Indonesia's Data Protection Law: Are Businesses Ready?
Indonesian Businesses Seek Clarity on Data Transfer and the Financial Regulator's Role
It has been over a year since Indonesia enacted its first personal data protection law, bringing its data privacy and security controls closer to the standards set by Europe's General Data Protection Regulation. The country, hit hard by cyberattacks in recent years, gave data controllers and data processors two years to firm up their cybersecurity policies and practices to comply fully with the new data protection law.
With less than a year to go, cybersecurity leaders feel domestic businesses and corporations must overcome many obstacles before they become fully compliant and get complete visibility and control over the data they collect, store and process.
The government seems to be aware of the challenges. The Communication and Informatics Ministry in July said it is ramping up efforts to prepare derivative regulations for the data protection law and disseminate information to individuals and businesses to help them fulfil essential requirements. "In the two-year transition period, we are providing a chance to data managers to prepare the regulated things, one of which is readying data protection officers," a ministry official said.
The government has also said the data protection law will streamline cross-border data transfers, rather than becoming an impediment to data exchanges. Minister of Communication and Information Budi Arie Setiadi said government regulations on data transfers must align with regional and global regulations such as the ASEAN Model Contractual Clauses for Cross Border Data Flows (ASEAN MCCs). "This is necessary so that policy convergence that supports interoperability of data transmission activities can be realized," he said.
Cybersecurity experts within Indonesia's private sector agree that the PDP law can help businesses better protect customer information and abide by global rules on data privacy and protection, but a lack of clarity on teething issues could complicate compliance: whom businesses may share data with, the roles and responsibilities of a proposed data protection authority, whether the law could clash with the financial regulator's data security regulations, and which types of businesses are required to appoint data protection officers.
Acute Shortage of Cybersecurity Professionals
Like many other countries in the ASEAN region, Indonesia lacks the cybersecurity professionals needed to secure businesses across all sectors. The new law requires every data controller to appoint a data protection officer who can ensure that data is collected, stored and processed correctly, but the number of organizations in the country far exceeds the number of skilled cybersecurity professionals.
Andang Nugroho, president of the ISC(2) Jakarta Chapter, said many Indonesian businesses are looking at making a senior information technology executive responsible for cybersecurity to cover for the acute shortage. Industry certification bodies, such as ISACA and ISC(2), are also offering more cybersecurity certifications, but progress is slow at this point.
Nugroho said only five people have received CISSP certifications and five have received CCSP certifications from ISC(2) so far this year, for a total of about 130 CISSPs and 15 CCSPs across Indonesia. The country needs many more professionals and needs to focus on skills development, Nugroho said.
Rusdi Rachim, chief information security officer at Indonesia's Maybank, said many organizations cannot automatically appoint their CISOs as data protection officers. DPOs will have regulatory and legal challenges to deal with aside from the technical aspects of data privacy and protection.
Organizations will have to find qualified professionals to function as data protection officers and also set up steering committees to establish a roadmap for complying with the law, decide deliverables for the task force, set timelines and realistic expectations. Only then can organizations make progress to remain compliant in the long run.
Lack of Awareness
Nugroho said a vast majority of Indonesian businesses lack clarity or knowledge about the Personal Data Protection Act, and the government has provided little support and guidance, contributing to the general lack of awareness. Unless organizations take an active interest in learning more about the law, they will not be able to fine-tune their data protection policies and practices before the grace period expires.
Most Indonesian citizens are also unaware of the law or their digital rights, and hence they don't know if organizations are misusing or selling their data without their permission, he said. If citizens are aware of their right to data privacy and protection, organizations will be incentivized to abide by the new data privacy rules or face reputational damage in the long run.
Jeremiah Purba, a senior associate at global law firm Norton Rose Fulbright, cited several concerns that have not been fully addressed in the data protection law. Indonesia has yet to set up a supervisory authority responsible for overseeing legal compliance, and the government has yet to issue implementing regulations for the law. Consequently, businesses are not clear about the supervisory authority's role. Organizations in the financial sector are also unsure about how the authority will interact or cooperate with the OJK, the financial services authority.
According to Purba, the cross-border data transfer rules are unclear. The law mandates that Indonesia and the country to which the data is being transferred must have the same level of data protection. Many businesses are not clear about how to assess whether a third country has comparable data protection regulations, and the government has so far not published a list of countries with similar or more stringent data privacy and protection regulations.
Complexity
Some of the new requirements are quite stringent, and businesses fear they may struggle to comply with them, Nugroho said. For example, the law gives customers the right to request deletion or changes to the data companies hold about them, but given how things are now, it is difficult for companies to honor such requests within specified timelines.
He said such complexities, along with a lack of guidance from the government, ensure that businesses are not ready to comply with the new law and do not know how to comply with it. The government may have to extend the grace period further, given the existing lack of preparedness.
Wahyu Agung Prasetyo, IT and cyber risk management head at Bank Mega, said that in the absence of specific instructions or guidance from the government, banking and financial institutions are carefully preparing to comply with the law when it goes into effect. The bank is identifying all the customer data stored in its systems and reviewing and updating customer consent forms.
Prasetyo said the financial regulatory authority has published regulations on the digitization of banking records, the cybersecurity of banking systems, and financial institutions' data maturity. But there is a lack of clarity over how the law will be implemented and whether it will supersede the financial regulator's existing regulations.
Compliance Remains a Bridge Too Far
Indonesia is emerging as one of Asia's brightest stars based on its economic development, GDP growth and growing role in global industrial supply chains. The country has taken a major step forward with the new Personal Data Protection Law, which could make data exchanges with Europe and the Americas much smoother and better regulated. While the government gave businesses a two-year grace period to prepare for legal compliance, experts indicate that more work needs to be done by all stakeholders to eliminate uncertainties within this landmark legislation.