Imagine an e-commerce company losing data on millions of customers because its security systems hadn’t been updated. Beyond the collapse in customer trust, the company now faces lawsuits and fines it can’t easily absorb. This isn’t a hypothetical anymore.
Based on a Surfshark report cited by Databoks (Katadata), Indonesia recorded more than 1 million leaked accounts in Q2 2022 alone — a 143% jump from the previous quarter.
That figure put Indonesia at 3rd place globally for data breaches in Q3 2022.
That’s what pushed the creation of the Personal Data Protection Law (UU PDP) — the first comprehensive legal framework Indonesia has for governing how personal data gets handled.
What Is UU PDP and Why Should Companies Care?
Law No. 27 of 2022 on Personal Data Protection governs how the personal data of Indonesian citizens gets collected, processed, stored, and deleted — by anyone, including private companies.
It applies to every entity that processes the personal data of Indonesian citizens, whether they operate inside or outside the country.
What sets it apart from earlier rules is its scope and legal weight. Before UU PDP, data protection was scattered across more than 30 sectoral regulations that didn’t connect with each other.
Now there’s one clear legal umbrella, with both criminal and civil penalties for violations.
For companies, this isn’t just a legal box to check. Compliance also speaks to reputation, customer trust, and long-term business survival.
Categories of Personal Data That Must Be Protected
Before getting into technical steps, companies need to understand which types of data fall under UU PDP’s scope. Not all data is treated the same — the law divides personal data into two categories with different levels of protection.
General Personal Data
This covers basic, less sensitive information such as:
- Full name
- Gender
- Citizenship
- Religion
- Marital status
- Personal data used in combination to identify someone
A concrete example: customer names and addresses stored in a company’s CRM system fall into this category.
Specific Personal Data
This covers more sensitive information that requires stronger protection, including:
- Health records and medical history
- Biometric data (fingerprints, iris scans, facial recognition)
- Genetic data
- Criminal records
- Personal financial data
- Data of minors
A concrete example: an insurance company that stores the medical records of hundreds of thousands of policyholders must apply layered encryption and restrict access to authorized personnel only. Processing this data without the owner’s explicit consent is a direct violation of UU PDP.
Data Subject Rights That Companies Must Honor
One of the most fundamental shifts UU PDP introduces is putting the individual at the center — as the owner of their own data. For companies, this means actively building systems that let people exercise these rights. Knowing about them on paper isn’t enough.
A company that doesn’t build mechanisms to respond to these requests risks violating UU PDP, even without any bad intent.
Here are the rights that companies need to account for during implementation:
Right to Access Data
Everyone is entitled to know what data a company holds about them. Companies must provide a clear mechanism for customers or employees to access this information easily.
Example: a banking app user has the right to request a full report of what personal data the bank stores about them.
Right to Correct Data
If data is inaccurate or outdated, the data subject can request a correction. Companies must process these requests within a reasonable time.
Example: a customer who has moved to a new address is entitled to have that information updated in the company’s records, and the company can’t refuse without a valid reason.
Right to Delete Data
Data subjects can request deletion of their personal data when it’s no longer needed, was collected without a proper legal basis, or when they’ve withdrawn their original consent.
Example: a former employee is entitled to request deletion of non-operational personal data after the employment relationship ends.
Right to Withdraw Consent
Consent given at the start isn’t permanent. Data subjects can withdraw it at any time, and the company must stop all processing activities that relied on that consent as soon as the request comes in.
What companies need to understand: withdrawal doesn’t apply retroactively. Everything processed before the withdrawal remains legally valid. But from the moment consent is withdrawn, there’s no legal basis left to keep processing on those grounds.
This is a real challenge for companies that don’t have a structured consent management system.
If customer data is spread across multiple systems — a CRM platform, an email marketing system, a third-party database — withdrawing consent in one place doesn’t automatically cascade to the others.
Example: a user withdraws permission for their data to be used for marketing by clicking “unsubscribe” on an email. The company can’t just stop sending promotional emails. It must also remove the user’s data from every distribution list, including those managed by third-party email marketing vendors.
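The cascade described above, as an added example that is not part of the original article: a small consent registry (hypothetical `ConsentRegistry` API, constructed system names and dates) that records every downstream system the data was shared with, fans a withdrawal out to all of them, and keeps processing that happened before the withdrawal lawful while refusing anything after it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    shared_with: set = field(default_factory=set)  # CRM, email vendor, ... that hold the data


class ConsentRegistry:
    """Hypothetical consent store keyed by (subject_id, purpose); not the article's own tool."""

    def __init__(self):
        self._records = {}

    def record_consent(self, subject_id, purpose, given_at):
        self._records[(subject_id, purpose)] = ConsentRecord(given_at)

    def share(self, subject_id, purpose, system):
        """Register a downstream system that received the data; refused once consent is gone."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            raise PermissionError(f"no legal basis to share {subject_id!r} for {purpose!r}")
        rec.shared_with.add(system)

    def withdraw(self, subject_id, purpose, at):
        """Mark consent withdrawn and return every system that must now purge the data."""
        rec = self._records[(subject_id, purpose)]
        rec.withdrawn_at = at
        return sorted(rec.shared_with)

    def can_process(self, subject_id, purpose, at):
        """Lawful only inside [given_at, withdrawn_at): earlier processing stays valid."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or at < rec.given_at:
            return False
        return rec.withdrawn_at is None or at < rec.withdrawn_at


def unsubscribe_demo():
    """Constructed scenario from the article: an 'unsubscribe' must reach every list."""
    jan, feb, mar = (datetime(2024, m, 1, tzinfo=timezone.utc) for m in (1, 2, 3))
    reg = ConsentRegistry()
    reg.record_consent("cust-42", "marketing", jan)
    reg.share("cust-42", "marketing", "crm")
    reg.share("cust-42", "marketing", "email-vendor")
    purge_targets = reg.withdraw("cust-42", "marketing", mar)  # feed this to the purge job
    feb_ok = reg.can_process("cust-42", "marketing", feb)
    mar_ok = reg.can_process("cust-42", "marketing", mar)
    return purge_targets, feb_ok, mar_ok
```

The list returned by `withdraw` is the work queue for the purge job; a third-party vendor in that list still needs a contractual deletion confirmation, which this in-memory registry cannot check for you.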
Right to Data Portability
Data subjects are entitled to receive a copy of their personal data in a structured, machine-readable format so they can transfer it to another service provider. The principle behind this right is that no one should be “locked in” to a platform just because their data is stored there.
For companies, this means building an accessible data export mechanism — not just the data visible in the user interface, but everything collected and processed on behalf of that individual.
The sectors most affected by this right are fintech, digital health platforms, and subscription-based services that run on user data.
Example: a digital wallet user is entitled to request their full transaction history in a file format that can be opened on another financial platform. Companies must provide this capability — showing data within their own app isn’t enough.
What UU PDP Actually Requires of Companies
Understanding data subject rights is one part of the picture. Companies also need to know what UU PDP specifically demands from them as data controllers. These obligations apply to businesses of all sizes — startups and large corporations alike — as long as they process personal data of Indonesian citizens.
Obtaining Lawful Consent
Before collecting data, companies must obtain clear, voluntary, and informed consent from the data owner. Consent forms using technical jargon, or buried deep in lengthy terms and conditions, don’t meet this standard.
Example: a mobile app requesting access to contacts, location, and camera must explain specifically what each permission is used for — a generic blanket statement doesn’t cut it.
Implementing Data Security
Companies must apply both technical and administrative measures to protect data from unauthorized access, leaks, or misuse. This includes encryption, multi-layer authentication systems, and role-based access controls.
Example: customer data stored in a database can’t be accessible to every employee. Only the teams that actually need it to do their jobs should have access.
Reporting Data Breaches
If a data breach or incident occurs, companies must report it to the relevant authority and notify affected data subjects within 14 working days of discovering the incident.
Example: if a company’s database is hacked and customer data leaks, the company can’t cover it up. This notification obligation has no exceptions.
Appointing a Data Protection Officer (DPO)
Companies that process data at scale or handle sensitive data must appoint a Data Protection Officer. The DPO is responsible for ensuring UU PDP compliance, acting as the point of contact with authorities, and handling inquiries from data subjects.
Example: an insurance company storing health data on hundreds of thousands of policyholders must have a DPO with genuine expertise in data law and information security.
The Real Challenges of Implementing UU PDP
Knowing what’s required is one thing. Actually doing it is a different problem entirely — and that’s where many companies get stuck, especially those dealing with data protection regulations for the first time.
Some of the most common obstacles companies run into during implementation:
Lack of Internal Understanding
Many teams across the company — from HR to marketing — don’t realize that their everyday work already involves processing personal data that UU PDP covers. They don’t know what’s allowed and what isn’t.
Example: a marketing team that buys a contact list from a third party for an email blast, without verifying whether those contacts gave lawful consent, has already violated a core principle of UU PDP.
No Clear Data Inventory
Many companies don’t have a data map showing what data they collect, where it’s stored, and who can access it. Without this inventory, measuring risk is nearly impossible — let alone starting compliance work.
Example: a retail company using a dozen different systems (POS, CRM, loyalty apps, e-commerce platforms) often has no idea that the same customer data is scattered and duplicated across multiple places.
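A first cut at the data map this section calls for, as an added example (not from the article): it takes records from several systems, lists the fields each system holds sorted into the law's general and specific tiers, and finds the same person stored in more than one place. The field classification, the four system names and the sample records are all constructed assumptions for the example.

```python
import re

# Assumed mapping of field names onto the article's two tiers (constructed for this example).
SPECIFIC_FIELDS = {"card_token", "bank_account", "medical_notes", "fingerprint_hash"}
GENERAL_FIELDS = {"full_name", "gender", "address", "phone", "email", "citizenship"}


def normalize_phone(raw):
    """Digits only; Indonesian national prefix 0 becomes country code 62 so 0812... matches +62 812..."""
    digits = re.sub(r"\D", "", raw)
    return "62" + digits[1:] if digits.startswith("0") else digits


def subject_keys(record):
    """Identifiers a record can be joined on: lower-cased email and normalized phone."""
    keys = []
    if record.get("email"):
        keys.append("email:" + record["email"].strip().lower())
    if record.get("phone"):
        keys.append("phone:" + normalize_phone(record["phone"]))
    return keys


def build_data_map(systems):
    """Return (fields held per system, by tier) and (identifier -> systems) for people stored in more than one."""
    inventory, presence = {}, {}
    for system, records in systems.items():
        fields = set().union(*(r.keys() for r in records))
        inventory[system] = {
            "specific": sorted(fields & SPECIFIC_FIELDS),
            "general": sorted(fields & GENERAL_FIELDS),
            "unclassified": sorted(fields - SPECIFIC_FIELDS - GENERAL_FIELDS),  # needs a human decision
        }
        for record in records:
            for key in subject_keys(record):
                presence.setdefault(key, set()).add(system)
    duplicated = {key: sorted(s) for key, s in presence.items() if len(s) > 1}
    return inventory, duplicated


# Constructed sample: one retail customer appearing under different spellings and formats.
SAMPLE_SYSTEMS = {
    "pos": [{"full_name": "Budi S.", "phone": "0812-3456-7890", "card_token": "tok_7f3a"}],
    "crm": [{"full_name": "Budi Santoso", "email": "Budi@Example.com", "address": "Jl. Sudirman 1"}],
    "loyalty": [{"email": "budi@example.com", "gender": "M", "points": 120}],
    "ecommerce": [{"email": "budi@example.com", "phone": "+62 812-3456-7890", "bank_account": "0123456789"}],
}
```

Fields that land in `unclassified` are the ones the compliance team has to decide on; the duplicated identifiers show which systems a deletion or correction request must reach.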
Limited Resources
Not all companies — especially small and medium-sized businesses — have the budget and expertise to build a compliance infrastructure from scratch. Appointing a DPO, conducting a data audit, upgrading security systems, and revising contracts all take time and money.
Example: a 15-person startup may not have a dedicated legal or IT security team. But they’re still obligated to comply with UU PDP if their service collects user data — even something as basic as a name and phone number for account registration.
Technical Ambiguity in the Regulations
Some provisions in UU PDP still need more detailed implementing regulations. This creates gray areas for companies that want to comply but aren’t sure where the minimum standard actually sits.
Legal Penalties for Non-Compliant Companies
Failing to comply with UU PDP isn’t just a reputational risk. There are concrete legal consequences that can directly affect business continuity. Based on provisions summarized by Hukumonline and Indonesia.go.id, UU PDP sets out two main categories of sanctions:
Administrative Sanctions, which include written warnings, temporary suspension of data processing activities, deletion or destruction of personal data, and administrative fines of up to 2% of annual company revenue (Article 57 of UU PDP).
For a company with annual revenue of Rp1 trillion, that figure can reach Rp20 billion from a single violation.
Criminal Sanctions, which apply to serious violations such as:
- Obtaining or collecting personal data through unlawful means (up to 5 years in prison or fines up to Rp5 billion)
- Disclosing and using personal data that doesn’t belong to the perpetrator (up to 4 years in prison or fines up to Rp4 billion)
When a violation is committed by a corporation, Article 70 of UU PDP allows fines to be multiplied up to 10 times the amount imposed on an individual. This isn’t just a threat on paper.
The first criminal conviction under UU PDP has already been handed down — by the Karanganyar District Court, where two defendants received 1.5-year prison sentences for violating Article 67 of UU PDP related to using personal data without authorization.
Where to Start: A Practical Implementation Approach
It doesn’t need to be perfect from day one. What matters is starting with a structured, measurable approach. Below is a step-by-step method that businesses of any size can adapt:
- Conduct a Data Audit (Data Mapping): Identify all personal data being collected — where it’s stored, who can access it, and what it’s used for. This is the foundation of any compliance program.
- Review the Legal Basis for Processing: Make sure every data processing activity has a lawful basis, whether that’s consent, contract performance, legal obligation, or legitimate interest.
- Update Your Privacy Policy: The privacy policy must reflect actual company practices, written in plain language, and easy for customers to find and read.
- Train All Employees: Compliance isn’t just the IT or legal team’s job. Every employee who touches personal data needs to understand their basic obligations.
- Build an Incident Response Mechanism: Have a clear procedure ready for when a data breach happens — who’s responsible, what steps to take, and how notifications get sent.
- Appoint or Consult a DPO: Whether internal or external, having someone who deeply understands this regulation will make the compliance process significantly more manageable.
Conclusion
Implementing UU PDP is no longer optional. It’s a legal obligation with real consequences.
Understanding which data categories are covered, respecting data subject rights, meeting the obligations of a data controller, and building a solid incident response system — these aren’t things companies can keep putting off.
The challenges are real, from resource limits to regulatory complexity. But companies that move early gain a competitive edge in customer trust and audit readiness.
If your company is starting this compliance process and needs structured guidance, Adaptist PRIVE from Accelist Adaptist Consulting is a UU PDP consulting and implementation solution designed specifically for the needs of businesses in Indonesia.
From data mapping, drafting privacy policies, and employee training to supporting the appointment of a DPO — Adaptist PRIVE helps your company become compliant without having to navigate the regulatory complexity alone.
Ready to Manage Privacy Compliance as a Business Risk?
See how GRC helps map personal data risks, monitor compliance with the PDP Law, and prepare companies for audits without complicated manual processes.
FAQ
PDP Law implementation is the process of applying personal data protection requirements to ensure an organization complies with Indonesia’s Law No. 27 of 2022 on Personal Data Protection.
Yes. Any organization that collects, processes, stores, or manages the personal data of Indonesian citizens must comply with the PDP Law, regardless of its size or industry.
A DPO is generally required when a company processes personal data on a large scale or handles sensitive personal data, such as health, biometric, or financial information.