
Policy Briefing — Indonesia Personal Data Protection Law Enacted

Indonesia enacted Law No. 27 of 2022 on Personal Data Protection, establishing comprehensive controller duties, fines, and criminal sanctions that organisations must operationalise within a two-year transition period.


Executive briefing: Indonesia’s President Joko Widodo signed Law No. 27 of 2022 concerning Personal Data Protection (the PDP Law) on 17 October 2022, establishing the country’s first comprehensive privacy regime. The law introduces GDPR-like obligations for data controllers and processors, sets out detailed data subject rights, and empowers the Ministry of Communications and Informatics (Kominfo) to levy administrative fines and pursue criminal penalties. Organisations operating in Indonesia or handling data on Indonesian residents have a two-year transition window to align governance, security, and vendor management controls before enforcement fully commences in October 2024.

The PDP Law applies extraterritorially to entities outside Indonesia that process personal data for individuals located in Indonesia or that affect Indonesian citizens. It defines personal data as any data about identified or identifiable persons, with special protection for specific categories such as health, biometric, genetic, criminal records, children’s data, and financial information. Controllers must implement lawful processing principles, obtain valid consent unless another legal basis applies, honour rights requests, secure data through appropriate measures, and report breaches promptly.

Lawful basis and consent requirements

Controllers must identify a lawful basis for processing personal data. The PDP Law recognises consent, contractual necessity, legal obligation, vital interests, public interest, legitimate interests, and processing for statistical and research purposes subject to safeguards. Consent must be explicit for sensitive data, demonstrable, and easily withdrawable. Organisations must provide clear notices specifying the purpose, type of data, retention period, and details of data sharing. If processing changes significantly, controllers must seek renewed consent or establish another lawful basis.

For children’s data, consent must be obtained from a parent or legal guardian. Controllers should implement age verification processes and maintain records of parental authorisation. Processing deceased individuals’ data also requires consent from heirs or relevant parties. Failure to demonstrate lawful processing can lead to administrative fines up to 2 % of annual revenue or criminal sanctions in severe cases.

Data subject rights

The PDP Law grants individuals nine key rights: the right to obtain information about processing, access personal data, rectify inaccuracies, delete data, restrict or delay processing, withdraw consent, object to automated decision-making, data portability, and compensation for losses. Controllers must implement channels to receive and respond to requests within 14 business days, extendable by another 14 days when justified. Procedures must include identity verification, logging, escalation to the data protection officer (DPO), and documentation of response outcomes.

Automated decision-making involving profiling that produces legal or significant effects requires safeguards, including the right to human intervention and explanation. Organisations should assess algorithmic systems deployed in Indonesia, implement bias testing, and maintain override mechanisms consistent with Kominfo’s forthcoming technical regulations.

Governance and accountability duties

Controllers and processors must appoint a DPO if their core activities involve systematic monitoring on a large scale, large-scale processing of sensitive data, or processing for public services. The DPO can be internal or external but must be independent and report to the highest management level. Responsibilities include advising on compliance, monitoring adherence, training staff, conducting audits, and liaising with Kominfo. Organisations without a mandatory obligation may still appoint a DPO to demonstrate accountability.

The PDP Law requires controllers to implement organisational and technical measures proportionate to risk. This includes policies covering governance, security, and incident response; access controls; encryption; disaster recovery; and vendor oversight. Controllers must maintain records of processing activities, conduct impact assessments for high-risk processing (especially involving sensitive data or new technologies), and ensure processors act only on documented instructions with adequate contractual safeguards.

Cross-border data transfers

Transferring personal data outside Indonesia is permitted when the destination jurisdiction provides equal or higher protection, when adequate contractual clauses or binding rules are in place, or when the individual has provided explicit consent. Kominfo may issue future adequacy lists. Until then, organisations should conduct transfer impact assessments analysing foreign legal regimes, government access risks, and available redress. Contracts should include security obligations, audit rights, breach notification duties, and termination clauses if compliance risks materialise.

Data breach notification

Controllers must notify Kominfo and affected individuals within 72 hours of discovering a personal data breach that compromises confidentiality, integrity, or availability. Notifications should include the nature of the breach, compromised data categories, mitigation steps, and recommendations for individuals. Controllers must document incidents, preserve evidence, and coordinate with law enforcement if criminal activity is suspected. Regular testing of breach response plans, including tabletop exercises and simulated notifications, will help demonstrate readiness.

Sanctions and enforcement

Kominfo may issue administrative sanctions ranging from written warnings and temporary suspension of processing to deletion of data and fines up to 2 % of annual income or revenue. The law also introduces criminal penalties, including imprisonment up to six years and fines up to IDR 6 billion for unlawful processing, identity theft, or unlawful disclosure. Corporate entities can face asset seizure, profit confiscation, and suspension of business activities. The law allows affected individuals to sue for damages, increasing litigation exposure.

A new independent supervisory authority will be established to oversee implementation, though Kominfo will exercise powers during the transition. Organisations should monitor secondary regulations clarifying certification schemes, standard contractual clauses, and sector-specific requirements for banking, telecommunications, and e-commerce.

Implementation roadmap

With a two-year transition period, companies should phase compliance work:

  • Phase 1 (0–6 months): Conduct gap assessments comparing existing Indonesian operations against PDP Law requirements, inventory processing activities, prioritise sensitive data, and assign a programme owner. Begin drafting updated privacy notices, consent forms, and data subject request workflows.
  • Phase 2 (6–12 months): Appoint a DPO if required, implement a records-of-processing system, update contracts with processors to include PDP Law clauses, and design transfer impact assessment templates. Launch training for employees on the new rights and sanctions.
  • Phase 3 (12–24 months): Operationalise breach response drills, implement automation for rights intake, and establish metrics dashboards tracking request response times, incident counts, and vendor compliance status. Engage local counsel to monitor Kominfo regulations and adjust controls accordingly.

Outcome testing and assurance

Demonstrating effective compliance will require evidence of control performance:

  • Rights performance metrics. Track the volume of access, deletion, and objection requests; average resolution time; and escalation rates. Use the results to refine staffing and process design.
  • Breach simulation. Run quarterly incident response exercises replicating ransomware, insider misuse, and cross-border transfer failures. Evaluate coordination between security, legal, and communications teams.
  • Vendor audits. Perform on-site or remote assessments of processors handling Indonesian data, reviewing security measures, subcontractor controls, and breach notification readiness.
  • Policy effectiveness reviews. Conduct independent audits of privacy policies, consent management, and data retention schedules. Document remediation actions and report to senior leadership.

Organisations that align early with the PDP Law will strengthen trust with Indonesian consumers and regulators, reduce the risk of fines or business disruption, and position themselves for future regional data-sharing initiatives.
