In the wake of Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), organizations and companies in Indonesia are subject to a stringent set of regulations aimed at safeguarding the personal data they handle. This legislation introduces numerous obligations for entities acting as Personal Data Controllers or Processors, necessitating robust measures to protect the personal data collected from customers, clients, employees, and other relevant parties. Failure to adhere to the provisions outlined in the PDP Law can result in substantial penalties, including fines of up to IDR 60 billion or 2% of annual revenue, underscoring the gravity of compliance.
A pivotal aspect of demonstrating compliance with the PDP Law is the implementation of Data Protection Impact Assessments (DPIAs) for activities involving the processing of high-risk personal data. The purpose of DPIA in PDP Law is like the DPIA introduced in the European Union’s 2018 General Data Protection Regulation (“GDPR”) and Personal Information Protection Impact Assessment (“PIPIA”) introduced in China Personal Information Protection Law (“PIPL”). These assessments serve as a critical tool for companies to evaluate the potential impact or risk of their data processing activities on individuals’ privacy and assess the effectiveness of existing safeguards. By conducting DPIAs, companies can identify and mitigate risks, ensuring compliance with regulatory requirements while fostering a culture of data protection and privacy awareness.
Legal requirements for DPIA
Under the provisions of the PDP Law, companies serving as personal data controllers or processors are mandated to conduct DPIAs when processing personal data that poses a high risk to the data subjects. These requirements encompass various scenarios, including:
- Automatic decision making: Situations where automated decisions are made that hold legal consequences or significant impacts for the data subjects.
- Processing of specific personal data: Processing activities involving specific categories of personal data that are deemed sensitive or require heightened protection.
- Large-scale processing: Processing activities involving a large volume of personal data, indicating a potentially heightened risk to data subjects’ privacy.
- Systematic evaluation or monitoring: Processing activities involving systematic evaluation, scoring, or monitoring of data subjects, which may impact their rights or freedoms.
- Data matching: Processing activities involving the matching or combining of different datasets, which may result in increased risks to data subjects’ privacy.
- Use of new technologies: Utilization of emerging technologies in the processing of personal data, which may introduce novel privacy risks or challenges.
- Limitation of data subjects’ rights: Processing activities that restrict or limit the exercise of data subjects’ rights, such as the right to access or rectify their data.
These legal requirements underscore the importance of conducting DPIAs as a proactive measure to identify and mitigate potential risks to data subjects’ privacy arising from data processing activities. By adhering to these provisions, companies can ensure compliance with the PDP Law and uphold the rights and freedoms of Personal Data Subjects.
DPIA process
While the newly enacted PDP Law refrains from delving into the intricate workings of DPIAs, the latest draft Bill of the government regulation on the implementation of the PDP Law imposes a critical obligation on all personal data controllers in Indonesia to meticulously evaluate the impact of personal data protection through DPIA before embarking on any high-risk personal data processing activities.
The DPIA process, as outlined in the draft regulation, encompasses the following key elements:
- Systematic description of processing activities: DPIAs must include a systematic description of the personal data processing activities, outlining the purposes of data processing, including the interests of the Personal Data Controller in such processing.
- Assessment of need and proportionality: Companies must assess the necessity and proportionality between the purposes and activities of personal data processing. This evaluation ensures that data processing activities are aligned with the intended objectives and do not exceed the scope of what is necessary.
- Risk assessment for data subject rights protection: DPIAs should entail a comprehensive risk assessment aimed at protecting the rights of personal data subjects. This assessment involves identifying potential risks associated with data processing activities and evaluating their impact on data subjects’ privacy rights.
- Implementation of protective measures: Personal data controllers are required to implement measures to protect data subjects from the risks associated with data processing activities. These measures may include technical and organizational safeguards aimed at mitigating privacy risks and ensuring compliance with data protection regulations.
Additionally, if a data protection officer (“DPO”) is appointed within the organization, their advice must be considered and documented in the DPIA process. Companies must review the DPIA if there are changes in the risk profile of personal data processing activities.
Furthermore, companies are obligated to document the DPIA along with the protective measures implemented to safeguard data subjects’ rights. In cases where personal data controllers seek guidance or consultation, they may engage with the designated PDP Institution (to be determined by the President) concerning processing activities that may result in material or non-material losses to data subjects and where technical and organizational measures alone may not suffice to minimize such negative impacts.
How can companies conduct a DPIA?
The Indonesian government has yet to set up specific guidelines in Indonesia regarding DPIAs, therefore, companies may adopt a methodology aligned with global best practices, such as those used for the implementation of GDPR, which include the following steps:
- Identify the need for a DPIA: Determine whether the data processing activity meets the criteria that necessitate a DPIA, considering factors such as the nature, scope, and potential risks of the processing.
- Describe the process activities: Provide a detailed description of the data processing activities, including the types of personal data collected, the purposes of the processing, the parties involved, and the intended recipients of the data.
- Consider a consultation: Consult with relevant stakeholders, including data subjects, data protection officers, legal advisors, IT professionals, and business owners, to gather insights and perspectives on the potential privacy risks associated with the processing activities.
- Assess necessity and proportionality: Evaluate the necessity and proportionality of the data processing activities, considering whether they align with the intended objectives and whether they are justified in relation to the risks posed to individuals’ privacy rights.
- Identify and assess risk: Identify potential privacy risks associated with the data processing activities, considering factors such as the sensitivity of the data, the volume of data processed, data sharing arrangements, and the rights of data subjects. Assess the likelihood and severity of each identified risk, considering the potential impact on individuals’ privacy rights and the organization’s ability to mitigate the risk.
- Identify measures to mitigate risks: Develop and propose risk mitigation measures to address the identified privacy risks, including technical, organizational, and procedural controls. Implement measures to minimize or eliminate risks, such as encryption, access controls, data minimization, anonymization, and transparency measures.
- Record outcomes: Obtain sign-off from relevant stakeholders, including senior management, legal counsel, and data protection officers, to endorse the DPIA report and its findings. Record the outcomes of the DPIA process, including the identified risks, risk assessment results, proposed mitigation measures, and any additional recommendations.
After sign-off, integrate the outcomes of the DPIA back into the company’s project plan and keep the DPIA under review. Throughout this process, continue to consult with individuals and stakeholders as needed to ensure ongoing compliance with PDP Law and other prevailing laws and regulations.
The absence of DPIA process guidelines is also allowing companies to tailor their approach to managing risks and projects while adhering to the key elements of DPIAs under the PDP Law. Companies may choose to conduct DPIAs manually using Excel or templates available on the internet, with necessary adjustments to comply with the PDP Law. Alternatively, companies may opt to utilize tools provided by third-party service providers that specialize in personal data protection and are aligned with the PDP Law and other prevailing laws and regulations in Indonesia.
Complying with Indonesia’s Personal Data Protection Law: Essential Steps for Businesses
Webinar | Tuesday, April 30, 2024 / 3:00 PM Jakarta / 4:00 PM China / 10:00 AM CET
Join our upcoming webinar as Hardy Salim, Assistant Manager of the Business Advisory Unit, takes you through an in-depth explanation of Indonesia’s Personal Data Protection law and what steps companies need to undertake to ensure compliance.
By following these steps, companies can effectively conduct DPIAs to identify, assess, and mitigate privacy risks associated with data processing activities, thereby ensuring compliance with data protection regulations and safeguarding individuals’ privacy rights.
About Us
ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.