Indonesia’s Personal Data Protection Law has been enacted to safeguard the personal information of Indonesian citizens and prevent data breaches. The law imposes significant obligations on companies that collect, process, store, or transmit personal data. This post looks at the technical implications of the law for companies operating in or with Indonesia and suggests ways to improve data security.
Key Takeaways of the Indonesia Personal Data Protection Law
The Personal Data Protection Law in Indonesia has several important provisions, including:
- Companies must obtain consent from individuals before collecting and processing their personal data.
- Personal data must be processed lawfully and for a specific purpose.
- Companies must notify individuals of any data breaches that could harm them.
- Individuals have the right to request that their data be deleted or corrected.
- Companies must appoint a data protection officer to oversee compliance with the law.
- Breaches of the data protection principles are punishable by a fine of up to MYR 300,000, up to 2% of a company’s revenues, and/or up to two years imprisonment.
Scope of the Law
The law applies to any company that collects, processes, stores, or transmits personal data of Indonesian citizens, regardless of the organization’s location.
Impact on Companies Working in or with Indonesia
Companies that collect, process, store, or transmit personal data of Indonesian citizens must comply with the law, regardless of their location.
Non-compliance with the Personal Data Protection Law can result in significant legal and reputational consequences. Companies that experience data breaches or leaks can face significant reputational damage, in addition to the legal penalties imposed by the law.
Compliance Technical Aspects
The Personal Data Protection (PDP) Law, Article 35, specifies the security measures organizations must adopt to protect personal data, including preparing and implementing technical and operational measures and employing a risk-based approach to determine the appropriate level of security for the data. Controllers likewise have a duty to prevent personal data from being accessed unlawfully (Art 39). Note that the PDP Law does not specify further security measures but instead defers to future regulations to fill in additional detail.
Risk-based Approach Suggestions
A risk-based cybersecurity approach is a strategy that focuses on identifying and mitigating the most significant risks to an organization’s information and assets, or, in this case, personal data. It involves assessing the organization’s vulnerabilities, the likelihood and potential impact of security incidents, and prioritizing mitigation measures accordingly. A risk-based cybersecurity approach emphasizes continuous monitoring and improvement to ensure that security measures are effective.
The PDP Law leaves the exact risk-based requirements to future regulations. In such a situation, it is prudent to aim for the most thorough options available.
New technologies operationalizing a risk-based approach can be categorized as breach and attack simulation, attack surface management, and continuous automated red teaming.
· Breach and Attack Simulation
Breach and attack simulation (BAS) is a technology that simulates real-world attacks against an organization’s systems. It identifies security gaps and vulnerabilities, tests the effectiveness of security controls, verifies that recommended measures are applied effectively, and recommends remediation steps.
· Attack Surface Management
Attack surface management (ASM) is a process that automates the discovery, analysis, and testing of an organization’s digital footprint. The process consists of reconnaissance to discover exposures, followed by attempts to exploit them in order to assess each exposure’s risk.
· Continuous Automated Red Teaming (CART)
CART is a technology that simulates multi-stage attacks against an organization’s systems. It begins by identifying exploitable entry points, then automatically attempts to propagate within the environment and accomplish an objective such as data exfiltration.
Technical Measures Suggestions
· Fully Segmenting Database Holding Personal Data
Segmenting requires managing access to the database through Identity and Privileged Access Management, limiting access on a need-to-know-only basis. Validating the effectiveness of the segmentation measures can easily be achieved with a BAS full kill chain attack simulation.
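The need-to-know principle described above, expressed as database access control: the following is an added example and is not code from the original post or from Cymulate. It assumes PostgreSQL, a constructed schema `pdp` with a single `customers` table, hypothetical roles `support_agent` and `dpo_auditor`, and an assumed session setting `app.region` that the application sets after authenticating a user. Access is denied by default and then granted per column and per row, so a support role never sees the high-sensitivity field and only sees rows for its own region.

```sql
-- Constructed schema for the example: one table holding personal data.
CREATE SCHEMA pdp;
CREATE TABLE pdp.customers (
    customer_id  bigint PRIMARY KEY,
    full_name    text NOT NULL,
    email        text NOT NULL,
    national_id  text NOT NULL,   -- high-sensitivity field, need-to-know only
    region       text NOT NULL
);

-- Deny by default: make explicit that PUBLIC holds no privileges here.
REVOKE ALL ON SCHEMA pdp FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA pdp FROM PUBLIC;

-- Hypothetical roles, one per business need; users inherit from these.
CREATE ROLE support_agent NOLOGIN;
CREATE ROLE dpo_auditor   NOLOGIN;
GRANT USAGE ON SCHEMA pdp TO support_agent, dpo_auditor;

-- Column-level need-to-know: support sees contact fields, never national_id.
GRANT SELECT (customer_id, full_name, email, region)
    ON pdp.customers TO support_agent;

-- The audit role may read everything but change nothing.
GRANT SELECT ON pdp.customers TO dpo_auditor;

-- Row-level segmentation: support only sees rows for the region the
-- application placed on the session (app.region is an assumed custom setting).
-- current_setting(..., true) returns NULL when unset, so the policy fails closed.
ALTER TABLE pdp.customers ENABLE ROW LEVEL SECURITY;
CREATE POLICY support_by_region ON pdp.customers
    FOR SELECT TO support_agent
    USING (region = current_setting('app.region', true));

-- Login accounts get membership in a role, never direct grants on the table.
CREATE USER alice LOGIN PASSWORD '<placeholder-password>' IN ROLE support_agent;

-- Validation check 1: list the column grants actually in force for support_agent.
SELECT column_name, privilege_type
FROM information_schema.column_privileges
WHERE table_schema = 'pdp'
  AND table_name   = 'customers'
  AND grantee      = 'support_agent';

-- Validation check 2: exercise the role and confirm the restricted column
-- is rejected while the permitted columns are region-scoped.
SET ROLE support_agent;
SET app.region = 'JKT';
SELECT customer_id, full_name, email FROM pdp.customers;  -- region JKT only
SELECT national_id FROM pdp.customers;                    -- not granted to this role
RESET ROLE;
```

The two validation queries are the kind of evidence a data protection officer can keep on file: the first is a configuration review, the second is a live test of the control from the perspective of the least-privileged role. Running the second check as part of a recurring validation job complements the BAS simulation mentioned above, since a grant added by mistake shows up in the column list and in the query outcome before an attacker finds it.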
· Providing Employee Training on Data Protection Best Practices
Employee training is essential to ensure that all employees understand the importance of data protection and follow best practices. This includes training on password management and data handling procedures and running regular phishing awareness campaigns.
· Keeping Software and Systems Up to Date
Keeping software and systems up to date with the latest security patches can help prevent vulnerabilities from being exploited. Risk-based approach technologies such as internal ASM can detect and draw attention to expired subscriptions and outdated or legacy software versions.
The Waterfall Bonus of Implementing a Risk-Based Approach
Adopting and implementing a risk-based approach by incrementally integrating the technologies above drastically improves an organization’s cyber-resilience. An improved security posture has a “waterfall” effect on other aspects of a company’s operations. For example, fewer breaches reduce downtime and operational disruption, improving business continuity, resiliency, customer trust, and brand reputation.
The Cymulate comprehensive risk-based security validation platform combines ASM, BAS, and CART in a single platform and includes dynamic, interactive dashboards. Global and granular analyses include actionable remediation guidance for uncovered security gaps.
To see it in action, try a free trial or request a demo.