Personal data protection
January 2023

Today's topics
• Introduction
• Highlights from UU 27/2022 PDP Law
• Lessons learned from GDPR implementation in payment industry
• Q&A
2 Data privacy principles
Personal data protection landscape

There have been a number of regulations related to Personal Data Protection in Indonesia:

Undang Undang (Law)
• Law No. 27 of 2022, Personal Data Protection. Ratified in October 2022. Two years of implementation.
• Law No. 11 of 2008 as amended by Law No. 19 of 2016, Electronic Information and Transaction

Peraturan Pemerintah (Government Regulations)
• Government Regulation No. 71 of 2019, Implementation of Electronic System and Transaction
• Government Regulation No. 80 of 2019, Commerce Activities through Electronic System

Peraturan Menteri
• Minister of Communication and Informatics Regulation No. 20 of 2016, Personal Data Protection in Electronic System

Peraturan Spesifik Sektor (Example: Financial Services Sector)
• Financial Services Authority Regulation No. 6/POJK.07/2022, Consumer and Community Protection in Financial Services Sector
• Financial Services Authority Regulation No. 11/POJK.03/2022, Implementation of Information Technology by Commercial Banks

International laws and frameworks
• Fair Information Practice Principles (FFIP)
• EU GDPR (and E-Privacy)
• Hong Kong's Personal Data (Privacy) Ordinance
• China's Personal Information Protection Law
• ISO 27701
• California Consumer Privacy Act
Data privacy - Key concepts

Key concepts
Data privacy laws introduce a number of new terms and concepts which are important for you to familiarise yourself with, before continuing.

'Personal data' is defined as information that relates to an identifiable person, either directly or indirectly.

'Data protection authority' or 'Authority/Lembaga' is the national body established which is responsible for upholding the rights of individuals to protect their personal data through the enforcement and monitoring of compliance with the local data privacy laws.

A 'Data Controller' is defined as any person, public body, and international organisation that acts individually or jointly in determining the purpose of data processing and performing control over data processing activities.

A 'Data Processor' is defined as any person, public body, and international organisation acting individually or jointly in processing personal data on behalf of the Data Controller.

A 'Data Subject' or 'Individual' is defined as the person to whom the personal data relates.

Data subject rights
According to UU PDP 2022 art.5-13, data subjects have the following rights:
• The right to be informed (Art. 5)
• The right to rectification (Art. 6)
• The right of access (Art. 7)
• The right to erasure (Art. 8)
• The right to restrict processing (Art. 11)
• Rights in relation to automated decision making and profiling (Art. 10)
• The right to object
• The right to claim compensation
Art. 13
Personal data protection

UU PDP 27/2022 applies to every person, public body, and international organisation that carries out legal actions in the jurisdiction of the Republic of Indonesia, or outside the jurisdiction of the Republic of Indonesia where those actions have legal consequences in Indonesia or for Indonesian citizen data subjects (art. 2).
Common data flow in payment institutions

Personal data maintained and stored: the data subject (Personal Data Front) provides user records, which are kept as paper documents, manually maintained computer documents, and records in application systems and databases. These are the common places personal data is maintained and stored in payment entities.

Examples of key business functions with high usage/heavy processing of personal data:
• Customer eChannel
• Marketing / Customer analytics
• Customer onboarding
• Customer service / call centre
• Operational
• Finance / Reporting

Examples of common 3rd party data transfer for e-payments:
• Cross Border I-net
• Card Network Partners
• Vendor
• Business partners
• Cloud service provider

Concerns at each stage of the data lifecycle:
1 Data collection concern: excessive collection; unlawful collection
2 Data storage and retention concern: insecure storage of data; lack of consent
3 Data processing concern: no purpose limitation
4 Data access concern: data leak during transit; cross border regulations; third party risk
5 Data update concern: unauthorised update
6 Data destruction concern: no erasure policy
Data Protection Impact Assessment (DPIA)

According to UU PDP article 34, data controllers shall uphold personal data protection principles in personal data processing activities, and should any condition potentially raise the risk towards a data subject, data controllers are required to perform a Data Protection Impact Assessment (DPIA).

