
Best practices in personal data protection

January 2023

Strictly Private & Confidential


1 Introduction

With you today

Subianto - Broader Assurance Service Leader, PwC Indonesia
Michael Campbell - Partner, PwC UK
Fedelma Good - Director and Co-lead of PwC's Legal Data Protection, PwC UK
Beatrix Ariane - Senior Manager Cybersecurity & Privacy, PwC Indonesia
Radhika Bogahapitiya - Data Protection and Technology Risk Senior Manager, PwC UK

Today’s topics
• Introduction
• Highlights from UU 27/2022 PDP Law
• Lessons learned from GDPR implementation in the payment industry
• Q&A
2 Data privacy principles

Personal data protection landscape

There have been a number of regulations related to personal data protection in Indonesia:

Undang Undang (Law)
• Law No. 27 of 2022 - Personal Data Protection. Ratified in October 2022, with a two-year implementation period.
• Law No. 11 of 2008 as amended by Law No. 19 of 2016 - Electronic Information and Transactions

Peraturan Pemerintah (Government Regulations)
• Government Regulation No. 71 of 2019 - Implementation of Electronic Systems and Transactions
• Government Regulation No. 80 of 2019 - Commerce Activities through Electronic Systems

Peraturan Menteri (Ministerial Regulation)
• Minister of Communication and Informatics Regulation No. 20 of 2016 - Personal Data Protection in Electronic Systems

Peraturan Spesifik Sektor (Sector-specific regulations), example: financial services sector
• Financial Services Authority Regulation No. 6/POJK.07/2022 - Consumer and Community Protection in the Financial Services Sector
• Financial Services Authority Regulation No. 11/POJK.03/2022 - Implementation of Information Technology by Commercial Banks

International laws and frameworks
• EU GDPR (and E-Privacy)
• Fair Information Practice Principles (FIPP)
• Hong Kong’s Personal Data (Privacy) Ordinance
• China’s Personal Information Protection Law
• ISO 27701
• California Consumer Privacy Act
Data privacy - Key concepts

Key concepts

Data privacy laws introduce a number of new terms and concepts which are important for you to familiarise yourself with before continuing.

‘Personal data’ is defined as information that relates to an identifiable person, either directly or indirectly.

‘Data protection authority’ or ‘Authority/Lembaga’ is the national body established which is responsible for upholding the rights of individuals to protect their personal data through enforcement and monitoring of compliance with the local data privacy laws.

A ‘Data Controller’ is defined as any person, public body or international organisation that acts individually or jointly in determining the purpose of data processing and exercising control over data processing activities.

A ‘Data Processor’ is defined as any person, public body or international organisation acting individually or jointly in processing personal data on behalf of the Data Controller.

A ‘Data Subject’ or ‘Individual’ is defined as the person to whom the personal data relates.

A ‘Data Protection Officer (DPO)’ is mandatory for organisations that fulfil one of the following criteria:
- Process personal data for public interests;
- Data controller whose main activities include continuous and systematic monitoring of personal data on a large scale;
- Data controller whose main activities include processing specific personal data or personal data related to criminal data.

Data subject rights

According to UU PDP 2022 art. 5-13, data subjects have the following rights:
• The right to be informed (Art. 5)
• The right to rectification (Art. 6)
• The right of access (Art. 7)
• The right to erasure (Art. 8)
• The right to object (Art. 9)
• Rights in relation to automated decision making and profiling (Art. 10)
• The right to restrict processing (Art. 11)
• The right to claim compensation (Art. 12)
• The right to data portability (Art. 13)
Personal data protection

UU PDP 27/2022 applies to every person, public body and international organisation that carries out legal actions within the jurisdiction of the Republic of Indonesia, or outside it where those actions have legal consequences in Indonesia or for Indonesian citizen data subjects (art. 2).

Maintaining a Personal Data Register

In order to protect personal data, you need to know what data you collect, how you use it, and how you store it. The first step to achieve this is to identify all processing activities in your organisation involving personal data and to document how and why the data is used. This is called the “personal data register” / ROPA (records of processing activities).

What is usually included in the register?
- Legal basis and purpose of the processing of data.
- Different categories of personal data involved.
- Systems and locations where the personal data is processed.
- Where the data is transferred to and the list of recipients.
- Technical security measures in place.
- Data retention.

According to UU PDP article 31, the Data Controller is obliged to maintain records of all personal data processing activities (ROPA).

Data lifecycle
- Collect (information asset): early identification of sensitive data/information
- Store (data at rest): securely store sensitive information
- Process (data in use): protect sensitive data so that it is used as intended
- Transfer (data in motion): ensure sensitive data being shared is protected
- Update (data at rest): provide secure means to update the data
- Destroy (data at rest): ensure that data and its storage are securely destroyed
Common data flow in payment institutions

Personal data maintained & stored: user records; paper documents; manually maintained computer documents; records in application systems and databases.

Business applications and systems: core system; other systems.

Data transfer/sharing to/from third parties. Examples of common payment entities: payment gateway; e-money.

Examples of key business functions with high usage / heavy processing of personal data: customer eChannel / I-net; customer onboarding; marketing / customer analytics; customer service / call centre; operational; finance / reporting.

Examples of common third-party data transfers for e-payments: cross border; card network partners; vendors; business partners; cloud service provider.

Lifecycle stage concerns (Collection, Store, Process, Transfer, Update, Destroy):
1 Data collection concern: excessive collection of data; unlawful collection
2 Data storage and retention concern: insecure storage
3 Data processing concern: no purpose limitation; lack of consent
4 Data access concern: data leak during transit; cross border regulations; third party risk
5 Data update concern: unauthorised update
6 Data destruction concern: no erasure policy
Data Protection Impact Assessment (DPIA)

According to UU PDP article 34, data controllers shall uphold personal data protection principles in personal data processing activities, and where any condition potentially raises the risk to a data subject, data controllers are required to perform a Data Protection Impact Assessment (DPIA).

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a DPIA (“blacklists”) and, in some instances, lists of activities that are not subject to one (“whitelists”) in that country. This is in accordance with Art. 35(4) of the GDPR, which requires supervisory authorities to provide guidance on this matter. However, it is down to organisations to set out their own processes and define how to assess ‘high risk’.

Examples of high risk criteria provided in Art. 35(3) GDPR:
• Systematic and extensive profiling with significant effects
• Large scale use of sensitive data
• Public monitoring

High risk criteria (UU PDP art. 34):
• Automated decision-making
• Specific data processing
• Large scale data processing
• Systematic monitoring
• Data matching
• Innovative technology
• Denial of service

Examples of data privacy risks are identity theft, reputational damage and financial loss.
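As an added example (not part of the PwC deck), the following Python sketch turns the register fields listed under "Maintaining a Personal Data Register" and the art. 34 high risk criteria above into two checks a controller can run over its own ROPA: a completeness check for each processing activity, and a screening that flags the activities for which a DPIA is required. The `RopaEntry` schema, the set of categories treated as "specific" data, the 100,000-subject threshold for "large scale" and the sample register are all assumptions for illustration; the law sets no numeric threshold.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Categories treated as "specific personal data" in this example. The deck only
# names "specific personal data" and criminal data; this set is an assumption.
SPECIFIC_CATEGORIES = {"health", "biometric", "genetic", "criminal_record",
                       "child", "financial"}

# Register fields the deck lists as usually included in a ROPA.
REQUIRED_FIELDS = ("purpose", "legal_basis", "categories", "systems",
                   "recipients", "security_measures", "retention_days")

# Assumed cut-off for "large scale" processing (no number in the law).
LARGE_SCALE_SUBJECTS = 100_000


@dataclass
class RopaEntry:
    """One processing activity in the register (hypothetical schema)."""
    name: str
    purpose: str = ""
    legal_basis: str = ""
    categories: List[str] = field(default_factory=list)
    systems: List[str] = field(default_factory=list)
    recipients: List[str] = field(default_factory=list)
    transfer_countries: List[str] = field(default_factory=list)
    security_measures: List[str] = field(default_factory=list)
    retention_days: int = 0
    data_subjects: int = 0
    automated_decisions: bool = False
    systematic_monitoring: bool = False
    data_matching: bool = False
    innovative_technology: bool = False
    restricts_service: bool = False


def missing_fields(entry: RopaEntry) -> List[str]:
    """Register fields that are empty or zero, in REQUIRED_FIELDS order."""
    return [f for f in REQUIRED_FIELDS if not getattr(entry, f)]


def dpia_triggers(entry: RopaEntry) -> List[str]:
    """Map register fields to the art. 34 high risk criteria the deck lists."""
    triggers = []
    if entry.automated_decisions:
        triggers.append("automated decision-making")
    if set(entry.categories) & SPECIFIC_CATEGORIES:
        triggers.append("specific data processing")
    if entry.data_subjects >= LARGE_SCALE_SUBJECTS:
        triggers.append("large scale data processing")
    if entry.systematic_monitoring:
        triggers.append("systematic monitoring")
    if entry.data_matching:
        triggers.append("data matching")
    if entry.innovative_technology:
        triggers.append("innovative technology")
    if entry.restricts_service:
        triggers.append("denial of service")
    # Transfer-stage concern from the data flow slide: cross-border regulations.
    if entry.transfer_countries:
        triggers.append("cross-border transfer")
    return triggers


def review_register(entries: List[RopaEntry]) -> Dict[str, dict]:
    """Per-activity finding: incomplete fields and whether a DPIA is required."""
    report = {}
    for e in entries:
        triggers = dpia_triggers(e)
        report[e.name] = {"missing": missing_fields(e),
                          "dpia_required": bool(triggers),
                          "triggers": triggers}
    return report


# Constructed sample register (not real client data).
SAMPLE_REGISTER = [
    RopaEntry(name="customer_onboarding",
              purpose="e-KYC identity verification for account opening",
              legal_basis="consent",
              categories=["name", "id_number", "biometric", "financial"],
              systems=["onboarding-app", "core-system"],
              recipients=["cloud service provider"],
              transfer_countries=["SG"],
              security_measures=["TLS", "encryption at rest", "RBAC"],
              retention_days=3650, data_subjects=250_000,
              automated_decisions=True),
    RopaEntry(name="call_centre_notes",
              purpose="customer service case handling",
              categories=["name", "phone", "account_number"],
              systems=["crm"], recipients=["internal"],
              security_measures=["RBAC"], data_subjects=40_000),
]

if __name__ == "__main__":
    for activity, finding in review_register(SAMPLE_REGISTER).items():
        print(activity, finding)
```

Run stand-alone, the onboarding activity is complete but trips four triggers (automated decisions, biometric and financial data, volume, and a transfer abroad), while the call centre activity is not high risk yet is unusable as a register entry because it records no legal basis and no retention period, both of which art. 20 and the storage limitation principle require.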

Personal data processing

Legal basis (PDP Law 2022 art. 20, 25, 26)
1 Explicit consent from the data subject, in the form of electronic or non-electronic documentation, including an agreement clause that sets out the personal data processing request.
  ● Processing children’s data requires consent from the holder of parental responsibility over the child or the guardian.
  ● Processing the data of people with disabilities requires consent from the data subject or the guardian.
2 Fulfilment of a contract
3 Legitimate interest
4 Vital interest
5 Legal requirement
6 Public interest

Principles (PDP Law 2022 art. 16(2))
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Failure to protect (data breaches)

According to PDP Law 2022 art. 46, data breaches need to be reported within 3 x 24 hours in the form of a written notice to the affected data subjects and the authority.

The written notice must at least include the following details:
1. What personal data has been breached?
2. When did the breach occur?
3. How did the breach occur?
4. What remedial actions have been taken?
Authority, prohibition & sanction

Lembaga
The Indonesian government participates in realising the implementation of personal data protection in accordance with the provisions of UU PDP 2022, which is performed by a governmental supervisory body (lembaga).

Article 57
Violations of the provisions of Articles 20-56 (obligations of data controllers and data processors in the processing of personal data; officials who carry out the function of protecting personal data; personal data transfer) are subject to administrative sanctions. These administrative sanctions may be in the form of:
• Written warning
• Temporary suspension of personal data processing activity
• Erasure or destruction of personal data
• An administrative fine

The administrative sanction in the form of an administrative fine is a maximum of 2% of annual income or annual revenue for the violation variable. The administrative fine will be imposed by the supervisory body for personal data protection administration, which is yet to be established.

Articles 65-66
The PDP Law sets out clear prohibitions on the use of personal data.

Article 70
Sanctions for the prohibited actions:
• Financial penalties: individuals may face a fine of up to Rp 6 billion and corporations a fine of up to Rp 60 billion
• Imprisonment: individuals may face up to 6 years of incarceration

For corporations, criminal sanctions may be imposed on members of management (i.e. the board of directors), controllers, those giving orders and beneficial owners (among others).
3 Lessons learned from GDPR implementation in the payment industry

Key lessons learned from the GDPR

Risk based prioritisation
Develop a programme that will help you understand the risks you face, and prioritise and reduce risk in a managed and purposeful way.

Security of payment data
Security was always critical. However, increased scrutiny of security practices drives a new wave of activity.

Clarity of responsibilities across the ecosystem
Understanding the organisation’s role as a data processor or controller is key to agreeing the responsibilities between the various parties in the payments ecosystem. Individuals within participating organisations also need to understand their own responsibilities.

Understanding the risk points within data flows
The data flows within the payment ecosystem can be complex. Understanding these from the outset is critical in defining the governance and control protocols that you need to build for your organisation.

Third party risk management and monitoring
Agreeing responsibilities within contracts will provide some coverage. However, given the reliance on third party providers across the landscape, consideration should be given to third party risk management through monitoring mechanisms.
Things have continued to evolve since GDPR went live in 2018

Multiple stakeholders to be considered: privacy advocates, whistleblowers, government, hackers, regulators, employees, consumers, media, shareholders.

Approx. no. of fines from the regulators since 2018:
2018: 8
2019: 140
2020: 340
2021: 450
2022: 460
2023: 20

What can we learn from the fines?
01 The 80:20 rule applies: the majority of fines are of a lower value, but the big fines hit the headlines.
02 Organisations express greater concern about the reputational damage of a fine than the fine itself.
03 In the UK over 50% of the fines imposed relate to direct marketing violations.
A typical GDPR implementation project lifecycle

Assess current capabilities: risk analysis and data discovery; gap assessment and remediation roadmap
Design the future state: cross-functional oversight and planning; implementation
Operate and sustain: ongoing monitoring

Key programme components
• Strategy & governance
• Privacy by design
• Individual rights processing
• Policy management
• Information security
• Training & awareness
• Cross-border data strategy
• Privacy incident management
• Data lifecycle management
• Data processor / third party accountability
Privacy compliance transformation programme - an example

Client problem:
PwC was brought in to support the client following notification of a local privacy regulation similar to GDPR. The objective was to set up a privacy programme, upskill the local team and support programme implementation. The team undertook a current state gap analysis, after which the implementation roadmap was designed. Our team was involved in all key stages, from gap assessment and planning to implementation. This programme was supported by the local network firm for stakeholder management and delivery.

Key triggers
1 Lack of structured response to privacy requirements
2 Limited privacy controls on data collection and sharing
3 Lack of precedents and limited local regulatory guidance
4 Insufficient monitoring of third parties and contracts
5 Incomplete system inventory and record of processing activities

Key outcomes
• Centralised inventory for management of 600+ third parties
• 40+ Privacy Champions assigned
• Inventory of 3,000+ personal data processes
• 50+ policies and procedures reviewed
• Designed 30+ data management controls
• Risk appetite and KPIs developed for the DPO Office
• Identified 40+ gaps based on data inventory responses
• DPO operating model implemented
• Cross border transfer impact assessments
• Security application assessments

Our learnings
Understand key risks: consider where and what your data privacy risks are and prioritise the actions you need to take.
Mobilise early: start thinking about what a privacy programme could look like for your organisation early.
Build a sustainable programme: consider building sustainable processes, tools and operating structures. Data privacy compliance isn’t a one off.
4 Contact us

PwC
We look forward to working with you

Subianto
Broader Assurance Services Leader, Chief Digital & Technology Officer
E-mail: subianto.subianto@pwc.com

Indra Allen
PwC Legal Partner
E-mail: indra.allen@pwc.com

Andrew Tirtadjaja
Cybersecurity & Privacy Director
E-mail: andrew.tirtadjaja@pwc.com

Jeffry Kusnadi
Cybersecurity and Technology Director
E-mail: jeffry.kusnadi@pwc.com

Hengky Antony
Data Analytics Director
E-mail: henkgy.antony@pwc.com

Beatrix Ariane
Cybersecurity & Privacy Senior Manager
E-mail: beatrix.b.ariane@pwc.com

Roro Astuti
PwC Legal Senior Managing Associate
E-mail: roro.astuti@pwc.com
Thank you
pwc.com/id

This document has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information
contained in the document without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or
completeness of the information contained in this document, and, to the extent permitted by law, PwC Indonesia, its members, employees and agents accept no liability,
and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this document or for
any decision based on it.

The documents, or information obtained from PwC, must not be made available or copied, in whole or in part, to any other persons/parties without our prior written
permission which we may, at our discretion, grant, withhold or grant subject to conditions (including conditions as to legal responsibility or absence thereof).

© 2023 KAP Tanudiredja, Wibisana, Rintis & Rekan. All rights reserved.
PwC refers to the Indonesia member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see
www.pwc.com/structure for further details.
