Navigating the era of personal data protection in Indonesia

In October 2022, Indonesia took one significant step forward in the era of personal data protection by enacting Law Number 27 of 2022 concerning Personal Data Protection, commonly known as the “PDP Law.” This move solidifies the government’s commitment to safeguarding individual privacy and establishing a strong legal foundation for the use of personal data across various sectors, including the insurance industry.

One interesting update under the PDP Law is the duty to protect customer data. This duty includes the responsibility to ensure the security of customers’ personal data as to prevent misuse or violation of their privacy rights amidst the increasing incidents of personal data breaches experienced by both individuals and legal entities. The update is aimed at developing a more robust regulatory framework that will be able to enhance existing sectoral regulations governing personal data. The challenge that may be faced is the overlapping issues among personal data protection provisions across sectoral regulations. In order to overcome this challenge, it is necessary to differentiate the provisions in the PDP Law, which should cover the personal data protection standards in general, either partially or completely processed by electronic or non-electronic means, in which each sector can apply personal data protection according to its characteristics.

The Role of the Personal Data Protection Law

Within the business landscape, comprehending and adhering to the roles and obligations delineated by the PDP Law serve as an initial stepping stones towards achieving compliance while preserving the company’s reputation. Let us delve more deeply into some pivotal roles articulated by the PDP Law:

1. Protecting Consumer Privacy: The PDP Law serves as a vital instrument in addressing global challenges of personal data protection, where data can easily travel across borders. To that end, the PDP Law provides a robust framework to protect individual rights in Indonesia.
2. Regulating Data Processing: The PDP Law sets out provisions on how companies can collect, store, and manage personal data. This law encourages companies to implement more transparent practices in informing consumers about how their data is used, and in obtaining consent before utilizing it.
3. Balancing Business and Data Protection: The PDP Law strikes a wise balance between conducting business operations and safeguarding customers’ personal data. This regulation recognizes the importance of managing personal data responsibly without hindering innovation and growth in the business world.

Obligations to Prepare Officers for Companies

To run a successful business and gain the trust of customers, a company needs to understand its obligations related to customer data protection. The PDP Law requires the appointment of an individual whose role is to safeguard personal data, known as a Data Protection Officer (“DPO“).

The DPO serves as the primary custodian of the integrity of consumers’ personal data and as the enforcer of the provisions of the PDP Law. DPO plays a pivotal role in ensuring that companies comply with the regulations and maintain consumer trust. To become a DPO, a person must be a professional who has knowledge in the field of law and personal data protection, along with the ability to fulfill the responsibilities. So, what are the duties and responsibilities of a DPO?

Duties and Responsibilities of a DPO

1. Compliance Oversight: DPO has a central role in overseeing company compliance with the provisions of the PDP Law. They must ensure that consumers’ personal data is managed in full compliance with these regulations.
2. Providing Advice: DPO is entrusted with the duty of providing advice to companies on the course of action to undertake in order to be in compliance with the PDP Law, as well as extending the expertise in assessing the impacts of personal data protection.
3. Internal Coordination: DPO acts as a coordinator, liaising with various departments within the organization to guarantee the comprehensive compliance of all facets of the company with the provisions of the PDP Law, especially those relating to internal matters linked to personal data processing.

Does this mean that individuals aspiring to become a Personal DPO will need specific certification? and how can they prepare themselves for this crucial role? However, it is worth noting that the responsibilities and qualifications of a DPO will be provided in greater detail within the forthcoming Government Regulation, which is currently in the process of refinement.

Implications of the PDP Law on the Insurance Sector

In the course of their business, insurance companies collect and manage their customer’s personal data, including personal information, medical information, financial information, and more. With the enactment of the PDP Law, insurance companies are now required to ensure that customers’ data is managed carefully, limited to its intended purpose, transparently and in compliance with applicable regulations.

Strengthening Data Protection Practices: The PDP Law imposes a heightened need for insurance companies to bolster their data protection practices. This entails the fortification of measures to safeguard customer data against unauthorized access, disclosure, alteration, misuse, or loss. Personal data can only be deleted or destroyed after the expiry of the specified retention period or upon the customer’s request unless alternative regulations dictate otherwise.

Regulatory Changes and Compliance: Prior to the enactment of the PDP Law, insurance companies leaned on a mosaic of existing regulations, such as The Financial Services Authority Regulation or Peraturan Otoritas Jasa Keuangan (“POJK”) Number 6/POJK.07/2022 concerning Consumer and Public Protection in the Financial Services Sector (“POJK 6/2022“), while navigating the terrain of customer personal data processing and management. POJK 6/2022, for instance, featured key provisions pertaining to the necessity of upholding principles of protecting and preserving the privacy of customer information, as well as ensuring its utilization only for lawful purposes.

With the enactment of the PDP Law, the protection of customer’s personal data, in this case, policyholders, are now codified in one specific law. The new law requires adjustments of relevant statutes until October next year. It could be intriguing to explore potential revisions or the possibility of forming a new POJK to adjust the provisions of the PDP Law.

Sanctions for Violating the Provisions of the PDP Law

This regulation provides two types of sanctions for violations of the PDP Law:

1. Administrative sanctions: Administrative sanctions are in the form of written warnings, temporary suspension of personal data processing activities, deletion or destruction of personal data, and/or administrative fines, with a maximum fine of 2% of the annual income or annual revenue related to the violation.
2. In line with the statement of the Minister of Communication and Information Technology, Johnny G. Plate, on 21 September 2022 administrative sanctions are imposed on data controllers or processors who violate the provisions of the PDP Law e.g., in cases where personal data is processed for purposes other than those originally intended or where preventive measures against unauthorized data access fall short.
3. Criminal sanctions: As outlined in Articles 67 to 73 of the PDP Law, sanctions including fines from IDR 4 billion to IDR 6 billion, and imprisonment from 4 years to 6 years could be imposed for engaging in illegal activities such as collecting personal data not belonging to them for personal gain, disclosing personal data not belonging to them, and falsifying personal data for profit, resulting in harm to others. Corporations committing such violations can also be subject to additional sanctions e.g., confiscation of profits and/or assets obtained from such violations, suspension of the entire or part of the company’s business, permanent prohibition of doing certain actions, shutdown of the entire or part of the company’s place of business and/or activities, obligation to fulfill duties that have been neglected, payment of compensation, revocation of license and/or dissolution of the company.

To comply with the PDP Law, insurance companies may have to make internal adjustments and implement business practices in accordance with the law, with a deadline of October 2024.

Personal data protection is not merely a legal obligation but also a way to maintain trust and uphold the integrity of a business. We, ADCO Law, are ready to assist you in understanding and adopting best practices in running your business to be in accordance with the PDP Law.

Author: Christopher Johnston, Business Advisor, ADCO Law.

Further reading:

ESG and the future of business: Why is it important?

Rainmaking and rainmakers - how to bring in new clients

About ADCO Law

As Alliott Global Alliance’s law firm representative in Indonesia, ADCO Law offers clients a wide range of integrated legal services, including commercial transactions and corporate disputes in a variety of industry sectors.

Over the course of more than a decade, we have grown to understand the industries of our clients as well as regulatory aspects, and we provide comprehensive and solid legal advice and solutions to minimize legal and business risks.

We actively engage with financial, tax, environmental specialists, accountants, and law firms from various jurisdictions to give added value to our clients. Moreover, having strong relationships with Government agencies, regulators, associations, and industry stakeholders ensures that our firm has a holistic view of legal matters. Read more.