The implementation of Law No. 27 of 2022 on Personal Data Protection, ratified on October 17, 2023 (“PDP Law”), marks a pivotal moment in Indonesia’s regulatory landscape, particularly for enterprises navigating the complexities of big data. This legislation sets forth a comprehensive framework outlining various obligations for companies acting as personal data controllers or processors, including the requirement to appoint a data protection officer (“DPO”).
Originating from the European Union’s 2018 General Data Protection Regulation (“GDPR”), the concept of the DPO emerged as a cornerstone for ensuring compliance with data protection standards. The DPO assumes a pivotal role in overseeing the processing of personal data, ensuring alignment with regulatory requirements, and safeguarding the rights of stakeholders, including staff, customers, and suppliers.
Similarly, the Indonesian PDP Law emphasizes the critical function of the DPO in mitigating risks associated with personal data processing activities for both personal data controllers and personal data processors. As companies adjust to these regulations, understanding the role and responsibilities of the DPO becomes crucial for maintaining compliance and trust in data protection practices.
Requirements to appoint a DPO
Within the framework of the PDP Law, the obligation to appoint a DPO is not universal among all personal data controllers. Rather, the PDP Law stipulates that a DPO must be appointed by those entities meeting the following criteria:
- Engaging in the processing of Personal Data for public service purposes;
- Conducting core activities that necessitate regular and systematic monitoring of personal data on a large scale; and
- Conducting core activities involving the processing of personal data on a large scale, particularly Personal Data of a specific nature or Personal Data related to criminal acts.
Although neither the PDP Law nor the most recent draft Bill of the Government Regulation on the Implementation of the PDP Law explicitly defines the parameters of “large scale” personal data processing activities, Indonesian companies can draw insights from the global standards established by the GDPR. According to GDPR interpretation, enterprises may be considered to be engaging in “large scale” processing if they:
- Employ more than 250 individuals (on a full-time equivalent basis); or
- Process personal data from more than 5,000 personal data subjects within any 12 consecutive calendar months.
However, considering the ambiguity surrounding the definition of “large scale,” Indonesian entities acting as personal data controllers or processors may opt to appoint a DPO even if they do not strictly meet the criteria. This proactive measure ensures that their data processing activities adhere to the principles of personal data protection outlined in existing laws and regulations, thereby mitigating the risk of potential violations.
Skills and competencies of a DPO
When appointing a DPO, personal data controllers and processors seek individuals with a blend of professionalism, legal knowledge, and familiarity with personal data protection practices. Although the PDP Law does not lay out specific criteria for professionalism and competence, the Indonesian Government plans to address this through the PDP Institution, which will be established by a presidential decree.
In the forthcoming PDP Institution regulations, there will likely be clear guidelines on what makes a competent and professional DPO. This move aims to ensure that DPOs have the necessary skills to navigate data protection challenges effectively, protecting personal data in line with Indonesian regulations.
Roles and responsibilities of a DPO
The PDP Law assigns a range of crucial responsibilities to DPOs aimed at mitigating risks inherent in the processing of Personal Data by the entities that appoint them, be they personal data controllers or processors. These responsibilities include:
- Advising and guiding personal data controllers on adhering to the stipulations of the PDP Law;
- Monitoring and ensuring compliance with both the PDP Law and the internal policies of the respective entity;
- Offering insights into assessing the impact of personal data protection measures and overseeing the performance of Personal Data Controllers and Processors; and
- Serving as a central point of contact for matters of the processing of personal data.
To empower DPOs to execute their duties effectively, the latest draft Bill of the Government Regulation on the Implementation of PDP Law mandates personal data controllers to:
- Involve the DPO in all matters related to personal data processing in a timely and comprehensive manner;
- Grant the DPO reporting access to the highest echelons of management;
- Ensure the autonomy of DPOs and safeguard them from retribution for fulfilling their duties as per statutory provisions;
- Provide adequate resources to facilitate the DPO’s effective execution of duties and ongoing professional development;
- Grant the DPO appropriate access to personal data processing activities;
- Facilitate the DPO’s access to other pertinent services to obtain crucial information related to personal data processing;
- Seek guidance from the DPO when evaluating the impact of personal data protection measures; and
- Maintain comprehensive documentation of the DPO’s roles and activities.
While awaiting the enactment of the Government Regulation on the Implementation of PDP Law, Indonesian companies are encouraged to treat these requirements as proactive measures towards compliance with the PDP Law, while remaining flexible to accommodate any forthcoming amendments.
