Navigating the Personal Data Protection Law in Indonesia

With the passing of its long-awaited Personal Data Protection Bill (PDP Bill) into law on 20 September 2022, Indonesia has taken a significant stride towards unifying its previously fragmented patchwork of general and sector-specific data privacy laws and regulations, and providing organisations with greater clarity on their data ownership rights, data transfer protocols, and key data management roles, amongst others.

In recent months, however, as the deadline for the grace period looms closer, one particular requirement under the law – that is, the mandatory appointment of a data protection officer (DPO) to oversee all personal data processing activities across the organisation – has emerged as a significant source of concern for many organisations. This is because there remains significant uncertainty surrounding the circumstances that will mandate a DPO appointment, as well as the necessary organisational structures that must be put in place to support such a role.

In this article, we will examine these issues in greater detail, and provide a set of practical considerations with which to approach the appointment of a DPO and the accompanying establishment of a DPO function for organisations.