In an increasingly online world, information has become the currency of the digital era, with information security and data privacy becoming top priorities for both organizations and consumers alike.
Even so, as our transactions move online, so do the threats. Protecting personal and sensitive data is now more important than ever because of the constantly changing cyber threat landscape along with the expansion of rules and regulations such as the personal data protection law (UU PDP).
The dynamic nature of technology has driven companies to be on their toes when it comes to safeguarding their customers’ information and data. Perhaps we can take a look at how GoTo, Indonesia’s largest technology group, comprising Gojek, Tokopedia, GoTo Financial, and GoTo Logistics, formulates its strategies to keep its data safe and to comply with the prevailing personal data protection laws and regulations, and adopt the relevant efforts at the company we work for.
With the increase in cyber threats, it is imperative for companies to have a strong information security capability. Recognizing this, GoTo has a comprehensive Information Security Team that manages cybersecurity risks through preventive and detective measures, including a Cyber Security Operations Center to continuously monitor every cyber attack attempt, a Computer Security Incident Response Team to react swiftly in the event of an incident, and Cyber Threat Intelligence for threat insight and trend analysis. GoTo also continuously carries out various initiatives to raise the security standard of the digital ecosystem as a whole, including employing modern encryption techniques, AI-driven anomaly detection, and the Bug Bounty Program, which aims to identify vulnerabilities in the company’s servers, applications, sites and backend services by allowing ethical hackers to test information security programs in exchange for a reward.
In addition to the efforts by the Information Security team to secure the whole ecosystem, GoTo acknowledges that serving millions of users comes with the responsibility of protecting their personal data and privacy. It is committed to upholding the trust given to the company and proactively initiated its personal data protection efforts even before the UU PDP was ratified. A concrete form of this commitment is the formation of a dedicated team, the Data Protection and Privacy Office (DPPO), to drive the efforts to protect the personal data and privacy of the individuals in the GoTo ecosystem. These efforts include not only protecting personal data through technological and organizational measures, such as access controls and encryption, but also empowering individuals to control the personal data that GoTo processes, by providing them with a mechanism to exercise their rights to access, rectify and delete their personal data. GoTo’s platforms provide users with several rights they can exercise regarding their personal data. For instance, users can change their numbers or email addresses independently by accessing the profile section. In addition, users can exercise their other rights regarding personal data, including deleting their data, by contacting the contact center.
GoTo implements data protection and privacy measures throughout the course of personal data processing, from the point of collection, where it ensures that only the minimal personal data needed to provide the service is collected, through to the deletion of personal data when it is no longer needed. Where GoTo engages third parties in providing certain services, it expects the same level of data protection and safeguarding from them, and they are therefore subject to reviews and assessments to ensure this. The company’s practices are communicated transparently in its Privacy Notice (Kebijakan Privasi), accessible to all individuals.
While the Information Security team focuses on strengthening cybersecurity controls and managing security risks, the DPPO team focuses on protecting the personal data and privacy of the individuals in the ecosystem. The two teams collaborate closely with various divisions and units to enhance user safety and comfort across all GoTo services and business units. Both Information Security and DPPO are permanent members of the Group Risk Management Committee, which supports the Board of Directors’ risk oversight role.
For a security and privacy program to work effectively, everyone involved needs to understand the importance of data security and privacy and how to maintain them. To achieve this, all GoTo employees and third-party contractors are subject to mandatory training on information security and data privacy when they join the organization and on an annual basis thereafter. The training covers topics such as how to identify security risks (e.g. phishing) and the practical implementation of data security and privacy processes in daily tasks. Third parties that work with GoTo also undergo a risk assessment and verification process, and must adhere to a data processing agreement that outlines rights and obligations.
All the above efforts have led GoTo to be one of the leading organizations in Information Security and Data Privacy. It is one of only a handful of organizations in Indonesia that have obtained both ISO 27001 Information Security Management System certification and ISO 27701 Privacy Information Management System certification, covering GoTo’s main services.