In recent years, Indonesia saw a double-extortion ransomware attack on the nation’s central bank, massive data leaks involving the details of 1.3 billion registered mobile phone numbers, 105 million voters, more than 200 million citizens in the Healthcare and Social Security Agency’s database, and a log of President Joko Widodo’s correspondence.

In response, Indonesia’s Parliament passed into law in October 2022 a personal data protection Bill that will impose corporate fines and jail terms of up to six years for those who mishandle data.

What the new PDP Law mean for organizations operating in Indonesia

The Personal Data Protection (PDP) Law has 76 articles across 16 chapters that cover extensively data ownership rights, and prohibitions on data use, along with the collection, storage, processing, and transfer of personal data of Indonesian users.

It also introduces new concepts, including the requirement for both prior and post notifications to the regulator on cross-border personal data transfers. The new law goes further by introducing criminal sanctions for personal data breaches, including fines of up to US$400,000 for individuals and up to $4 million for corporations. Other criminal sanctions include imprisonment of up to six years and seizure of assets and freezing of business activities.

Controllers, processors, and other relevant parties who process personal data have two years to comply with the provisions of the PDP Law.

Data-centric security key to compliance to PDP Law

A data-centric security approach is integral to virtually every worldwide data compliance regulation and standard, and is a foundational best practice. The defining characteristic of data-centric security is that protection is applied to data itself, independent of the data’s location.

Unfortunately, most data security technology focuses on protecting where data is, rather than the data itself — for example, protecting all the data stored on a specific laptop or server, or all the data that crosses a specific network. The problem with this approach is that as soon as data moves somewhere else, another solution is required, or data is left unprotected.

Data-centric security, on the other hand, focuses on what needs to be protected — the files containing sensitive information — and applying the appropriate form of protection no matter where the data happens to be. To be effective, data must be protected automatically; sensitive information should be identified as soon as it enters an organization’s IT ecosystem and should be secured with policy-based protection that lasts throughout the data lifecycle. Data can be exposed to risks both in transit and at rest and requires protection in both states. As such, there are many approaches to protecting data in transit and at rest. Encryption plays a major role in data security and is a popular tool for securing data both in transit and at rest.

For securing data in transit, enterprises often choose to encrypt sensitive data prior to moving it and/or use encryptors to protect the contents of data-in-transit. For protecting data-at-rest, enterprises can simply encrypt sensitive data in files and databases prior to storing them and/or choose to encrypt the storage drive itself.

Once an organization uses encryption technologies to safeguard its data, enterprise security then depends on encryption key and policy management — the ability to generate, distribute, store, rotate, and revoke/destroy cryptographic keys as needed to protect the sensitive information with which they are associated.

Best practice data security solutions using cryptography include strong key management and a separation of duties between the systems applying that data protection and those performing key management. Good key management systems will also provide the ability to leverage a hardware-based root of trust for key creation and storage.

When properly implemented, data-centric security gives the organization complete control over its sensitive data from the moment that each file or database record is created. Access to protected data can be granted or revoked at any time, and all activity is logged for auditing and reporting. To properly execute your data-centric security approach, it’s important to note the encryption and data protection methods that are available, the requirements, the applications or data to be protected, and the reasons for applying the chosen protection method. Choosing a vendor with the broadest solution set available, and one that provides centralized key and policy management, will provide easier deployment and management controls when you grow your installed base.

Tips to get your organization started

Here are some tips on addressing the requirements of the PDP Law of Indonesia:
  • Data Protection

    • Simplify data security, accelerate time to compliance
    • Discover data wherever it resides and classify it
    • Protect sensitive data with encryption or tokenization
    • Control access to the data and centralize key management
  • Access Management and Authentication

    • Enhance security by enforcing multi-factor authentication
    • Provide a wide range of authenticators
    • Simple integration to both legacy and cloud service
    • Access policy control

Organizations can leverage Thales’ suite of identity and data protection solutions available on a single unified platform to become compliant today and stay compliant in the future.