The Personal Data Protection Regulation in Indonesia (Part 3): The Impact

by | June 4, 2022

The era of machine learning and artificial intelligence sometimes makes us forget that much of the data involved is human data, in this case personal data that is sometimes considered sensitive. Therefore, the many stakeholders involved should make sure that data is processed transparently and lawfully.

In the previous article, we elaborated on what personal data protection (PDP) law is and on its implementation challenges in Indonesia. In this article, we discuss the impact of personal data protection law on an organization, whether private or public. This article does not elaborate on the benefits of personal data protection, because it is obvious that it will increase customer or public trust. We also do not discuss the individual articles of the Draft of Personal Data Protection Law in detail, because not all of them are relevant to the discussion.

Before explaining the impact, we need to understand the stakeholders in the data protection law:

#1 Data Controller

A data controller is a person, company, or other body that determines the purpose and means of personal data processing. Put simply, this party controls the use of data in an organization and decides what to do next with the data.

#2 Data Processor

A data processor is a person or company that is responsible for processing the data with the data controller’s permission.

#3 Supervisory Authority

#4 Data Subject

A data subject is the person who owns the personal data, data that has been attached to each of us since we were born.

So, assuming that the Personal Data Protection Law applies in Indonesia today, we see five impacts that top management should pay attention to. Here is the list:

#1 Hire/Assign Data Protection Officer (DPO)

Once the law is applied in Indonesia, an organization should appoint a data protection officer. A data protection officer is a person who ensures that the organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules (https://edps.europa.eu/). This person is important in every organization’s strategy since he/she will make sure that privacy is considered in the process. Moreover, the DPO will communicate with the Supervisory Authority if there is a violation in the data processing.

There is no specific qualification for the DPO, so it could be a person from any background as long as the person has the necessary knowledge and understands what to do in the DPO role. But

#2 Including Personal Data Protection Law in Current Information Security Strategy

Most companies apply information security standards such as ISO27001, NIST SP 800-53, COBIT, CIS Controls, etc. These are not enough to comply with data protection law, since the information security standards do not go into detail about personal data collection.

If the PDP law is applied, the privacy or security officer is required to review the current privacy and security standards and work together with the DPO to ensure their content covers the articles in the PDP law. This activity demonstrates how important the DPO is within the organization.

#3 Check the data processing activity

The PDP law is about protecting against illegal forms of personal data processing. In this era, almost all organizations hold personal data from their employees or customers. The PDP law will bring big changes to the flow of data collection and processing within a company.

An organization is required to do a privacy impact assessment for a current project that involves personal data collection, and a data protection impact assessment for a future project.

In addition, the privacy policy of an organization's service must comply with the PDP law, and it is better to make it simple and understandable for customers in order to achieve data processing transparency.

#4 Update the data breach response strategy

If you are one of the chiefs in your organization, what is your response to a data breach that involves your customer data?

If you don’t have one, you risk damaging your organization's reputation. Nowadays, people are increasingly aware of the personal data that your organization collects about them. Even if we use the strongest security system, we cannot reduce the chance of a data breach to zero percent. In the social media era, the impact on company reputation is bigger than before. The media will also chase an organization's response to the data breach.

An organization should prepare its response to a data breach by forming a response strategy. Everyone in the company should be aware of the procedure if a data breach happens: who to notify, how to respond to the media, and how critical the problem is.

#5 Keep updated with the compliance

The data protection policy in a company is a living document that should be updated based on the regulations and laws of the country. There are some regulations in Indonesia that complement the PDP law. The DPO should take these into account to ensure the internal data policy aligns with all of the policies in Indonesia that regulate personal data collection.

These are the five impacts if the PDP law is applied in Indonesia. Do you think your organization is ready for these changes? If you want to know more about privacy impact assessment or data privacy impact assessment, contact us!

Hadi Purnama Jati

Jati earned his Master’s in ICT in Business and the Public Sector from Leiden University, the Netherlands. He is currently pursuing his PhD at Leiden University on the topic of data privacy for the VODAN-Africa project.