In the rapidly advancing digital era, Personal Data Protection (PDP) has become crucial. The prevalence of data leak and personal data theft cases affecting various industries in Indonesia shows the need for enhanced personal data protection across sectors. The suboptimal governance and management of PDP have prompted the government to enact Law No. 27 of 2022 on Personal Data Protection (PDP Law).
Generally, the primary purpose of the PDP Law is to provide adequate protection for individuals against unauthorized use, unwanted disclosure, or misuse of their personal data. Enacted on 17 October 2022, the PDP Law states that personal data is data about an individual who is identified or can be identified, either alone or in combination with other information, directly or indirectly through electronic or non-electronic systems.
Protection of personal data according to Article 1 paragraph 2 of the PDP Law is all efforts made to protect individuals’ personal data in the processing or management of personal data to guarantee the constitutional rights of Personal Data Subjects.
Individuals need to understand that personal data is not just a full name, date of birth, or phone number. Articles 4 and 5 of the PDP Law classify personal data into two types, namely specific personal data and general personal data.
Specific Personal Data includes: a) health data and information; b) biometric data; c) genetic data; d) criminal records; e) child data; f) personal disability data; and/or g) other data according to regulatory provisions. Meanwhile, General Personal Data includes: a) full name; b) gender; c) nationality; d) religion; e) marital status; and/or f) personal data combined to identify an individual.
The PDP Law does not provide a definition of Data Protection Officer (DPO), but generally this term refers to an individual or position within an organization responsible for managing personal data protection policies, ensuring compliance with privacy laws, and addressing data privacy issues. This role can be found in the fourth part, which mentions the DPO as the Officer or Official Executing the Function of Personal Data Protection.
The DPO is a relatively new profession in the digital world, and it plays a very important role in personal data protection amid the rapidly growing digital economy. With the enactment of the PDP Law, the DPO profession becomes mandatory as the executor of the personal data protection function. Under Article 54 of the PDP Law, the functions of the DPO include at least the following:
- Informing and advising the Personal Data Controller or Personal Data Processor to comply with the provisions of this Law.
- Monitoring and ensuring compliance with this Law and the policies of the Personal Data Controller or Personal Data Processor.
- Providing advice regarding the impact assessment of Personal Data Protection and monitoring the performance of the Personal Data Controller and Personal Data Processor; and
- Coordinating and acting as a point of contact for issues related to Personal Data processing.
In performing these duties, the officer or official executing the personal data protection function takes into account the risks related to personal data processing, having regard to the nature, scope, context, and purposes of the processing in question. The role of the DPO will be further regulated in Government Regulations as derivatives of the PDP Law. The Directorate General of Informatics Applications, Ministry of Communication and Informatics, is accelerating the creation of a certification for Personal Data Protection Officer (PPDP) or Data Protection Officer (DPO).