are yet to be finalized, adding to the complexity of compliance for businesses:

  1. Pending Government Regulations (PP)

    One of the most significant hurdles is that the detailed Government Regulations (Peraturan Pemerintah, PP) accompanying the UU PDP are still in draft form. These regulations will cover important aspects like data processing activities, data disclosure, and penalties for violations. Without this clarity, businesses are left uncertain about the exact steps they need to take to comply fully with the law.

  2. Absence of a Data Protection Supervisory Body

    The law calls for an independent supervisory authority, Lembaga Pengawas Perlindungan Data Pribadi, to oversee and enforce data protection regulations. According to Article 58, this body is expected to set data protection strategies and policies while also enforcing administrative sanctions. While it will ultimately report to the President, for now, it will coordinate with the Ministry of Communication and Information Technology (Kominfo). The absence of this supervisory authority makes businesses unsure of how enforcement will play out in practice.

  3. Overlapping Regulations

    Indonesia has multiple existing data protection regulations that overlap with the UU PDP. This can cause confusion, particularly for companies in sectors with complex regulatory requirements. Clearer harmonization between these laws is needed to avoid compliance issues.

 

TOP CHALLENGES FOR BUSINESSES IMPLEMENTING UU PDP 

As businesses prepare for the UU PDP, they are encountering several challenges. Below are the 3 most pressing:

Compliance Readiness 

Many organizations, especially small and medium-sized enterprises (SMEs), are not fully prepared for the law’s requirements. They need to upgrade their data protection systems, create privacy policies, and enhance cybersecurity measures. Delaying these preparations can lead to significant penalties and damage to reputation.

Appointing a Data Protection Officer (DPO)

The UU PDP requires organizations to appoint a Data Protection Officer (DPO) if they handle substantial amounts of personal data. Finding and training qualified DPOs is a challenge, particularly in the technology and finance sectors. This shortage adds complexity to achieving compliance.

Enforcement and Penalties

One of the biggest concerns businesses have is the strict penalties outlined in the UU PDP. Media coverage has highlighted the severity of potential fines and criminal charges, making it a top worry for business leaders. The uncertainty surrounding how the law will be enforced also adds to the anxiety, as organizations are unsure of what operational changes are needed to avoid penalties.

 

ESSENTIAL STRATEGIES FOR IMMEDIATE ACTION 

With the full implementation date approaching, businesses cannot afford to wait. Here are some quick-win strategies that can help companies kickstart their compliance journey:

Conduct a Readiness or Gap Assessment

The first step is to assess your organization’s current data protection practices and identify any gaps in compliance with the UU PDP. This includes reviewing your data collection, processing, and storage practices, as well as evaluating your privacy policies and security measures.

Develop a Compliance Roadmap

Once gaps are identified, develop a phased roadmap to address them. This should include updating internal processes, securing personal data, and ensuring that data protection measures are integrated into your business operations.

Appoint or Train a Data Protection Officer (DPO)

If your business is required to appoint a DPO, start the recruitment process now. Alternatively, you can train an existing employee who has a solid understanding of data protection laws and can take on the role of DPO with the right guidance.

Vendor Management and Third-Party Audits

Review your contracts with vendors and partners to ensure they are aligned with the UU PDP. Conduct third-party audits to confirm that they are also complying with data protection laws. This can help minimize risks associated with non-compliant partners.

 

CONCLUSION: ACT NOW TO STAY AHEAD 

Despite the uncertainties, it's crucial for businesses to start preparing for the UU PDP now. The best approach is to conduct a readiness assessment to identify any gaps in your current data protection practices. From there, develop a phased compliance strategy to address these gaps and ensure you are ready when the law takes full effect.

 

Erikman D. Pardamean, Technology Risk Consulting Practice