Alignment of DPO roles
When Personal Data Controllers or Processors choose to designate a DPO from their existing internal workforce, it’s crucial to ensure that the DPO’s responsibilities don’t clash with their other roles within the organization. While the PDP Law or the latest Government Regulation draft on PDP Law doesn’t offer explicit guidelines on ensuring the independence of internally appointed DPOs, Indonesian companies can draw insights from global practices, particularly those outlined in GDPR.
According to GDPR norms, DPOs are expected to hold pivotal and autonomous positions within their organizations, backed by the following independent guarantees:
- DPOs shouldn’t receive directives regarding their roles and responsibilities;
- There should be no conflicts of interest between the DPO’s duties and any other roles they may hold. It’s advisable that the DPO:
  - Isn’t directly involved in personal data processing activities;
  - Works on a fixed-term contract rather than being a permanent employee;
  - Reports directly to management rather than to a direct supervisor;
  - Manages their own budget.
- The organization should provide the necessary resources to support the DPO in their duties;
- DPOs should be granted access and authority to scrutinize all Personal Data processing operations; and
- The organization should establish a minimum term of appointment and strict dismissal conditions for DPOs.
Regardless of whether DPOs are internal employees or external consultants, they must collaborate with the units, officials, or parties responsible for data security within the organization. DPOs are obliged to:
- Provide recommendations and suggestions to the units, officials, or parties responsible for the security of the personal data processed by the personal data controllers, to ensure that data security measures align with the requirements of the prevailing laws and regulations;
- Make the necessary efforts to ensure that the unit, official, or party responsible for the security of the personal data processed by the personal data controllers implements technical and operational measures that take into account the protection of the rights and freedoms of personal data subjects; and
- Report the performance of the unit, official, or party responsible for the security of personal data processing to the board of directors and/or the PDP Institution, based on the DPO’s assessment of whether that unit, official, or party has or has not implemented technical and operational steps that take into account the protection of personal data subjects according to the needs of the personal data controllers.
This collaboration can involve ongoing communication and cooperation between the DPO and the relevant units, officials, or parties responsible for data security to facilitate effective data protection practices.
Administrative sanctions
The appointment of a DPO serves as a cornerstone in ensuring that personal data processing activities conducted by both personal data controllers and processors align with the mandates of the PDP Law and other pertinent regulations. This is particularly crucial for entities meeting the criteria mandating DPO appointment, as outlined earlier. Furthermore, the appointment of a DPO serves as a preventative measure against the imposition of various administrative sanctions in case of non-compliance. These sanctions may include:
- Written warnings;
- Temporary suspension of personal data processing activities;
- Deletion or destruction of personal data found to be processed in violation of regulations; and/or
- Administrative fines of up to a maximum of 2 percent of annual income or annual receipts, depending on the violation variables.
Considering the above, by appointing a DPO and ensuring adherence to personal data protection protocols, entities can mitigate the risk of facing these administrative sanctions, thus fostering a culture of compliance and accountability in their data handling practices.
How to Appoint a DPO
It is essential to note that the Indonesian Government mandates compliance with the PDP Law within a two-year timeframe from the enactment date, which commenced on October 17, 2022. This necessitates that Personal Data Controllers and Processors appoint a DPO no later than October 16, 2024, to ensure adherence to the provisions of the PDP Law.
Personal data controllers have the flexibility to appoint a DPO through the following avenues:
- Internal Workforce
Personal data controllers and processors may choose to designate existing employees who possess the requisite skills and competencies outlined in the PDP Law as their DPO. However, careful consideration is warranted, as not all employees are suitable for this role. Individuals who hold positions on the board, or who may face conflicts of interest between their regular duties and the responsibilities of the DPO, are ineligible for appointment. Examples of such roles include IT managers, personnel managers, and heads of marketing. Additionally, internal DPOs must demonstrate expert knowledge in data protection law to effectively fulfil their duties.
- External Consultant
Alternatively, personal data controllers have the option to enlist the services of an external expert or consultant to fulfil the role of DPO. External DPOs bring a high level of expertise in data protection law and operate as independent professionals. External service providers can undertake various DPO responsibilities, including conducting training and awareness programs, monitoring and mitigating risks, and responding to data breaches, while maintaining their independence as DPOs.
About Us
ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.