(Data Privacy)
rudy_b@telkom.co.id
Dept IA Telkom
Industry 4.0
Today’s telcos are entering the most preferable playground, a near fit with
their capabilities…
Indonesia Internet Users 2019-2020 (Q2)
“Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to
privacy with respect to the processing of personal data.”
(European Union (EU) Directive, 1995)
“The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of
personal information.”
(The American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA), 2009)
“Personal Data is certain individual data that is stored, maintained, and kept accurate, and whose
confidentiality is protected.”
(Permen Kominfo No 20 Thn 2016, on the Protection of Personal Data in Electronic Systems)
“that the protection of personal data is one of the human rights that forms part of the protection of the
individual, [and] a strong legal basis needs to be provided to ensure the security of personal data, based on the
1945 Constitution of the Republic of Indonesia”
(Rancangan UU PDP (Perlindungan Data Pribadi), the Draft Personal Data Protection Law of the Republic of Indonesia)
Privacy Risks
Privacy is a risk management issue for businesses, governments, and nonprofit organizations.
Consumers and citizens are concerned with how organizations use their personal information. Failure of
management and data controllers to address the protection of personal information presents numerous risks
to the organization, including:
When evaluating an organization’s privacy framework, the internal audit activity can contribute to good governance
and risk management by assessing the adequacy of management’s identification of risks related to its privacy
objectives and the adequacy of the controls established to mitigate those risks to an acceptable level.
In today’s business context, privacy often refers to the personal information about an
individual and the individual’s ability to:
Personal information is data that can be linked to or used to identify an individual either
directly or indirectly.
Sample Case: External
Screenshot of the Raid Forums marketplace, where one of its members was selling a dataset claimed to
belong to 279 million Indonesian citizens. (Source: Raid Forums)
Sample Case: Internal
Sample Case: Example Findings from the PKAT iSec Audit
Sample Case: Potential Risk Personal Data Leak
Check Your E-Mail
https://www.periksadata.com/ https://www.avast.com/hackcheck
Regulations
Draft Law (RUU)
Consideration
Privacy protection can be considered a process of establishing an appropriate balance between privacy and
multiple competing interests.
To minimize intrusiveness, maximize fairness, and create legitimate, enforceable expectations of privacy, the set
of principles governing the processing involved includes a blend of substantive concepts, such as data quality,
integrity, and limitation of use, and procedural principles, such as consent and access rights.
1. Data subject — Individual whose personal information is collected, used, disclosed, retained, and
disposed of.
2. Data controller — Organization that controls access to and processing of personal information.
3. Privacy officer — An organization’s privacy oversight, monitoring, and contact function.
4. Privacy commissioner — A governmental oversight authority.
5. Service providers — Circumstances where third parties are involved in processing personal
information.
Typical areas that internal audit may review when auditing privacy include:
1. Governance/management oversight.
2. Privacy policies and controls.
3. Applicable privacy notices.
4. Types and appropriateness of information collected.
5. Systems that process, store, and transmit personal information.
6. Collection methodologies.
7. Consent and opt-in/opt-out management.
8. Uses of personal information for compliance with stated intent, applicable laws, and
other regulations.
9. Security practices, operations, and technical controls in place to protect personal
information.
10. Retention and disposal practices of personal information.
Source: IIA PG Auditing Privacy Risks, 2nd edition, Jul 2012
Audit Program Example
Privacy Management
Risk: The organization has not conducted formal privacy policy, privacy awareness, data handling, or
information security training.
Risk: The organization is not adequately protecting the personal information it collects, uses, retains, discloses,
and disposes of.
Risk: The organization has not implemented access management for data in transit and data at rest.
Risk: The organization has not established incident management for data privacy breaches.