Exploring Indonesia’s Personal Data Processing Practices: A Comprehensive Overview

Written by Hardy Salim

Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) marked a pivotal moment in Indonesia’s commitment to transparency and accountability in the handling of personal data by organizations or companies. Enacted to safeguard the rights of individuals, especially concerning personal data processing activities, the PDP Law embodies the principles of responsible data management.

Under the PDP Law, personal data processing activities must adhere to stringent standards, ensuring they are conducted in a specific, legally valid, and transparent manner. The enactment of this law serves as a shield, safeguarding the privacy and rights of individuals in the digital age.

One of the cornerstones of transparency within the PDP Law is the requirement for personal data controllers to maintain a comprehensive Record of Processing Activities (“ROPA”). This obligation, akin to the provisions of the European Union’s 2018 General Data Protection Regulation (“GDPR”), underlines the importance of documenting every step of the personal data processing journey.

Understanding ROPA

The essence of the ROPA mirrors its counterpart under the GDPR, serving as a crucial tool for demonstrating compliance with applicable privacy laws. Essentially, ROPA acts as a detailed log or audit trail, providing authorities with a transparent view of how an organization manages the processing of personal data. In the event of non-compliance, the consequences can be severe, as supervisory authorities possess the power to levy substantial fines. Under the GDPR, these fines can amount to €20 million or approximately US$20.3 million, highlighting the gravity of maintaining accurate and up-to-date ROPA documentation.

Like its application under the GDPR, ROPA under the PDP Law functions as an inventory and mapping of data flows stemming from the processing of personal data. It serves as a fundamental accountability measure for organizations, laying the groundwork for compliance with Indonesia’s data protection regulations. Non-compliance with this obligation under the PDP Law may result in the imposition of various administrative sanctions, including administrative fines with a maximum amount of two percent of the annual revenue of the companies.

However, unlike the GDPR’s stipulation that ROPA obligations apply only to enterprises or organizations with more than 250 employees (or fewer, subject to certain conditions), the PDP Law mandates all personal data controllers and processors to uphold this obligation. This broad applicability underscores the Indonesian government’s commitment to fostering a culture of transparency and accountability in personal data processing activities across companies or organizations of all sizes.

Components of ROPA

While the PDP Law does not specify the mandatory components of ROPA conducted by personal data controllers, the Indonesian government is set to outline these obligations further in its government regulation. According to the latest draft bill of the government regulation on the implementation of the PDP Law, the Indonesian government delineates the mandatory components of ROPA between those conducted by personal data controllers and those conducted by personal data processors.

According to the latest draft Bill, ROPA conducted by personal data controllers shall include, but not be limited to:

  1. Name and contact details of the personal data controller, joint personal data controller, and/or personal data processor;
  2. Contact of the personal data protection officer;
  3. Source of collection and purpose of sending personal data;
  4. Basis for processing personal data;
  5. Purposes of processing personal data;
  6. Type of personal data;
  7. Categories of personal data subjects;
  8. Parties other than the personal data controller who can access personal data;
  9. Fulfillment of the rights of personal data subjects;
  10. Mapping the flow of personal data;
  11. Retention period; and
  12. Technical and organizational steps to secure personal data.

Additionally, personal data processors appointed by personal data controllers are also required to conduct ROPA, which shall include, but not be limited to:

  1. Name and contact of the personal data processor;
  2. Scope of personal data processing activities;
  3. Details of personal data transfer; and
  4. General description of organizational and technical measures to safeguard personal data.

It is noteworthy that the mandatory components of ROPA are based on the latest draft Bill of the government regulation, which has not been enacted yet and therefore lacks legal enforcement. However, considering that the obligations in maintaining ROPA are already outlined under the PDP Law, companies should make their best effort to prepare the ROPA based on the latest draft Bill. This will help them avoid any imposition of administrative sanctions due to the absence of ROPA conducted by personal data controllers.

Documentation of ROPA

The outcomes of ROPA must be meticulously documented, whether in electronic or hard-copy format, and should be regularly updated to reflect any changes in the mandatory components outlined by the government. Personal data controllers are mandated to maintain records of ROPA results, including any subsequent amendments, in strict adherence to statutory regulations. Upon request by the PDP Institution, personal data controllers are obligated to furnish the documents stemming from the results of ROPA. Additionally, where personal data controllers appoint personal data processors for personal data processing activities, the personal data processor shall provide the information and documentation that the personal data controllers require for audit and supervisory purposes.

Furthermore, personal data subjects retain the right to access and obtain a copy of their data, along with a comprehensive record of the processing activities involving their data, as stipulated by statutory provisions. In this regard, companies must be prepared to provide the necessary access to processed personal data and the record of processing activities within a timeframe of 3 x 24 hours from the date of request by the personal data subjects. This timely provision of information is essential to uphold individuals’ rights and ensure transparency in personal data processing practices.

How companies conduct ROPA

The Indonesian government does not provide specific guidelines or a step-by-step process for companies to conduct a ROPA. Moreover, there are no prescribed templates for personal data controllers to follow in conducting their ROPA. Consequently, companies have the flexibility to adopt any method they deem appropriate and align their methodology with global best practices, such as those outlined in the GDPR, which typically involve the following steps:

  1. Identification of data processing activities: Initially, companies need to identify all data processing activities occurring within the organization. This entails comprehending the types of personal data being collected, the purpose of collection, the involved parties, and the methods of processing.
  2. Documentation of data flows: Subsequently, once the data processing activities are identified, companies must document the flow of personal data across the organization. This includes mapping out the collection points, storage locations, transfer mechanisms, and processing methods, as well as the involvement of any third parties. Additionally, companies must compile the mandatory components of ROPA to comply with the PDP Law. Utilizing a ROPA template or specialized software can aid in organizing this information efficiently.
  3. Maintenance and updating: It is imperative for companies to regularly maintain and update ROPA documentation to reflect changes in data processing activities and regulatory obligations. This ensures that the ROPA remains accurate and up-to-date over time.
  4. Storage and accessibility: ROPA documentation should be securely stored, whether in electronic or physical form, to prevent unauthorized access or tampering. Furthermore, it should be easily accessible to relevant stakeholders, such as data protection officers and regulatory authorities, including the PDP Institution. In cases where companies engage third-party personal data processors, close collaboration is necessary to ensure that ROPA documentation accurately reflects the activities conducted by those processors. This may involve exchanging information and documentation for auditing and supervisory purposes.

The absence of specific ROPA guidelines enables companies to tailor their approach to risk management and project implementation while adhering to the mandatory components of ROPA under the PDP Law. Companies may choose to conduct ROPA manually using tools like Excel or templates available online, making the adjustments necessary to comply with the PDP Law. Alternatively, they may opt for tools provided by third-party service providers specializing in personal data protection and aligned with the PDP Law and other relevant regulations in Indonesia. Such tools can facilitate effective and efficient ROPA implementation, supporting compliance with the PDP Law.

About Us

ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.