In 2022, the Government of the Republic of Indonesia ratified Law No. 27 of 2022 on Personal Data Protection (PDP Law). With its enactment, it is crucial for all business operators, especially those that carry out personal data processing activities in Indonesia, to study the PDP Law and prepare to implement the obligations arising from it.
The implications of the PDP Law have given rise to a new profession known as the Data Protection Officer (DPO). The DPO is an official or officer who executes the function of Personal Data Protection. Within an organizational structure, the DPO must work independently to ensure comprehensive performance. It is common for the DPO to be placed directly under the top leadership or directly under the CEO of a company.
Within a company, the DPO’s primary task is to ensure that the processing of customer, employee, third-party, and other entity data complies with data protection regulations. Additionally, the DPO has other duties, such as informing and advising the personal data controller or personal data processor to comply with the provisions of the PDP Law; providing advice on the impact assessment of PDP and monitoring the performance of the personal data controller and personal data processor; and coordinating and acting as a contact point for issues related to personal data processing. The DPO must also ensure the company is protected from the risks of violations and severe sanctions under the PDP Law.
According to the PDP Law, companies are allowed to appoint a DPO from within and/or outside the company, as long as the appointment is based on professionalism, knowledge of the law, practices of Personal Data Protection, and the ability to fulfill the duties of a DPO. A DPO does not necessarily have to hold a law degree; the most important aspect is understanding the law, especially as it relates to PDP. The Indonesian Data Privacy Professional Association (APPDI) offers training for individuals interested in obtaining Data Protection Officer certification.
The PDP Law mandates every company or government institution to appoint a DPO if:
- The entity processes Personal Data for public service purposes;
- The core activities of the Entity are of a nature, scope, and/or purpose that require regular and systematic monitoring of Personal Data on a large scale; and
- The core activities of the Company consist of processing Personal Data on a large scale for specific Personal Data and/or Personal Data related to criminal acts.
In Indonesia, companies that meet these criteria include, for example, those operating in the financial sector, including banking and non-bank financial service institutions. In providing financial services, both banks and non-bank institutions need to request personal data from customers or potential customers for customer due diligence, as required by regulations in their sector.
The financial sector is a vital sector that is vulnerable to leaks of data containing important customer information. This makes the presence of a DPO very important, and the DPO is expected to provide protection for customer personal data. Besides personal information, the financial sector also holds customer financial data, such as account balances, that must be well protected and safeguarded.
Apart from the financial sector, companies operating in the health, e-commerce, and digital sectors also require a DPO. One of the e-commerce companies in Indonesia that has a special Data Protection division is Tokopedia (IDX: GOTO), a marketplace platform used by many Indonesians. Given the scale of transactions facilitated by Tokopedia, and the number of merchants and users registered on it, it can be concluded that personal data protection is one of its priorities, as evidenced by the presence of a DPO in the company.
WIR Group (IDX: WIRG), a digital company operating in metaverse development, and PT DCI Indonesia Tbk. (IDX: DCII) have collaborated to ensure privacy and data security for users entering the metaverse world. This collaboration is a strategic step in the implementation of metaverse technology, which requires the support of a secure, reliable, stable, and zero-downtime data center infrastructure.