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a DPIA ("blacklists") and, in some instances, lists of activities that are not subject to one ("whitelists") in that country. This is in accordance with Art 35(4) of the GDPR, which requires supervisory authorities to provide guidance on this matter. However, it is down to organisations to set out their own processes and define how to assess 'high risk'.

Categories of processing typically found on such lists:
• Automated decision-making
• Specific data processing
• Large scale data processing
• Systematic monitoring

Examples of data privacy risks are identity theft, reputational damage, and financial loss.
Personal data processing

Legal Basis (PDP Law 2022 art.20,25,26)
2 Fulfillment of a contract
3 Legitimate Interest
4 Vital Interest

Principles (PDP Law 2022 art.16 (2))

Failure to Protect (Data Breaches)
According to PDP Law 2022 art 46, data breaches need to be reported within 3 x 24 hours in the form of a written notice to the related data subjects and the authority. The written notice must at least include the following details of:
Authority, prohibition & sanction

Lembaga (Article 57)
The Indonesian government participates in realising the implementation of personal data protection in accordance with the provisions of RUU PDP 2022, which is performed by a governmental supervisory body (lembaga).

Prohibition & sanction (Article 65 - 66, Article 70)
The PDP Law sets out clear prohibitions on the use of personal data.
3 Lessons learned from GDPR Implementation in Payment Industry

Key lessons learned from the GDPR

Risk based prioritisation
Develop a programme that will help you understand the risks you face, and prioritise and reduce risk in a managed and purposeful way.

Third party risk management and monitoring
Agreeing responsibilities within contracts will provide some coverage. However, given the reliance on third party providers across the landscape, consideration should be given to third party risk management through monitoring mechanisms.
Things have continued to evolve since GDPR went live in 2018

Multiple stakeholders to be considered: Privacy Advocates, Whistleblowers, Government, Hacker, Regulators, Employees, Consumers, Media, Shareholders.

Approx. no. of fines since 2018 from the regulators:
• 2018: 8
• 2019: 140
• 2020: 340
• 2021: 450
• 2022: 460
• 2023: 20

What can we learn from the fines?
01 The 80:20 rule applies - the majority of fines are of a lower value but the big fines hit the headlines.
02 Organisations express greater concern about the reputational damage of a fine than the fine itself.
03 In the UK over 50% of the fines imposed relate to direct marketing violations.
A typical GDPR implementation project lifecycle

Phases: Assess current capabilities; Design the future state; Operate and sustain.

Stages: Risk analysis and data discovery; Gap assessment and remediation roadmap; Cross-functional oversight and planning; Implementation; Ongoing monitoring.
Privacy compliance transformation programme - an example

Client Problem:
PwC was brought in to support the client post notification of a local privacy regulation similar to GDPR. The objective was to set up a privacy programme, upskill the local team and support with programme implementation. The team undertook a current state gap analysis, after which the implementation roadmap was designed. Our team was involved in all key stages from gap assessment and planning to implementation. This programme was supported by a local network firm for stakeholder management and delivery.

• Incomplete system inventory and record of processing activities
• Cross border transfer impact assessments
• Security application assessments

Our Learnings
• Understand key risks - Consider where and what your data privacy risks are and prioritise the actions you need to take.
• Mobilise early - Start thinking about what a privacy programme could look like for your organisation early.
• Build a sustainable programme - Consider building sustainable processes, tools and operating structures. Data privacy compliance isn't a one off.
4 Contact us

We look forward to working with you

• Subianto, Broader Assurance Services Leader, Chief Digital & Technology Officer
• Indra Allen, PwC Legal Partner
• Andrew Tirtadjaja, Cybersecurity & Privacy Director, E-mail: andrew.tirtadjaja@pwc.com
• Jeffry Kusnadi, Cybersecurity and Technology Director, E-mail: jeffry.kusnadi@pwc.com
• Roro Astuti, PwC Legal Senior Managing Associate, E-mail: roro.astuti@pwc.com
Thank you
pwc.com/id
© 2023 KAP Tanudiredja, Wibisana, Rintis & Rekan. All rights reserved.
PwC refers to the Indonesia member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see
www.pwc.com/structure for further details.