
Indonesia's Personal Data Protection Law
The compliance journey in partnership with
September 1, 2024

Table of Contents

1. Introduction
o Overview of Indonesia's Personal Data Protection Law (UU PDP) ... page 4
o Importance of data protection for businesses ... page 5
o Comparative analysis of the European Union's General Data Protection Regulation (GDPR) and Indonesia's Personal Data Protection Law (UU PDP) ... page 5
o Charting the course to personal data protection compliance ... page 7
2. Understanding Indonesia's UU PDP
o Key provisions of the law ... page 9
o Definitions and types of personal data ... page 9
o Scope and applicability ... page 9
o Delineation of scope and responsibilities between controller, processor, and data subjects ... page 9
o Cooperation between controllers and processors ... page 10
3. Compliance requirements for businesses
o Data protection principles ... page 13
o Lawful grounds for processing personal data ... page 13
o Privacy policy and notice ... page 14
o Rights of data subjects ... page 17
o Obligations of data controllers and processors ... page 19
4. Implementing data protection measures
o Data Protection Officer (DPO) and their role ... page 21
o Data Protection Impact Assessments (DPIA) ... page 21
o Data breach notification requirements ... page 22
o Cross-border data transfer requirements ... page 23
5. Technical and organizational measures
o Protection measures in accordance with Indonesia's Personal Data Protection Law regulations ... page 25
o Organizational measures ... page 25
o Technical measures ... page 27
o Data Protection Officer-as-a-Service (DPOaaS) ... page 28
o Privacy Enhancing Tools (PET) with Microsoft ... page 29
o Microsoft compliance as data processor & supporting customer as data controller under UU PDP ... page 33
o Technical architecture considerations ... page 36
6. Creating a compliance checklist
o Compliance checklist ... page 55
o Fulfilment timeframe ... page 55
o Consequences of non-compliance with UU PDP ... page 56
7. Case studies and best practices
o Microsoft case study ... page 58
o EY & Microsoft case study ... page 59
8. Conclusion
o Key takeaways ... page 61
o Future outlook ... page 61

1. Introduction

Overview of Indonesia's Personal Data Protection Law (UU PDP)
Indonesia's Personal Data Protection Law (UU PDP) regulations emerged in response to the
growing digitization of personal information and the need to protect individuals' privacy rights
in the digital era. The background of these regulations is rooted in the increasing incidents of
data breaches and misuse, which highlighted the necessity for a formal legal structure to
safeguard personal data.

Law No. 27 of 2022 on Personal Data Protection establishes a framework for data privacy in
Indonesia that aligns with established international standards such as the General Data Protection
Regulation (GDPR). It sets out the rights and obligations of individuals and entities and specifies
penalties for non-compliance. The law complements other Indonesian regulations and laws
related to data privacy and protection, including:

Law No. 1 of 2024 (ITE Law)
This law governs electronic transactions and includes provisions on the use and exchange of
electronic information, including personal data.
Learn more: https://jdih.kominfo.go.id/produk_hukum/view/id/884/t/undangundang+nomor+1+tahun+2024

Government Regulation No. 71 of 2019
Provides more detailed regulations on the operation of electronic systems, including the
protection of personal data within such systems.
Learn more: https://peraturan.bpk.go.id/Details/122030/pp-no-71-tahun-2019

Ministry of Communication and Informatics Regulation No. 20 of 2016
Electronic system operators are required to implement stringent data protection measures to
safeguard user data, including obtaining consent for data collection and ensuring the
confidentiality and integrity of personal data.
Learn more: https://jdih.kominfo.go.id/produk_hukum/view/id/553/t/peraturan+menteri+komunikasi+dan+informatika+nomor+20+tahun+2016+tanggal+1+desember+2016

Ministry of Health Regulations
Healthcare providers must ensure that personal health data is only accessed by authorized
personnel and is protected against unauthorized use or disclosure.

OJK (Financial Services Authority) Regulations
The OJK regulates the financial services sector and has issued regulations that address the
protection of consumer data within the financial industry.

Ministry of Manpower Regulations
These regulations may include requirements for the protection of employee data within the
workplace.

4 Indonesia’s Personal Data Protection Law (UU PDP) Whitepaper


Importance of data protection for businesses

Data protection is critical for businesses to maintain customer trust, comply with legal
requirements, and protect against data breaches that could lead to financial and reputational
damage. The law mandates businesses to implement appropriate data protection measures,
ensuring the confidentiality, integrity, and availability of personal data.

Comparative analysis of the European Union's General Data Protection Regulation (GDPR)
and Indonesia's Personal Data Protection Law (UU PDP)
Indonesia's Personal Data Protection Law (UU PDP) regulations are influenced by the General
Data Protection Regulation (GDPR) of the European Union and by other international data
protection standards. This influence reflects a global trend towards robust privacy frameworks
that address the challenges of data protection in an interconnected world. The UU PDP aims to
provide a level of personal data protection comparable to these global standards, thereby
facilitating the international trade and data flows that businesses operating in the global
marketplace depend on.

Despite these parallels, the UU PDP has distinct characteristics that set it apart from the GDPR
and other standards. The main differences are summarized in the comparison below:

Privacy domain: Exceptions to data subject rights
UU PDP: Exceptions to data subject rights are applied fully, based on the areas of interest
regulated in the law.
GDPR: Exceptions are applied partially, based on the principles of necessity and proportionality.

Privacy domain: Restrictions on personal data storage
UU PDP: The period of personal data storage is outlined, but for specific data it depends on
other regulations.
GDPR: The period of personal data storage can be extended for specific purposes outlined in
the GDPR.

Privacy domain: Obligations of the data controller
UU PDP: The obligations of data controllers are regulated in general terms, regardless of the
level of risk associated with the personal data processing.
GDPR: The obligations of data controllers are regulated in more specific terms, according to
the level of risk associated with the personal data processing.

Privacy domain: Regulation of data processor obligations
UU PDP: The UU PDP implies several obligations for data controllers that also apply to data
processors.
GDPR: The GDPR sets out obligations for data processors that differ from those of data
controllers.

Privacy domain: Personal data security requirements
UU PDP: Covers data security in general terms, based on the controller's capacity; detailed
requirements for controllers and processors are left to subsequent regulations. An annual data
security review is required.
GDPR: Data security requirements are detailed and specified. An annual data security review
is recommended.

Privacy domain: Cross-border data transfer mechanisms
UU PDP: Transfers are permitted based on the recipient country's level of protection
(adequacy), international agreements or contracts that provide binding protection, or the data
subject's consent.
GDPR: Personal data transfers to a third country or international organization are allowed if the
EU Commission has determined that the third country provides an adequate level of protection,
or if appropriate safeguards are in place to ensure protection equivalent to that within the EU.
If there is no adequacy decision, transfers can still occur if the data controller or processor
provides suitable safeguards and ensures that data subjects have enforceable rights and
effective legal remedies.

Privacy domain: Sanctions mechanism
UU PDP: Includes both criminal sanctions and administrative fines; administrative fines of up
to 2% of the organization's annual revenue.
GDPR: Administrative fines only (up to EUR 20 million or 4% of worldwide annual turnover,
whichever is higher); the GDPR itself imposes no criminal sanctions, although member states
may provide for them in national law.

Privacy domain: Data protection authority
UU PDP: A data protection authority is to be established under the government.
GDPR: Independent data protection authorities.

Privacy domain: Data breach notification period
UU PDP: Written notification within 3x24 hours of becoming aware of the breach, to the
relevant authority and to the affected data subjects.
GDPR: Notification to the supervisory authority within 72 hours of becoming aware of the
breach, where feasible. Data subjects need only be notified, without undue delay, where the
breach is likely to result in a high risk to the rights and freedoms of natural persons.

Source: cyberthreat.id, "Ini 8 Perbedaan Antara RUU Perlindungan Data Pribadi dan GDPR Uni Eropa" (These are the 8 differences between the Personal Data Protection Bill and the EU GDPR).



Charting the course to Personal Data Protection compliance
Having established the context and significance of Indonesia's Personal Data Protection Law
in the introduction, the next sections give a more detailed overview of the vital aspects of the
regulations, outline the compliance mandates relevant to businesses, and present actionable
strategies for organizations to use their people, work processes, and technology to achieve
compliance. These practices are vital for creating a culture of compliance and ensuring that
personal data is handled with the utmost care and security.

As we move forward, we aim to equip businesses with clear guidance on how to bring these
elements together, leveraging the expertise of EY and the technological solutions from
Microsoft to establish a robust data protection framework.



2. Understanding Indonesia's UU PDP



Key provisions of the law

Core Pillars of Business Compliance


As the compliance deadline for Indonesia's Personal Data Protection Law approaches,
businesses must prioritize key legal provisions. These include defining controller and processor
responsibilities, establishing data breach notification procedures, appointing a Data Protection
Officer (DPO), and respecting data subject rights. Adherence to these areas is crucial for
organizations to align with the law and safeguard personal data effectively.

Definitions and types of personal data

• General personal data: This refers to any information related to an identifiable
individual. Examples include names, addresses, and email addresses.

• Specific personal data: This category includes data that is more sensitive in nature and
requires additional protection. Examples include religious beliefs, biometric data, and
health information.

Scope and applicability

The law applies to the processing of personal data by any individual, public body, or
organization, whether the processing takes place inside Indonesia or outside it, provided that
the processing has legal consequences within Indonesian jurisdiction or concerns Indonesian
citizens outside Indonesia.

Delineation of scope and responsibilities between controller, processor, and data subjects

Under the Indonesia’s Personal Data Protection Law, it is crucial for businesses to explicitly
outline the roles and responsibilities of data controllers and processors. This clarity is essential
for compliance and effective data governance.

• Data controller: The entity that determines the purpose and means of processing
personal data. Responsibilities include ensuring lawful processing, protecting data
subject rights, and implementing data protection principles, for example:
o Establishing data processing objectives
o Maintaining data accuracy and integrity
o Securing consent from data subjects when required

• Data processor: The entity that processes personal data on behalf of the controller.
Responsibilities are typically defined by the controller and include following the
controller's instructions and assisting in fulfilling data protection obligations, for example:
o Processing data as per controller directives
o Implementing security measures
o Assisting in data breach response and notification

• Data subject: The individual to whom the personal data belongs. They have specific
rights under the law that both controllers and processors must respect and facilitate,
including:
o Right to access their personal data
o Right to request correction or deletion
o Right to object to certain processing activities

Businesses must ensure that their contracts, policies, and documentation reflect these roles
and responsibilities clearly to maintain compliance with the Indonesia’s Personal Data
Protection Law.

Cooperation between controllers and processors

Controller-controller relationship
In a controller-controller relationship, two or more independent entities act as separate data
controllers for the same personal data. Each controller is responsible for their own compliance
with the data protection law and must independently establish the purpose and means of
processing the data.

Example of controller-controller relationship: Company X collects personal data from its
customers for its own marketing purposes. Company Y, a separate entity, also collects the
same customers' data independently for its market research. Both companies act as separate
controllers and are individually responsible for their data processing activities, including data
subject rights and data protection measures.

Joint controllers
Joint controllers are two or more entities that jointly determine the purposes and means of
processing personal data. They must establish an agreement that outlines their respective
responsibilities for compliance with the data protection law, including the exercise of data
subject rights and the provision of a point of contact for data subjects.

Example of joint controllership: An e-commerce platform (Company A) and a payment
service provider (Company B) decide to collaborate on a new payment feature. They jointly
determine how the personal data will be processed for this feature. As joint controllers, they
must agree on their respective data protection obligations and how they will handle data
subject requests.



Controller-processor relationship
In a controller-processor relationship, the controller determines the purposes and means of
processing personal data, while the processor processes the data on behalf of the controller.
The relationship must be governed by a contract or other legal document that sets out the
subject matter and duration of the processing, the nature and purpose of the processing, the
type of personal data, categories of data subjects, and the obligations and rights of the
controller.

Example of controller-processor relationship: A healthcare clinic (the controller) hires an IT
company (the processor) to manage its patient records system. The clinic dictates the purposes
for which patient data is processed (e.g., appointment scheduling, medical record keeping),
and the IT company processes the data within the scope defined by the clinic. The contract
between them specifies the IT company's obligations to protect the data and follow the clinic's
instructions.

Non-compliance with the obligations in any of these relationships can lead to legal and financial
consequences. For instance, if joint controllers do not clearly define their responsibilities, both
could be held liable for any breaches of the data protection law. Similarly, if a processor acts
outside the instructions of the controller, it may be considered a controller in respect of that
processing and be subject to the associated liabilities.



3. Compliance requirements for businesses

Data protection principles
Businesses must adhere to the following principles when processing personal data:

• Lawfulness: Data must be processed legally and fairly.
• Transparency: Data processing should be transparent to the data subject.
• Purpose limitation: Data should be collected for specified, explicit, and legitimate
purposes and not further processed in a manner incompatible with those purposes.
• Data minimization: Only data necessary for processing should be collected.
• Accuracy: Personal data must be kept accurate and up to date.
• Storage limitation: Data should be kept in a form that permits identification of data
subjects for no longer than necessary.
• Integrity and confidentiality: Personal data must be processed securely, including
protection against unauthorized or unlawful processing and against accidental loss,
destruction, or damage.

Lawful grounds for processing personal data

The law specifies several legal bases for the lawful processing of personal data, including:

• Consent: The data subject has given explicit consent to the processing of their personal
data for one or more specific purposes.
• Contractual necessity: Processing is necessary for the performance of a contract to which
the data subject is party.
• Legal obligation: Processing is necessary for compliance with a legal obligation to which
the controller is subject.
• Vital interest: Processing is necessary to protect the vital interests of the data subject or
another natural person.
• Public interest: Processing is necessary for the performance of a task carried out in the
public interest.
• Legitimate interests: Processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party.



Privacy policy and notice
Indonesia’s PDP Law mandates the creation and dissemination of privacy policies and notices
to safeguard individual rights. This section will delve into the necessity of having both an
internal privacy policy for employees and stakeholders, and an external privacy notice for
customers and the public, in accordance with the regulations.

Privacy policy for internal purposes

An internal privacy policy is a comprehensive document that outlines an organization's
commitment to safeguarding the personal data of its employees, customers, and other
stakeholders. Under UU PDP, it is imperative for organizations to establish a clear framework
that governs the collection, use, storage, and transfer of personal data within the corporate
environment.

The internal privacy policy serves several critical functions:

1. Compliance with legal requirements: It ensures that the organization adheres to the
provisions set forth by Indonesia’s PDP Law, which mandates the protection of personal
data.
2. Data management standards: The policy sets forth the principles and standards for
data management, ensuring that personal data is processed lawfully, fairly, and
transparently.
3. Employee awareness: It educates employees about their roles and responsibilities in
protecting personal data, thus fostering a culture of privacy within the organization.
4. Risk management: The policy helps in identifying and mitigating risks associated with
data processing activities, thereby reducing the likelihood of data breaches.

Examples of documents and systems where an internal privacy policy could be implemented
include:

1. Employee handbook: Incorporating the privacy policy to inform staff of data
protection practices.
2. Intranet and internal systems: Publishing the policy on the organization's internal
network for easy access.
3. Training materials: Integrating data protection principles into educational resources
for staff.
4. Data processing agreements: Ensuring third-party service providers comply with the
organization's privacy standards.
5. IT security systems: Embedding the policy within security systems to control data
access and monitor processing activities.



Privacy notice to external parties

An external privacy notice is a public declaration of an organization's data processing practices.
This document is crucial for maintaining transparency with customers, clients, and partners
about how their personal data is handled.

Key aspects of the external privacy notice include:

1. Transparency and trust: It builds trust with external parties by transparently disclosing
how their data is collected, used, and protected.
2. Informed consent: The notice provides the necessary information for individuals to
give informed consent when required by UU PDP.
3. Legal compliance: It demonstrates compliance with Indonesia’s PDP Law's requirement
to inform data subjects about their data processing activities.
4. Data subject rights: The notice outlines the rights of data subjects, such as the right to
access, correct, and delete their personal data, as provided under the law.

Examples of documents and platforms where an external privacy notice could be implemented
include:

• Website privacy notice: A page on the company's website dedicated to explaining its
data collection and protection methods.
• Mobile app privacy notice: Accessible within mobile applications, especially during
installation or within app settings.
• Customer account portals: Displayed within any online customer account areas.
• Online forms and checkouts: Summarized on forms and checkout pages, with a link to
the full document.
• Marketing material: Included in or linked from sign-up forms for marketing
communications.
• Social media platforms: Accessible from the organization's social media profiles for
users who engage with the company through these channels.



Consequences of not having privacy policy and notice in place

The absence of an internal privacy policy and an external privacy notice can have significant
legal, financial, and reputational consequences for an organization:

a) Legal sanctions: Non-compliance with Indonesia’s PDP Law can lead to legal actions,
including fines, penalties, and enforcement notices.
b) Loss of consumer trust: Without a privacy notice, consumers may lose trust in the
organization's ability to protect their personal data, leading to a loss of business and
customer loyalty.
c) Operational disruptions: The lack of a privacy policy may result in disorganized data
management practices, leading to inefficiencies and potential data breaches.
d) Reputational damage: Organizations that fail to comply with privacy regulations
often suffer reputational harm, which can be difficult and costly to repair.

In conclusion, having a well-defined internal privacy policy and an external privacy notice is not
only a legal requirement under Indonesia’s PDP Law but also a critical component of an
organization's data governance strategy. It is essential for legal compliance, operational integrity,
and maintaining trust with all stakeholders.



Rights of data subjects
Data subjects, defined as individuals to whom personal data pertains, are granted a number of
rights under Indonesia's Personal Data Protection Law (UU PDP). These rights, detailed in
Articles 5 through 15 of the UU PDP, include but are not limited to:

Right to access and receive copies: The right to obtain confirmation as to whether personal
data concerning them is being processed, and to access such data.
e.g.: Tina submits a request to an online retailer to see all the personal data they have about
her. The retailer must provide her with a copy of her data, including purchase history and any
personal details they have on file.

Right to rectification: The right to have inaccurate personal data corrected.
e.g.: Tina notices that her birth date is incorrect in her bank's records. She requests a
correction, and the bank must update the information to reflect the accurate date.

Right to erasure ('right to be forgotten'): The right to have personal data erased under certain
circumstances.
e.g.: After cancelling her account with a social media platform, Tina requests that all her
personal data be deleted. The platform is required to erase her data, provided there are no
legal grounds to keep it.

Right to restriction of processing: The right to restrict the processing of their personal data in
certain situations.
e.g.: Tina is disputing the accuracy of her personal data held by a credit scoring company.
While the dispute is ongoing, she can request that the company restrict the processing of her
data, meaning they can store it but not use it.

Right to data portability: The right to receive their personal data in a structured, commonly
used format and to transfer it to another controller.
e.g.: Tina decides to switch to a new fitness tracking service. She requests that her current
service provider transfer her personal data, including workout history and health metrics, to
the new provider in a machine-readable format.

Right to object: The right to object to the processing of their personal data for specific reasons.
e.g.: Tina receives marketing emails from a company she once purchased from. She exercises
her right to object to the processing of her personal data for marketing purposes, and the
company must stop sending her marketing communications.

Rights related to automated decision making and profiling: The right not to be subject to
decisions based solely on automated processing, including profiling, which produce legal
effects concerning them.
e.g.: Tina applies for a loan, but her application is declined by an automated credit scoring
system without human intervention. She has the right to request a review of the decision by a
human, challenge the decision, and express her point of view.

Right to withdraw consent: A data subject's legal entitlement to revoke consent previously
given for the processing of their personal data.
e.g.: After subscribing to a newsletter, Tina decides she no longer wants to receive it and
withdraws her consent. The company must stop sending the newsletter to her and remove her
personal data from the subscription list if there is no other legal basis for processing it.

Right to indemnity: In the context of data protection, the right of a data subject to receive
compensation for any damages caused by the unlawful processing of their personal data or by
the data controller's non-compliance with data protection laws.
e.g.: A data breach at a financial institution results in Tina's personal data being exposed. She
suffers identity theft and financial loss as a result. Tina has the right to seek indemnity from
the institution for the damages she incurred due to their failure to protect her data.



However, the law also outlines certain exceptions to these rights under Article 15, Paragraph
(1), where the rights of data subjects may be restricted for the following reasons:
• National defence and security interests.
• Law enforcement processes.
• Public interest in the context of state administration.
• Oversight of the financial services sector, monetary systems, payment systems, and
financial system stability as part of state administration.
• Statistical and scientific research interests.

For instance, law enforcement interests include activities related to the execution or
enforcement of legal rules as per regulatory provisions, including investigation, inquiry, and
prosecution processes. Public interest in the context of state administration encompasses
activities such as the management of population administration, social security, taxation,
customs, and integrated electronic business licensing services. These exceptions are in place
to balance individual rights with broader societal and state interests.

Obligations of data controllers and processors

Data controllers and processors have specific obligations, such as:
• Implementing data protection measures: They must take appropriate technical and
organizational measures to ensure data protection and be able to demonstrate compliance
with the law.
• Maintaining a Record of Processing Activities (RoPA): They must keep detailed
records of their data processing activities.
• Conducting Data Protection Impact Assessments (DPIA): For high-risk processing
activities, they must conduct DPIAs to assess and mitigate risks to data subjects.
• Appointing a Data Protection Officer (DPO): If processing operations require regular
and systematic monitoring of data subjects on a large scale, or involve large-scale
processing of sensitive data, a DPO must be appointed.



4. Implementing data protection measures



Data Protection Officer (DPO) and their role

DPO appointment: Organizations that engage in significant processing of personal data are
required to appoint a DPO. The DPO should have expert knowledge of data protection law and
practices.

Responsibility: The DPO is responsible for overseeing the organization's data protection
strategy and its implementation to ensure compliance with the UU PDP. They also serve as the
point of contact for supervisory authorities and data subjects.

Independence: The DPO must be able to perform their duties and tasks in an independent
manner, without receiving any instructions regarding the exercise of their function from the
controller or processor.

Data Protection Impact Assessments (DPIA)

When to conduct a DPIA: A DPIA is required when processing is likely to result in a high risk
to the rights and freedoms of individuals, particularly when using new technologies, and
considering the nature, scope, context, and purposes of the processing.

Content of a DPIA: The DPIA should include a systematic description of the envisaged
processing operations, an assessment of the risks to the rights and freedoms of data subjects,
and the measures envisaged to address the risks, including safeguards, security measures, and
mechanisms to ensure the protection of personal data.



Data breach notification requirements
In alignment with Indonesia's Personal Data Protection Law (UU PDP), it is crucial for businesses
to have well-defined data breach notification protocols. These protocols must ensure that in
the event of a data breach, the following actions are taken within 3x24 hours of becoming
aware of the incident:

• Notification to personal data subjects: Data controllers must provide a written
notification to the individuals whose personal data has been compromised.
• Notification to authorities: The relevant authorities must also receive a written
notification regarding the data breach.

The written notification should include, at a minimum:

• Details of the personal data disclosed: A description of the specific personal data
that has been exposed.
• Timing and method of the disclosure: Information on when and how the personal
data was compromised.
• Response measures: Details of the actions taken by the Data Controller to manage
and recover from the data breach.

Additionally, under certain conditions specified in Article 46, Paragraph (3) of the UU PDP, data
controllers are obligated to:

• Public disclosure: Notify the public about the failure in personal data protection.

These bullet points highlight the key components of the notification process that organizations
must follow to comply with the UU PDP. Establishing these protocols is vital for mitigating
potential harm to data subjects and for maintaining transparency in data governance practices.
Organizations must be prepared to detect, report, and respond to data breaches promptly and
effectively to fulfil their legal and ethical obligations.
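To make the timing and content rules above concrete, the following Python example (added here, not code from the whitepaper) computes the 3x24-hour deadline from the moment the controller became aware of the incident, checks that a draft notice carries the three mandatory items, and emits the two written notices (to data subjects and to the authority). The incident fields, the ticket reference and the sample incident are constructed for the demonstration.

```python
"""Breach-notification deadline and content check (added example).

Models the UU PDP rule that both written notices go out within 3x24 hours of
awareness and state: which personal data was disclosed, when and how it was
disclosed, and the response measures taken. Field names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

HOUR = timedelta(hours=1)
NOTIFICATION_WINDOW = 72 * HOUR  # "3x24 hours" in the law


@dataclass
class BreachIncident:
    reference: str                      # internal ticket id (constructed)
    aware_at: datetime                  # when the controller became aware
    data_disclosed: str                 # description of the personal data exposed
    disclosed_when: Optional[datetime]  # when the disclosure happened
    disclosed_how: str                  # how it happened
    response_measures: List[str] = field(default_factory=list)


def notification_deadline(incident: BreachIncident) -> datetime:
    """Latest moment at which both written notices must have been sent."""
    return incident.aware_at + NOTIFICATION_WINDOW


def hours_remaining(incident: BreachIncident, now: datetime) -> float:
    """Hours left before the deadline; negative once the window has passed."""
    return (notification_deadline(incident) - now).total_seconds() / 3600


def missing_content(incident: BreachIncident) -> List[str]:
    """Mandatory notice items that are still absent from the incident record."""
    missing = []
    if not incident.data_disclosed.strip():
        missing.append("details of the personal data disclosed")
    if incident.disclosed_when is None or not incident.disclosed_how.strip():
        missing.append("timing and method of the disclosure")
    if not incident.response_measures:
        missing.append("response measures taken by the controller")
    return missing


def build_notices(incident: BreachIncident, now: datetime) -> Dict[str, dict]:
    """Produce the two written notices, or refuse if mandatory content is missing."""
    missing = missing_content(incident)
    if missing:
        raise ValueError("notice incomplete: " + "; ".join(missing))
    body = {
        "reference": incident.reference,
        "personal_data_disclosed": incident.data_disclosed,
        "disclosure_time": incident.disclosed_when.isoformat(),
        "disclosure_method": incident.disclosed_how,
        "response_measures": list(incident.response_measures),
        "sent_at": now.isoformat(),
        # Recorded so a late notice is visible in the audit trail, not hidden.
        "within_3x24h": now <= notification_deadline(incident),
    }
    return {
        "to_data_subjects": {**body, "recipient": "affected data subjects"},
        "to_authority": {**body, "recipient": "supervisory authority"},
    }


def sample_incident() -> BreachIncident:
    """Constructed incident used for the demonstration."""
    aware = datetime(2024, 9, 1, 9, 0, tzinfo=timezone.utc)
    return BreachIncident(
        reference="INC-0001",
        aware_at=aware,
        data_disclosed="customer names and e-mail addresses",
        disclosed_when=aware - 5 * HOUR,
        disclosed_how="misconfigured access permissions on a file share",
        response_measures=["access permissions corrected", "exposed credentials rotated"],
    )


if __name__ == "__main__":
    inc = sample_incident()
    print(f"deadline: {notification_deadline(inc).isoformat()}")
    print(build_notices(inc, inc.aware_at + 10 * HOUR)["to_authority"])
```

The `within_3x24h` flag is deliberately recorded rather than used to suppress a late notice: a notice sent after the window is still required, and the record of lateness is what the supervisory authority will ask about.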



Cross-border data transfer requirements

Adequacy Decision: Personal data may be transferred to another country if the supervisory
authority has determined that the country provides an adequate level of data protection.

Appropriate Safeguards: In the absence of an adequacy decision, transfers may take place if the
controller or processor has provided appropriate safeguards, such as binding corporate rules or
standard contractual clauses, and on condition that enforceable data subject rights and
effective legal remedies are available.



5. Technical and organizational measures



Protection measures in accordance with Indonesia’s Personal
Data Protection Law (UU PDP) regulations
Under UU PDP regulations, it is mandated that both data controllers and data processors must
adopt suitable technical and administrative strategies to ensure an adequate level of
protection for personal data, corresponding to the potential risks involved.

The details provided here are fundamental precautions that should be considered by entities
handling personal data of Indonesian citizens. Data controllers and processors must tailor
these strategies to their specific circumstances, considering the latest technological
advancements, the processing environment, and the associated risks to the data subjects. This
segment details practical, high-effectiveness technical and organizational steps that
enterprises can refer to in support of compliance with Indonesia’s Personal Data Protection Law.

Organizational measures
It's important to ensure that employees or users who handle personal data are informed about
the privacy risks, the measures in place to manage these risks, and the potential repercussions
of not following these measures:

Legend:

Impact
Low: Direct impact on data protection is limited, primarily focuses on employee behaviour.
Medium: Effective response can mitigate damage.
High: Establishes a strong foundation for data protection, directly impacting compliance and
risk mitigation.

Sanctions
Medium: Non-compliance can lead to fines.
High: Non-compliance can lead to significant fines and reputational damage.

Business Value
Medium: Supports compliance, adds efficiency.
High: Provides clear guidance for employees, reduces legal risks, and enhances organizational
trust.



Organizational Measures

Internal policy: Develop a comprehensive data protection and security policy.

Privacy by design: Every business activity must consider the protection of personal data.

Confidentiality agreement: Implement mechanisms for enforcing confidentiality agreements,
include clauses in employment contracts and clearly define the scope.

Cross-border transfer data: Ensure compliance with cross-border data transfer regulations.

Incident response plan: Develop a plan for responding to personal data breaches.

Training and awareness: Conduct regular training and update of training materials to enhance
personal data protection awareness.

Data Protection Officer (DPO): Appoint a Data Protection Officer that oversees data protection
practice within the organization.



Technical measures
Mandatory security measures

Ensuring the reliability of your information systems is essential and this can be achieved by
implementing mandatory security measures from the UU PDP, which include:

Protect equipment: Safeguarding hardware, software, communication channels, paper documents
and other facilities where data is stored or accessed.

Secure workstations: Implement automatic session lockout after inactivity, install a firewall
and updated antivirus, and encourage storing data on network-backed storage with
synchronization options.

Consent management systems: Centralized consent management in one database to improve
fulfilment of data subject rights.

RoPA and DPIA: Conduct a DPIA for high-risk processing activities and maintain a RoPA.

Data encryption & minimization: Encrypt personal data both at rest and in transit. Collect and
retain only necessary personal data.

Regular testing: Evaluation of the effectiveness of technical and organizational measures for
ensuring the security of the processing should be conducted.

Access and authorization: Users can access only the data they are authorized to use; enforce
strong passwords, RBAC assessment, review and update access permissions (particularly
administrator rights), avoid shared accounts, and apply encryption and pseudonymization.

Physical security: Control access by distinguishing building areas by risk, ensure that only
authorized personnel enter restricted zones, and manage visitor access.
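The access-and-authorization and encryption/pseudonymization measures above can be combined in one small access layer. The Python example below is added here and is not code from the whitepaper or from any Microsoft product: records are pseudonymized with a keyed HMAC so that analysts can count and join without ever seeing the national ID number (NIK), every read goes through a role check that returns only the fields that role may see, shared accounts are refused, and each access is written to an audit list. The roles, field lists, key and sample records are constructed for the demonstration.

```python
"""Role-based access with pseudonymized identifiers (added example).

Two of the technical measures listed above working together: a keyed hash
replaces the NIK in every view, and each role sees only its authorized fields.
Roles, fields, key and records are constructed; nothing here is product code.
"""
import hashlib
import hmac
from typing import Dict, List

# In production this key lives in a secrets manager (e.g. a key vault),
# is never committed to source control, and is rotated. Constructed value.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Fields each role may see. The raw "nik" is never in any list, so it never
# leaves the store; only the pseudonym does. Constructed role model.
ROLE_FIELDS: Dict[str, List[str]] = {
    "customer_service": ["name", "email", "phone"],
    "analyst": ["city"],
    "dpo": ["name", "email", "phone", "city"],
}

# Account names that indicate a shared or generic account rather than a person.
SHARED_ACCOUNT_NAMES = {"admin", "shared", "root", "service"}

# Constructed sample records; the NIK values are fake 16-digit strings.
RECORDS = [
    {"nik": "3171011234560001", "name": "Ayu", "email": "ayu@example.invalid",
     "phone": "+62-811-000-0001", "city": "Jakarta"},
    {"nik": "3273021234560002", "name": "Budi", "email": "budi@example.invalid",
     "phone": "+62-812-000-0002", "city": "Bandung"},
]


def pseudonymize(nik: str) -> str:
    """Deterministic keyed hash: same NIK -> same pseudonym; not reversible
    without the key, so analysts can join on it but cannot recover the NIK."""
    return hmac.new(PSEUDONYM_KEY, nik.encode(), hashlib.sha256).hexdigest()[:16]


class AccessDenied(Exception):
    pass


def read_records(user: str, role: str, audit: List[str]) -> List[dict]:
    """Return records minimized to what `role` may see; log every decision."""
    if user.lower() in SHARED_ACCOUNT_NAMES:
        audit.append(f"DENY user={user} reason=shared-account")
        raise AccessDenied("shared accounts are not permitted; use a named account")
    if role not in ROLE_FIELDS:
        audit.append(f"DENY user={user} role={role} reason=unknown-role")
        raise AccessDenied(f"unknown role {role!r}")
    allowed = ROLE_FIELDS[role]
    views = []
    for rec in RECORDS:
        view = {"pseudonym": pseudonymize(rec["nik"])}
        for name in allowed:
            view[name] = rec[name]
        views.append(view)
    audit.append(f"ALLOW user={user} role={role} fields={','.join(allowed)} count={len(views)}")
    return views


if __name__ == "__main__":
    log: List[str] = []
    for row in read_records("ayu.analyst", "analyst", log):
        print(row)
    print("\n".join(log))
```

Because `pseudonymize` is keyed, the same NIK maps to the same pseudonym across datasets held by one controller, which preserves the ability to honour a data subject's access or erasure request; an unkeyed hash of a 16-digit number would be trivially reversible by enumeration and would not count as a meaningful safeguard.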



Data Protection Officer-as-a-Service (DPOaaS)
Based on Article 53 of Indonesia’s Personal Data Protection Law, data controllers and data
processors are required to appoint an officer or staff member to carry out the personal
data protection function. This person must be appointed based on professionalism,
knowledge of the law, practices in personal data protection, and the ability to fulfil their duties.
The officer or staff member performing the personal data protection function may come from
within and/or outside the data controller or data processor (DPO as a Service).

DPO Roles and Responsibilities

1. Informing and advising the data controller or data processor to comply with the provisions
of this law.
2. Monitoring and ensuring compliance with this Law and the policies of the data controller or
data processor.
3. Advising on personal data protection impact assessments and monitoring the performance of
the data controller and data processor.
4. Coordinating and acting as a contact person for issues related to the processing of personal
data.

Under Indonesia’s Personal Data Protection Law (UU PDP), failing to appoint a Data Protection
Officer (DPO) can lead to:

• Legal penalties: Organizations may face fines up to IDR 10 billion or 2% of annual revenue,
whichever is higher, for non-compliance.
• Increased risk of data breaches: Without a DPO, there's a higher risk of mishandling personal
data and data breaches.
• Reputational damage: Lack of a DPO can damage trust and harm the organization’s public image.
• Operational inefficiencies: Organizations may experience poor management of data protection
practices and compliance gaps.

DPO-as-a-Service, a flexible, cost-effective solution for data protection obligations delivered
through externally hired subject-matter experts, enables organizations to focus on their core
business while ensuring compliance.

Comparison of appointing an in-house DPO vs. a virtual DPO

Cost
× In-house: Larger upfront investment related to staffing costs and maintenance.
✓ Virtual: Cost-effective TCO through flexible pricing scheme.

Risk
× In-house: Dependent on a single individual.
✓ Virtual: Broad expertise.

Complexity
× In-house: More complex due to employment and integration within the company.
✓ Virtual: Simplified management but requires effective remote coordination.

Time
× In-house: Longer recruitment and onboarding process.
✓ Virtual: Quicker setup and implementation.


Privacy Enhancing Tools (PET) with Microsoft

In the context of Indonesia's evolving data protection landscape, the UU PDP sets forth a
framework for safeguarding personal data, emphasizing the importance of consent, data
subject rights, and the secure processing of personal data. To align with such regulations,
organizations must implement robust security measures that can prevent unauthorized
access and data breaches while ensuring compliance with legal standards.

It is imperative to implement the baseline and foundational security requirements, as these are
fundamental to any technology initiatives. These include robust authentication measures, such
as:

1. Multi-Factor Authentication (MFA), which significantly bolsters security by requiring
multiple verification steps.
2. Conditional access policies are equally vital, ensuring that access rights are dynamically
tailored based on user context and behaviour.
3. Identity protection mechanisms, which safeguard user credentials and prevent
unauthorized access, form the bedrock of secure operations.
4. Furthermore, advanced email security protocols are crucial in defending against
sophisticated phishing and malware attacks.
5. Endpoint security solutions, which monitor and protect devices accessing the network,
are indispensable for maintaining a secure environment.

All these measures should align with a Zero Trust Framework, a global standard that
advocates for continuous verification and stringent access controls to minimize security risks.
Incorporating these foundational elements creates a secure infrastructure, paving the way for
the successful implementation of Privacy Enhancing Tools.

Privacy Enhancing Tools empower organizations to adeptly steer through the intricate
regulatory landscape, harnessing cutting-edge technological advancements to bolster the
protection of personal data. These tools are instrumental in supporting compliance with
stringent data protection laws, providing sophisticated mechanisms that safeguard sensitive
information against unauthorized access and potential breaches, thereby fostering a secure
and trustworthy data management ecosystem.

The journey towards robust personal data protection begins with a comprehensive
understanding of what data is being collected, how it is collected, how it is processed, where
it is stored, and for how long it is retained. This holistic approach encompasses the entire data
lifecycle, ensuring that each phase is meticulously managed.



High level PET building block

To accomplish this, it’s recommended that a compliance process is implemented at every stage
of the data lifecycle:

1. Discover: Identify all data elements within the organization to understand their nature and
source. This phase involves mapping out data flows and inventories to ensure a complete
picture of data handling practices.
2. Classify: Once discovered, data must be labelled and categorized based on sensitivity and
regulatory requirements. Techniques such as regular expressions (regex), predefined
dictionaries, and other advanced methods can automate this process, applying labels
across various contexts across M365 apps (Word, Excel, PowerPoint, SharePoint, OneDrive),
including PDFs. The scope can further extend to multi-cloud environments and even data
stored in databases.
3. Protect: Implement security measures to safeguard data, including Data Loss Prevention
(DLP) systems, endpoint protection, and encryption. Labelling information plays a crucial
role in these systems, enhancing their effectiveness and ensuring compliance with data
protection regulations.
4. Monitor: Continuously oversee data usage and access to detect anomalies and potential
breaches. This includes monitoring insider risk, managing compliance, and making
informed decisions based on real-time data insights.

By following this cycle, organizations can establish a robust framework for protecting personal
data, taking a step towards ensuring compliance, and maintaining a secure data management
ecosystem.
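The Classify step above names regular expressions and predefined dictionaries as the mechanism; the Python example below (added here, not the whitepaper's or Microsoft Purview's code) runs the full Discover, Classify, Protect, Monitor cycle over a constructed set of documents. It detects the NIK (Indonesia's 16-digit national identity number), e-mail addresses and Indonesian mobile numbers with regular expressions, uses a small keyword dictionary to escalate a document to the specific-personal-data label, applies a DLP-style block/allow decision per label and destination, and records one monitoring event per document. The patterns, label names, sensitive-term list and sample documents are all constructed.

```python
"""Discover -> Classify -> Protect -> Monitor over a document set (added example).

Regex detectors plus a term dictionary label each document; the Protect step
blocks labelled data from leaving to an external destination; the Monitor step
records an event per document. Patterns, labels and samples are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed detectors. The NIK pattern checks only the 16-digit shape, not
# the number's internal structure, so it will also flag other 16-digit runs.
PATTERNS = {
    "nik": re.compile(r"(?<!\d)\d{16}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_id": re.compile(r"(?<!\d)(?:\+62|0)8\d{2}[-\s]?\d{3,4}[-\s]?\d{3,4}(?!\d)"),
}

# Dictionary of terms whose presence indicates specific (sensitive) personal
# data such as health or religion. Constructed, bilingual (id/en).
SENSITIVE_TERMS = {"diagnosis", "rekam medis", "medical record",
                   "biometric", "agama", "religion"}

# Labels from least to most restrictive (constructed names).
LABELS = ["Public", "Personal", "Specific Personal"]

# Constructed sample documents; all identifiers are fake.
SAMPLE_DOCS = {
    "newsletter.txt": "Our store opens at 09:00 every day. Visit us in Jakarta.",
    "customer_list.csv": "Ayu,ayu@example.invalid,0812-3456-7890,3171011234560001",
    "clinic_note.txt": "Patient NIK 3273021234560002, diagnosis recorded in rekam medis.",
}


def classify(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (label, hits); hits counts matches per detector."""
    hits = {name: len(pattern.findall(text)) for name, pattern in PATTERNS.items()}
    lowered = text.lower()
    hits["sensitive_terms"] = sum(1 for term in SENSITIVE_TERMS if term in lowered)
    if hits["sensitive_terms"]:
        return "Specific Personal", hits
    if any(hits[name] for name in PATTERNS):
        return "Personal", hits
    return "Public", hits


def protect(label: str, destination: str) -> str:
    """DLP-style decision: labelled personal data may not go to an external destination."""
    if label == "Public":
        return "allow"
    return "block" if destination == "external" else "allow"


def run_pipeline(docs: Dict[str, str], destination: str) -> List[dict]:
    """Discover (iterate the inventory), classify, protect, and emit a monitor event."""
    events = []
    for name, text in docs.items():
        label, hits = classify(text)
        events.append({
            "document": name,
            "label": label,
            "hits": hits,
            "destination": destination,
            "decision": protect(label, destination),
        })
    return events


if __name__ == "__main__":
    for event in run_pipeline(SAMPLE_DOCS, "external"):
        print(event["document"], event["label"], event["decision"], event["hits"])
```

The NIK detector is deliberately shape-only; a production classifier would add confidence scoring (for example, requiring a nearby keyword such as "NIK" or a matching column header) to cut false positives on other 16-digit numbers, which is what the whitepaper's "other advanced methods" refers to.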



Proposed approach to Privacy Enhancing Tool (PET) use in different aspects of personal
data protection

1. Access: Securing access for any identity, to anyone or any resource, anywhere.
2. Data: Prevent data from unauthorized use across apps, services, and devices.
3. Device: Transform the delivery of device management and security services, using tools and
processes that users are already familiar with.
4. Threat: Monitoring the threat landscape for emerging vulnerabilities and attacks targeting
personal data.

Privacy management: Elevate privacy posture, keep customer data private, and streamline
compliance processes.



Proposed integration of Privacy Enhancing Tool (PET) within the personal data lifecycle

1. Acquire
• Customer consent
• Privacy notice
• Consent must be explicit and clear
• EULA needs to be transparent and updated whenever there are changes in how the PII data is
being managed
• Specific data privacy for children and people with disabilities

Supporting Tools: Microsoft Entra and Priva can be used to manage consent, provide privacy
notices, and effectively protect and update personal data.

2. Use
• Data accuracy, consistency and completeness must be ensured
• Data subject has the right to maintain their data (update and correction of personal data
must be enabled)
• Implement encryption and/or data masking

Supporting Tools: Microsoft Purview, Microsoft Entra, and Microsoft Intune can be used to
support compliance with these requirements.

3. Process
• DPIA must be applied in High-Risk Data Processing Activity
• Personal data subjects have the right to obtain access and copies of personal data about
themselves
• Respect processing according to data subject rights, including the right to stop, delay, and
limit processing

Supporting Tools: Microsoft Priva.

4. Store and/or Retention
• RoPA: collecting change logs, affected processes and audit trail
• Data restriction
• Implement data retention policy and data portability
• Breach notification must be done within 3x24 hours
• Implement encryption and/or data masking

Supporting Tools: Microsoft Priva, Purview, Entra, Intune, Sentinel and Defender.

5. Disclosure
• Data subjects have the right to access and transfer their data
• Compliance with cross-border transfer restrictions
• Security for data transfer must be ensured and extended to 3rd party partners
• Corporate actions: if there are any, transfer of all personal data must be notified to the
data subject within 3x24 hours.
• Third-Party Contract Management

Supporting Tools: Microsoft Priva.

6. Destruction (Soft & Hard Delete)
• Data subject has the right to withdraw consent and the right to erasure.

Microsoft Priva can be used to support compliance with this requirement.
Soft-delete marks data as inactive without physically removing it, allowing for potential recovery,
while hard-delete permanently erases data from the system with no option for restoration.
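The soft-delete versus hard-delete distinction and the retention policy from the Store stage can be shown in one small store. The Python example below is added here and is not code from the whitepaper or from Microsoft Priva: an erasure request or consent withdrawal soft-deletes the record (invisible to normal reads but recoverable), a retention job hard-deletes soft-deleted records once their grace period has expired, an explicit hard delete removes the record with no recovery, and the audit trail keeps the action without the personal data. The record shape, the 30-day grace period and the sample data are constructed.

```python
"""Soft delete, hard delete and retention for personal data (added example).

Destruction stage of the lifecycle above: soft-delete marks a record inactive
but recoverable; a retention job hard-deletes expired soft-deleted records;
the audit trail records actions, never the personal data itself.
Record shape, grace period and samples are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DAY = timedelta(days=1)
RECOVERY_GRACE = 30 * DAY  # how long a soft-deleted record stays recoverable (constructed)
T0 = datetime(2024, 9, 1, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    deleted_at: Optional[datetime] = None  # None = active; set = soft-deleted

    @property
    def active(self) -> bool:
        return self.deleted_at is None


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        # (time, action, subject_id, reason): no personal data is kept here.
        self.audit: List[Tuple[datetime, str, str, str]] = []

    def put(self, subject_id: str, data: Dict[str, str]) -> None:
        self._records[subject_id] = Record(subject_id, dict(data))

    def get(self, subject_id: str) -> Optional[Dict[str, str]]:
        """Normal reads see active records only; soft-deleted data is invisible."""
        rec = self._records.get(subject_id)
        return dict(rec.data) if rec and rec.active else None

    def exists(self, subject_id: str) -> bool:
        """True while the record is physically present (active or soft-deleted)."""
        return subject_id in self._records

    def soft_delete(self, subject_id: str, now: datetime, reason: str) -> None:
        self._records[subject_id].deleted_at = now
        self.audit.append((now, "soft_delete", subject_id, reason))

    def restore(self, subject_id: str, now: datetime) -> bool:
        """Undo a soft delete; impossible once the record has been hard-deleted."""
        rec = self._records.get(subject_id)
        if rec is None or rec.active:
            return False
        rec.deleted_at = None
        self.audit.append((now, "restore", subject_id, ""))
        return True

    def hard_delete(self, subject_id: str, now: datetime, reason: str) -> None:
        """Permanent removal; only the audit entry survives."""
        self._records.pop(subject_id, None)
        self.audit.append((now, "hard_delete", subject_id, reason))

    def erase_on_request(self, subject_id: str, now: datetime) -> None:
        """Right to erasure / consent withdrawal: soft-delete now, purge after the grace period."""
        self.soft_delete(subject_id, now, "erasure request")

    def apply_retention(self, now: datetime) -> int:
        """Hard-delete every soft-deleted record whose grace period has expired."""
        expired = [r.subject_id for r in self._records.values()
                   if not r.active and now - r.deleted_at >= RECOVERY_GRACE]
        for subject_id in expired:
            self.hard_delete(subject_id, now, "retention policy")
        return len(expired)


def demo() -> dict:
    """Walk one record through erasure and retention; returns observations."""
    store = PersonalDataStore()
    store.put("subj-1", {"name": "Ayu", "email": "ayu@example.invalid"})
    store.put("subj-2", {"name": "Budi", "email": "budi@example.invalid"})
    store.erase_on_request("subj-1", T0)
    return {
        "visible_after_soft": store.get("subj-1"),          # None: hidden from reads
        "still_stored": store.exists("subj-1"),             # True: recoverable
        "purged_early": store.apply_retention(T0 + 10 * DAY),   # 0: grace not expired
        "purged_late": store.apply_retention(T0 + 31 * DAY),    # 1: hard-deleted
        "gone": store.exists("subj-1"),                     # False
        "other_intact": store.get("subj-2"),
        "audit_actions": [entry[1] for entry in store.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A retention job of this shape is what turns "the data subject has the right to erasure" into a verifiable control: the audit trail shows when the request was honoured and when the data physically left the system, without itself becoming a copy of the personal data.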



Microsoft compliance as data processor & supporting customer
as data controller under UU PDP
Microsoft offers a suite of technologies that can assist organizations in fulfilling their roles as
data controllers and data processors under Indonesia’s Personal Data Protection Law. These
technologies include Entra, Intune, Purview, Priva, Defender XDR, and Sentinel, each providing
critical features to support proper security controls throughout the entire data lifecycle
(acquisition, use, processing, storage, disclosure, and destruction).

In addition to M365 security solutions, integrating Azure Security services within the broader
Microsoft Zero Trust framework significantly enhances the protection of organizational assets.
Key Azure Security offerings include Azure Firewall, DDoS Protection, Azure Key Vault, Azure
Bastion, Azure Lighthouse, Azure Backup, Azure Virtual Desktop, and Windows 365. By
leveraging these comprehensive tools, organizations can fortify their security posture, ensuring
robust defense mechanisms are in place to safeguard data and systems against various threats.

Combining M365 security capabilities with Azure Security tools provides a cohesive and
fortified security environment. This integrated approach helps ensure that data is not only
protected during its lifecycle within M365 apps but also across cloud infrastructures, thereby
strengthening the overall resilience and compliance of the organization.

The following outlines the high-level steps of implementation, technical architecture, features
that can be leveraged, and the expected outcomes of using these Microsoft solutions to meet
UU PDP requirements and help your organization streamline the process with a consistent
and integrated solution.

High-level steps of implementation

a) Compliance as data processor


As a trusted technology partner, Microsoft has consistently demonstrated its commitment
to privacy and data protection. By adhering to stringent privacy regulations, Microsoft
ensures that customer data is handled with the utmost care and transparency.

Microsoft collects data through user interactions and product usage, always prioritizing
user consent and control. Customers have the ability to manage their personal data
through various tools and settings, allowing them to make informed choices about what
data they share.

In terms of data sharing, Microsoft only shares personal data with user consent, to
complete transactions, or to provide requested services. This data may also be shared with
affiliates, vendors, and as required by law, ensuring that all data transfers are secure and
compliant with legal obligations.

To protect user data, Microsoft employs both automated and manual processing methods,
maintaining high standards of security and compliance. This dual approach helps ensure
that data is processed accurately and securely, supporting efforts to meet regulatory
requirements.

Key points on how Microsoft fulfills its responsibilities as a data processor to comply with
privacy regulations:

• Data collection and use: Microsoft collects data through interactions and product
usage to provide and improve services. Users have choices about the data they share
and can control their personal data through various tools.
• Data sharing: Personal data is shared with consent, to complete transactions, or to
provide requested products. Data may also be shared with affiliates, vendors, and as
required by law.
• Data protection: Microsoft uses both automated and manual methods to process
data, ensuring security and compliance with legal obligations.
• User control: Users can access and control their data, with limitations based on
applicable laws and product usage. Tools and settings are provided for managing data
collection and usage preferences.

b) Supporting customer as data controller


Microsoft provides comprehensive and robust solutions tailored to help our customers
comply with Indonesia’s PDP Law requirements. Implementing our advanced security
solutions can help you ensure the protection of personal data at each stage of the data
lifecycle. Our solutions are designed to seamlessly integrate with your existing
infrastructure, offering unparalleled data protection and compliance assurance.

1. Identity verification and management


• Implement identity verification mechanisms to authenticate your internal and
external users using Microsoft Entra.
• Multiple options for MFA (multi-factor authentication) to add an additional layer of
authentication.
• Establish identity governance policies to manage and monitor user identities
effectively.



2. Access control
• Using Entra Enterprise Application, integrate SaaS or your own line-of-business
applications with Entra ID to centralize policy enforcement and monitoring.
• Implement risk-based conditional access policies to continuously evaluate access
based on threat intelligence, device compliance and user risk levels.

3. Data classification and protection


• Utilize Microsoft Purview to discover, classify, and protect sensitive information
across the data estate.
• Implement Purview’s DLP (Data Loss Prevention) policies to minimize the possibility
of unauthorized sharing and leakage of sensitive information.

4. Privacy management and risk mitigation


• Leverage Microsoft Priva for subject rights request, privacy risk management for
policy enforcement, consent management (preview), tracker scanning (preview),
and privacy assessments (preview).
• Automate privacy operations to continuously support compliance with data privacy
regulations.

5. Threat detection and response


• Deploy Microsoft Defender for Endpoint or Microsoft Defender for Servers to
detect and mitigate malware attacks.
• Deploy Microsoft Sentinel for advanced security analytics and threat intelligence.
• Utilize Microsoft Defender XDR to provide broad visibility and enhanced security
events correlation to provide better defenses against incidents like data breaches.

6. Data lifecycle management


• Ensure proper security controls are in place for data acquisition, use, processing,
storage, disclosure, and destruction.
• Implement continuous monitoring and auditing to track compliance and identify
potential vulnerabilities.
• Use Microsoft Purview Data Lifecycle Management to manage lifecycle and
disposition of information and records in Microsoft 365.



Technical architecture considerations
The government will review whether institutions that experienced a data breach had initially
implemented security measures as a best effort to protect personal data. This will be one
consideration in determining whether an institution is a victim or guilty of negligence,
depending on their privacy control efforts. Therefore, implementing comprehensive security
and privacy measures based on a zero-trust approach is a key element in helping ensure your
organization has the right security posture.

The technical architecture for implementing these solutions involves integrating Microsoft
technologies into a cohesive security framework.



The architecture includes:

Microsoft Entra for identity and access management, providing secure authentication and authorization services.
Microsoft Entra family provides comprehensive identity and access management solutions, ensuring that only
authorized users have access to sensitive data. It supports multi-factor authentication, conditional access policies,
and identity protection, which are crucial for compliance with privacy regulations. These features help organizations
enforce strict access controls and monitor user activities to prevent unauthorized data access.

Learn more: https://learn.microsoft.com/en-us/entra/

Microsoft Intune for device and application management, supporting compliance with security policies and
regulations. Microsoft Intune family provides unified endpoint management, ensuring that PII data is secure on all
devices. It allows organizations to enforce security policies, manage device compliance, and protect data through
encryption and remote wipe capabilities.

Learn more: https://learn.microsoft.com/en-us/mem/intune/

Microsoft Purview offers robust data governance and compliance capabilities. It enables organizations to discover,
classify, and protect sensitive information across their data estate. With features like data loss prevention (DLP),
information protection, and compliance management, Purview helps organizations meet the stringent data handling
and protection requirements outlined in the UU PDP.

Learn more: https://learn.microsoft.com/en-us/purview/

Microsoft Priva for privacy management, automating privacy operations and supporting compliance with data
protection regulations. Microsoft Priva family of solutions supports privacy operations across entire data landscapes,
providing quick and cost-effective paths to meet privacy regulations and avoid non-compliance risks. With Microsoft
Priva, organizations can automate the management, definition, and tracking of privacy procedures at scale, and help
ensure that personal data remains private, secure, and compliant.

Learn more: https://learn.microsoft.com/en-us/privacy/priva/

Microsoft Sentinel for security information and event management (SIEM) and security orchestration, automation,
and response (SOAR). Microsoft Sentinel is a cloud-based Security Information and Event Management (SIEM) and
Security Orchestration, Automation and Response (SOAR) solution. It delivers advanced security analytics and threat
intelligence for the entire enterprise. Sentinel aids organizations in identifying, analyzing, and addressing security
incidents, thereby safeguarding personal data and supporting regulatory compliance. Combined with Microsoft
Defender XDR, our defenses against incidents like data breaches are enhanced.

Learn more: https://learn.microsoft.com/en-us/azure/sentinel/

Microsoft Defender XDR for extended detection and response, providing comprehensive threat protection across
the enterprise. Microsoft Defender XDR unifies security measures across endpoints, networks, and cloud
environments. It delivers extensive capabilities for threat detection, investigation, and response. By adopting this
integrated security approach, Defender XDR aids organizations in identifying and mitigating privacy breaches.
Additionally, if an incident involves PII data, it assists organizations in meeting the Data Controller’s obligation to
report incidents more swiftly and comprehensively.

Learn more: https://learn.microsoft.com/en-us/defender-xdr/



Azure Firewall is a cloud-native and intelligent network firewall security service that provides threat protection for
your cloud workloads running in Azure. With built-in high availability and unrestricted cloud scalability, it allows
organizations to centrally create, enforce, and log application and network connectivity policies across subscriptions
and virtual networks. Leveraging Azure Firewall can help organizations ensure that personal identifiable information
(PII) and other sensitive data are protected from unauthorized access and comply with data protection regulations.

Learn more: https://learn.microsoft.com/en-us/azure/firewall/

Azure DDoS Protection safeguards your applications from Distributed Denial-of-Service (DDoS) attacks with
always-on monitoring and automatic network attack mitigation. It provides protection at both the network and
application layers, thus ensuring the availability and reliability of your services. This protection is crucial for ensuring
that PII data is not compromised during an attack and helping organizations remain compliant with privacy
regulations.

Learn more: https://learn.microsoft.com/en-us/azure/ddos-protection/

Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. It
streamlines the key management process and enables secure key storage backed by hardware security modules
(HSMs). Managing and controlling access to encryption keys can help organizations ensure that sensitive data,
including PII, is adequately protected and remains compliant with privacy regulations.

Learn more: https://learn.microsoft.com/en-us/azure/key-vault/

Azure Bastion provides secure and seamless RDP and SSH connectivity to your virtual machines directly from the
Azure portal, without exposing them to the public internet. This service enhances security by protecting PII data from
potential breaches and supporting compliance with data protection regulations through secure access controls.

Learn more: https://learn.microsoft.com/en-us/azure/bastion/

Azure Arc provides a comprehensive solution for managing and securing your on-premises and multicloud
resources, supporting adherence to privacy regulations. By extending Azure management capabilities to any
infrastructure, Azure Arc enables consistent policy enforcement, secure access, and robust compliance through
integrated security features. It supports role-based access control (RBAC) and encryption to protect sensitive data,
while also providing visibility and audit capabilities to monitor access and support compliance with data protection
standards.

Learn more: https://learn.microsoft.com/en-us/azure/azure-arc/

Azure Lighthouse enables managed service providers (MSPs) to manage customer resources and subscriptions at
scale with higher automation and efficiency. It offers secure multi-tenant management capabilities that help
organizations enhance data privacy and compliance by ensuring that access to sensitive information is tightly
controlled and monitored.

Learn more: https://learn.microsoft.com/en-us/azure/lighthouse/



Azure Backup provides a simple, secure, and cost-effective solution for backing up your data to the Microsoft Azure
cloud. It helps ensure that data, including PII, is encrypted in transit and at rest, helping organizations comply with
data protection regulations. Azure Backup's features, such as recovery points and role-based access, support robust
data protection and privacy management.

Learn more: https://learn.microsoft.com/en-us/azure/backup/

Azure Virtual Desktop enables a secure, scalable, and versatile remote desktop experience that is optimized for
Microsoft 365 applications. It helps user data and applications stay protected and supports compliance with privacy
regulations by leveraging secure access, multi-factor authentication (MFA), and data encryption.

Learn more: https://learn.microsoft.com/en-us/azure/virtual-desktop/

Windows 365 is a cloud service that securely streams your personalized Windows experience from the Microsoft
cloud to any device. It enhances data privacy and compliance by providing secure access to applications and data,
implementing robust security policies, and supporting compliance with data protection regulations through
encryption and access controls.

Learn more: https://learn.microsoft.com/en-us/windows-365/

Features that can be leveraged


a) Microsoft Entra (identity and access management)

• Verified ID ensures your Electronic Know Your Customer (e-KYC) robustness to
minimize KYC-related attacks such as impersonation or fraud.
• External identities allow external identities to securely access your apps and resources.
Whether you’re working with external partners, consumers, or business customers, users
can bring their own identities. These identities can range from corporate or
government-issued accounts to social identity providers like Google or Facebook.
• Single Sign-On (SSO) means a user doesn't have to sign in to every application they
use. With SSO, users can access all needed applications without being required to
authenticate using different credentials. Many applications already exist in Microsoft
Entra ID that you can use with SSO. You have several options for SSO depending on the
needs of the application and how it's implemented.



• Identity federation. Cloud applications can use federation-based options, such as
OpenID Connect, OAuth, and SAML.
• Multi-Factor Authentication (MFA) requires a second factor beyond the password, so a
stolen or guessed password alone does not grant access to sensitive data.
• Identity protection enforces access controls based on risk level and ensures
appropriate access rights, supporting compliance with data protection regulations.
• Entra Enterprise Application integrates identities with SaaS or line-of-business
applications, consistently applying data protection measures and simplifying identity
management.
• Identity governance helps organizations address these four key questions, for access
across services and applications both on-premises and in clouds:
1) Which users should have access to which resources?
2) What are those users doing with that access?
3) Are there organizational controls in place for managing access?
4) Can auditors verify that the controls are working effectively?
• Permission management detects, automatically right-sizes, and continuously monitors
unused and excessive permissions across your organizations to avoid over-privileged
workload and user identities, actions, and resources across multicloud infrastructures in
Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
• Internet access provides an identity-centric Secure Web Gateway (SWG) solution for
Software as a Service (SaaS) applications and other Internet traffic. It protects users,
devices, and data from the Internet's wide threat landscape with best-in-class security
controls and visibility through Traffic Logs.
• Private access provides a quick and easy way to replace your VPN and allow secure
access to your internal resources with a one-time configuration, using the secure
capabilities of Conditional Access. Microsoft Entra Private Access lets you specify the
fully qualified domain names (FQDNs) and IP addresses that you consider private or
internal, so you can manage how your organization accesses them. With Private Access,
you can modernize how your organization's users reach private apps and resources.
Remote workers don't need a VPN to access these resources if they have the Global
Secure Access Client installed; the client quietly and seamlessly connects them to the
resources they need.

b) Microsoft Intune (unified endpoint management)

• Manage users and devices owned by your organization and devices owned by your
end users. Microsoft Intune supports Android, Android Open Source Project (AOSP),
iOS/iPadOS, Linux Ubuntu Desktop, macOS, and Windows client devices. With Intune,
you can use these devices to securely access organization resources with policies you
create.
• Automate policy deployment. As a Zero Trust building block, centralized device policy
management in Intune is easy to maintain: you deploy policies to your user groups and
device groups, and devices only need internet access to receive them.
• Integrate with mobile threat defense. Intune integrates with Microsoft Defender for
Endpoint and third-party partner services. With these services, the focus is on endpoint
security. You can create policies that respond to threats, do real-time risk analysis, and
automate remediation.
• Use Microsoft Copilot in Intune for AI-generated analysis. Copilot can summarize
existing policies, give you more setting information, including recommended values and
potential conflicts. You can also get device details and troubleshoot a device.

c) Microsoft Purview (data security and governance)
i) Data security

• Information protection helps you discover, classify, and protect sensitive
information wherever it lives or travels.
• Data Loss Prevention helps protect sensitive data and reduce the risk from
oversharing: organizations need a way to prevent their users from inappropriately
sharing sensitive data with people who shouldn't have it.
• Insider Risk Management correlates various signals to identify potential malicious
or inadvertent insider risks, such as IP theft, data leakage and security violations.
Insider risk management empowers customers to create policies to manage security
and compliance. Built with privacy by design, users are pseudonymized by default,
and role-based access controls and audit logs are in place to help ensure user-level
privacy.
• Information barriers restrict communication and collaboration between certain
people inside your organization to safeguard internal information.
• Encryption covers data at rest (files uploaded to a SharePoint library, Project Online
data, documents shared in a Teams meeting, email messages and attachments saved in
mailbox folders, and files stored in OneDrive for Business) and data in transit (mail
messages being delivered and conversations during an online meeting). In Microsoft
365, data is considered in transit whenever a user's device communicates with a
Microsoft server or one Microsoft server communicates with another server.
• Compliance Manager helps customers adhere to the legal standards and internal
policies aligned with the regulatory requirements. It helps customers track the
compliance progress, identifies risks, and offers guidance for improvement based
on the customer’s unique requirements.
• AI Hub gives visibility into how generative AI applications are used across the
organization, including sensitive information appearing in prompts and responses, so
that Purview protection and compliance policies can be applied to AI interactions as
they are to other data.

• Communication compliance provides the tools to help organizations detect
regulatory compliance (for example, SEC or FINRA) and business conduct violations
such as sensitive or confidential information, harassing or threatening language,
and sharing of adult content. Built with privacy by design, usernames are
pseudonymized by default, role-based access controls are built in, investigators are
opted in by an admin, and audit logs are in place to help ensure user-level privacy.
• Electronic discovery, or eDiscovery, is the process of identifying and delivering
electronic information that can be used as evidence in legal cases. You can use
eDiscovery tools in Microsoft Purview to search for content in Exchange Online,
OneDrive for Business, SharePoint Online, Microsoft Teams, Microsoft 365 Groups,
and Viva Engage teams. You can search mailboxes and sites in the same eDiscovery
search, and then export the search results. You can use Microsoft Purview eDiscovery
(Standard) cases to identify, hold, and export content found in mailboxes and sites.

ii) Data governance

• Data catalog lets you explore and understand your data organized by business domain,
search with an AI-powered copilot, and subscribe to data products that come with the data
you need and the tools to access it safely. The catalog builds on an inventory of all your
data assets, their metadata, and their lineage so you can understand the topography of your
data estate, and it connects with other data processing, storage, and analytics systems to
extract lineage information, which is combined into a scenario-specific lineage view in the
catalog.
• Data map provides automated classification while you scan your data sources. You get
more than 200 built-in system classifications and the ability to create custom
classifications for your data. Assets can be classified automatically when they're ingested
as part of a configured scan, or edited manually in the Microsoft Purview governance
portal after they're scanned and ingested.

d) Microsoft Priva (privacy compliance)

• Privacy assessments (Preview) automates the discovery, documentation, and
evaluation of personal data use across your digital estate. It is easy to customize and
add your own privacy rules, which automatically identify changes in data processing and
maintain an accurate record in support of compliance efforts.
• Privacy risk management helps organizations set up policies to identify and remediate
privacy risks, detect overexposed personal data, secure it, limit transfers across
departments or regions, and reduce the amount of personal data stored.
• Tracker scanning (Preview) automates website privacy compliance monitoring and
tracker management.
• Consent management (Preview) streamlines and optimizes consent management at
scale across hybrid environments, helping organizations comply with data privacy laws
and regulations.
• Subject rights requests automates the management and fulfillment of subject rights
requests for data to be accessed, deleted, and exported, helping to streamline
compliance adherence.

e) Microsoft Sentinel (Security Information and Event Management and Security Orchestration,
Automation and Response)

• Monitor and visualize data to help reduce noise and minimize the number of alerts
you need to review and investigate; Microsoft Sentinel uses a fusion technique to
correlate alerts into incidents. Incidents are actionable groups of related alerts for you
to investigate and resolve.
• Visibility into Threat Intelligence using Microsoft Sentinel by enabling data
connectors to various TI platforms and feeds. For SIEM solutions like Microsoft Sentinel,
the most common forms of CTI are threat indicators, also known as Indicators of
Compromise (IoC) or Indicators of Attack (IoA). Threat indicators are data that associate
observed artifacts such as URLs, file hashes, or IP addresses with known threat activity
such as phishing, botnets, or malware. This form of threat intelligence is often called
tactical threat intelligence because it's applied to security products and automation in
large scale to detect potential threats to an organization and protect against them. Use
threat indicators in Microsoft Sentinel, to detect malicious activity observed in your
environment and provide context to security investigators to inform response decisions.
• Similar incidents widget shows you the most relevant information about incidents
deemed to be similar, including their last updated date and time, last owner, last status
(including, if they are closed, the reason they were closed), and the reason for the
similarity. If anything you’ve seen so far in your incident looks familiar, there may be
good reason. Microsoft Sentinel stays one step ahead of you by showing you the
incidents most similar to the open one.
• User and Entity Behavior Analytics (UEBA) capability in Microsoft Sentinel eliminates
the drudgery from your analysts’ workloads and the uncertainty from their efforts, and
delivers high-fidelity, actionable intelligence, so they can focus on investigation and
remediation. As Microsoft Sentinel collects logs and alerts from all of its connected data
sources, it analyzes them and builds baseline behavioral profiles of your organization’s
entities (such as users, hosts, IP addresses, and applications) across time and peer group
horizon. Using a variety of techniques and machine learning capabilities, Microsoft
Sentinel can then identify anomalous activity and help you determine if an asset has
been compromised.
• Security Orchestration, Automation, and Response (SOAR), to automate any
recurring and predictable enrichment, response, and remediation tasks that are the
responsibility of your security operations center and personnel (SOC/SecOps), freeing
up time and resources for more in-depth investigation of, and hunting for, advanced
threats.
• SOC optimizations give actionable recommendations to help you identify areas
where you can reduce costs without affecting SOC needs or coverage, or where you
can add security controls and data where they are found to be missing. SOC
optimizations are tailored to your environment and based on your current coverage
and threat landscape.

f) Microsoft Defender XDR (Extended Detection and Response)

• Endpoints with Defender for Endpoint - Microsoft Defender for Endpoint is a unified
endpoint platform for preventative protection, post-breach detection, automated
investigation, and response.
• Assets with Defender Vulnerability Management - Microsoft Defender Vulnerability
Management delivers continuous asset visibility, intelligent risk-based assessments, and
built-in remediation tools to help your security and IT teams prioritize and address
critical vulnerabilities and misconfigurations across your organization.
• Email and collaboration with Defender for Office 365 - Defender for Office 365
safeguards your organization against malicious threats posed by email messages, links
(URLs) and collaboration tools.
• Identities with Defender for Identity and Microsoft Entra ID Protection - Microsoft
Defender for Identity is a cloud-based security solution that uses your on-premises
Active Directory signals to identify, detect, and investigate advanced threats,
compromised identities, and malicious insider actions directed at your organization.
Microsoft Entra ID Protection uses the learnings Microsoft acquired from its position
in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts,
and in gaming with Xbox to protect your users.
• Applications with Defender for Cloud Apps - Microsoft Defender for Cloud Apps is a
comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and
enhanced threat protection to your cloud apps.

g) Azure Firewall (next-generation firewall)

• Network traffic filtering - Centralizes policy management and logs all network traffic
flows.
• Threat Intelligence integration - Provides real-time threat intelligence feeds to
protect against known malicious IP addresses and domains.
• Application FQDN filtering - Controls outbound HTTP/S traffic to fully qualified
domain names (FQDNs).
• High availability - Ensures resilience through built-in high-availability and scalability.
• Multiple public IP support - Enables multiple public IP addresses for scalability and
improved security postures.

h) Azure DDoS Protection (DDoS protection)

• Always-on protection - Offers continuous monitoring and automatic mitigation of
DDoS attacks.
• Application layer protection - Safeguards web applications from DDoS attacks
targeting application layer.
• Cost protection - Provides financial protection through DDoS Protection Service Credit.
• Attack analytics - Delivers rich attack metrics and insights for enhanced security
monitoring.
• Integration with Azure Monitor - Provides monitoring capabilities through Azure
Monitor for detailed logging and alerting.

i) Azure Key Vault (key vault)

• Secret management - Securely stores and tightly controls access to tokens, passwords,
certificates, and API keys.
• Key management - Creates and controls encryption keys used to encrypt data.

• Certificate management - Simplifies the process of creating, importing, and managing
certificates.
• Enhanced security - Supports hardware security modules (HSMs) for increased security
of key management operations.
• Compliance - Facilitates meeting compliance requirements with broad auditing and
access control mechanisms.

j) Azure Bastion (bastion host)

• Secure RDP and SSH connectivity - Provides seamless and secure RDP and SSH
connectivity to VMs directly over TLS without exposing public IPs on the VMs.
• Browser-based access - Enables secure access to VMs through the Azure portal using
a web browser.
• Fully managed platform - Simplifies management with a fully managed PaaS service.
• Integration with Microsoft Entra ID - Enhances security by integrating with Microsoft
Entra ID (formerly Azure Active Directory) for user authentication and access control.
• High availability - Offers built-in redundancy to ensure high availability and reliability.

k) Azure Lighthouse (multi-tenant management)

• Multi-tenant management - Provides streamlined management of multiple customer
tenants from a single control plane.
• Delegated resource management - Enables secure delegation of resource
management across different tenants.
• Comprehensive visibility - Offers comprehensive visibility and control over resources
across tenants.
• Enhanced security - Supports secure operations with role-based access control and
auditing features.
• Integration with Azure Services - Integrates with Azure Monitor, Microsoft Defender
for Cloud (formerly Security Center), and other Azure services for a cohesive
management experience.

l) Azure Backup (backup)

• Automated backups - Simplifies backup processes with automated and scheduled
backups.
• Long-term retention - Supports long-term retention of backup data for compliance
and archival purposes.

• Data encryption - Provides encryption for data at rest and in transit to support data
security.
• Geo-redundancy - Offers geo-redundant storage options to protect against regional
outages.
• Centralized management - Centralizes backup management through the Azure portal.

m) Azure Virtual Desktop (virtual desktop)

• Remote Desktop Experience - Delivers a full Windows 10 or Windows 11 desktop
experience remotely.
• Scalable infrastructure - Scales quickly to accommodate a changing number of users.
• Security and compliance - Provides built-in security features and compliance options.
• Cost efficiency - Offers cost savings by using existing licenses and scaling resources
based on user demand.
• Flexible access - Allows access from any device, ensuring flexibility for users.

n) Windows 365 (Windows as a Service)

• Cloud PC experience - Provides a persistent, personalized Windows experience in the
cloud.
• Easy setup - Simplifies setup and management with a user-friendly interface and
automated provisioning.
• Scalable solutions - Scales easily to meet business needs with flexible plans.
• Security and compliance - Provides enterprise-grade security and compliance
features.
• Seamless integration - Integrates seamlessly with Microsoft 365 and other Microsoft
services.

Workload data protection in Azure
Azure services give you flexibility in how you implement data protection with encryption:
Azure Disk Encryption encrypts OS and data disks to protect data at rest, and Azure
confidential computing keeps data encrypted in memory while the VM is running, isolating it
from the host and from other tenants.

For your own application or workload, Azure Key Vault lets you build custom data protection
on top of its cryptographic operations. The following is an example envelope-encryption
workflow using Azure Key Vault and Azure Functions. Plaintext data is sent to the Azure
Function; the function generates a data encryption key (DEK) from a cryptographically secure
random number generator (CSPRNG), encrypts the data with the DEK, and then wraps (encrypts)
the DEK with an asymmetric key held in Key Vault. The ciphertext and the wrapped DEK are then
written to their target store, whether that is Blob storage in an Azure Storage account or,
for text data, any store such as Redis or a database. Because the key-wrapping key never
leaves Key Vault, unwrapping the DEK (and therefore reading the data) requires access to the
vault key, which can be controlled and audited independently of wherever the data is stored.
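The workflow above, as an added example that is not part of the whitepaper or of any Microsoft SDK. A locally generated RSA key stands in for the Key Vault key so the code runs offline; the `WrapKey`/`UnwrapKey` interface mirrors the vault's wrapKey/unwrapKey operations with RSA-OAEP-256, and in a real Azure Function those two methods would call Key Vault (the private key never leaves the vault). The customer record and the `customer-record:42` associated-data label are constructed sample inputs; all other names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets written to the target store (blob, Redis, database):
// the AES-256-GCM ciphertext, its nonce, and the DEK wrapped under the vault key.
type Envelope struct {
	KeyID      string // which wrapping key (Key Vault key name/version) was used
	WrappedDEK []byte // DEK encrypted with RSA-OAEP(SHA-256), as wrapKey returns it
	Nonce      []byte // 12-byte GCM nonce, fresh per encryption
	Ciphertext []byte // AES-GCM output including the 16-byte authentication tag
}

// KeyWrapper models the only two operations the function needs from Key Vault.
type KeyWrapper interface {
	WrapKey(dek []byte) ([]byte, error)
	UnwrapKey(wrapped []byte) ([]byte, error)
	KeyID() string
}

// localRSAWrapper is an offline stand-in for Key Vault (assumption for this example).
type localRSAWrapper struct {
	priv *rsa.PrivateKey
	id   string
}

func newLocalRSAWrapper(id string) (*localRSAWrapper, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &localRSAWrapper{priv: priv, id: id}, nil
}

func (w *localRSAWrapper) WrapKey(dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &w.priv.PublicKey, dek, nil)
}

func (w *localRSAWrapper) UnwrapKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, w.priv, wrapped, nil)
}

func (w *localRSAWrapper) KeyID() string { return w.id }

// Encrypt is the Azure Function's encrypt path: fresh 256-bit DEK from the CSPRNG,
// AES-GCM over the plaintext (aad binds the record identity so ciphertexts cannot be
// swapped between records), then the DEK is wrapped and its plaintext copy zeroed.
func Encrypt(kw KeyWrapper, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := kw.WrapKey(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		KeyID:      kw.KeyID(),
		WrappedDEK: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// Decrypt unwraps the DEK through the vault and opens the ciphertext; a tampered
// ciphertext, wrong nonce, or mismatched aad fails the GCM tag check and returns an error.
func Decrypt(kw KeyWrapper, env *Envelope, aad []byte) ([]byte, error) {
	if env.KeyID != kw.KeyID() {
		return nil, errors.New("envelope was wrapped with a different key")
	}
	dek, err := kw.UnwrapKey(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	kw, err := newLocalRSAWrapper("kek-v1")
	if err != nil {
		panic(err)
	}
	record := []byte(`{"name":"Budi","nik":"3201010101010001"}`) // constructed sample
	env, err := Encrypt(kw, record, []byte("customer-record:42"))
	if err != nil {
		panic(err)
	}
	out, err := Decrypt(kw, env, []byte("customer-record:42"))
	fmt.Printf("wrapped DEK %d bytes, ciphertext %d bytes, round trip ok=%v\n",
		len(env.WrappedDEK), len(env.Ciphertext), err == nil && string(out) == string(record))
}
```

Storing `KeyID` with the envelope is what makes key rotation workable: after rotating the vault key, old envelopes still name the version that wrapped them, and re-wrapping (unwrap with the old version, wrap with the new) never touches the bulk ciphertext.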

6. Creating a compliance checklist

Compliance checklist

Source: GDPR compliance checklist - GDPR.eu, mapped to UU PDP articles. Notes: each item
carries an Impact rating of Supporting or Required immediately, with its Benefit.

Lawful basis and transparency
• Conduct an information audit to determine what personal data the company processes and
who has access to it (articles 5, 7, 16, 33).
• Have a legal justification for each data processing activity (articles 20 and 21).
• Provide clear information about data processing and its legal justification in the
company privacy policy (articles 20, 21, 22).

Data security
• Consider data protection from product development through every data processing step
(article 16).
• Encrypt, pseudonymize, or anonymize personal data wherever possible (articles 28, 29).
• Create an internal security policy, adopt practices such as Zero Trust, and build
awareness about data protection across all employees (article 20).
• Conduct a data protection impact assessment (article 34).
• Have a process in place to notify the authorities and your data subjects in the event of
a data breach within 3x24 hours of becoming aware of the incident (article 46).

Accountability and governance
• Appoint a Data Protection Officer who is responsible for ensuring UU PDP compliance in
your organization (articles 53, 54).
• Sign a data processing agreement between your organization and any third parties that
process personal data on your behalf (articles 22, 51).
• If your organization is outside Indonesia, appoint a representative within Indonesia
(articles 2, 56).

Privacy rights
• Create a process for customers (data subjects) to request and receive all the information
you hold about them, correct or update inaccurate or incomplete information, request that
processing stop, request deletion of their data, etc. (refer to sub-section “Rights of data
subjects”) (articles 5-13).
• If the organization makes decisions about people based on automated processes, have a
procedure in place to protect data subject rights (articles 10, 21).

Fulfilment timeframe

Response time: data controllers are required to respond to data subject requests within
one month, with the possibility of a two-month extension for complex requests.

Consequences of non-compliance with UU PDP
Non-compliance can lead to a range of significant repercussions. Here are some of the major
consequences organizations may face for failing to adhere to data protection laws:

• Penalties: non-compliance can lead to significant fines, legal sanctions, and
enforcement actions.
• Reputational harm: organizations may suffer reputational damage, leading to a loss of
consumer trust and potential business impacts.
• Operational disruptions: non-compliance may result in operational disruptions, such as
orders to cease processing activities.

Expected outcome
Leveraging these Microsoft technologies can support organizations’ efforts to build the
foundational security requirements, aligned to the Zero-Trust Framework and approach as a
base layer to achieve comprehensive security controls throughout the data lifecycle, from
acquisition to destruction to meet Indonesia’s PDP Law requirements. The expected outcomes
include:

• Enhanced identity and access management to prevent unauthorized access and provide
secure authentication.
• Improved data governance and compliance with data protection regulations.
• Automated privacy management and risk mitigation to address privacy concerns and
support regulatory compliance.
• Advanced threat detection and response capabilities to protect against data breaches
and security incidents.
• Continuous monitoring and auditing to support ongoing compliance and identify
potential vulnerabilities.

Indonesia’s PDP Law affects three main areas: "People," "Process," and "Technology." To address
the technology aspect, Microsoft offers solutions through Microsoft Priva and other security
tools. For the "People" and "Process" aspects, EY provides consulting support to help you manage
these compliance efforts effectively.

7. Case studies and best practices

Case study 1: Riachuelo's data governance transformation with Microsoft

Executive summary
Riachuelo, a leading Brazilian fashion retailer, undertook a comprehensive digital
transformation to enhance data governance, aligning with data protection standards akin to
Indonesia’s PDP Law. By leveraging Microsoft Azure Cloud and advanced AI algorithms, the
company developed a 'Self Service' Data Lake environment, supporting secure and efficient
data-driven decision-making across all business units.

Introduction
Riachuelo, with a rich history of over 70 years and a workforce of 40,000, faced the challenge
of modernizing its data infrastructure to support its extensive operations, including two
factories, 350 stores, and a significant customer base. In 2020, the company embarked on a
digital transformation journey to bolster its data governance, with a particular focus on
compliance and security, drawing parallels with Indonesia’s PDP Law's requirements.

Objective
The primary objective was to create a robust data governance framework that would:
• Facilitate secure data storage and management.
• Enable scalable data processing and analytics.
• Support compliance with data protection laws, mirroring principles of Indonesia’s PDP
Law.

Relevance with UU PDP
While Riachuelo operates in Brazil, the case study demonstrates adherence to principles that
would be required under Indonesia’s PDP Law, such as:

• Data minimization: Collecting only relevant data necessary for processing.
• Purpose limitation: Using data exclusively for the stated purpose.
• Data subject rights: Allowing individuals to access and control their personal data.
• Data security: Implementing strong security measures to protect data integrity and
confidentiality.
• Accountability and transparency: Maintaining clear records of data processing
activities.
Conclusion
Riachuelo's data governance transformation exemplifies how a large-scale retail operation can
enhance its data management practices in line with stringent data protection laws like
Indonesia’s PDP Law. By the end of 2021, Riachuelo had consolidated its corporate Data Lake as
the single source of information, establishing a modern data environment that is secure,
compliant, and accessible to all business units.

Case study 2: Improving a UK Bank's data privacy practices with EY

Executive summary
A leading UK bank engaged EY to assess and enhance its data privacy measures to ensure
compliance with the General Data Protection Regulation (GDPR). The project involved a
detailed applicability assessment, gap analysis, and the development of a sustainable privacy
framework. The methodologies and outcomes of this GDPR compliance project offer similarity
to Indonesia’s PDP Law, providing a model for aligning data protection practices with
international standards.

Introduction
In the face of stringent data protection regulations, the bank recognized the need to
rigorously evaluate and improve its data privacy protocols across three key departments.
With GDPR as the benchmark, the bank aimed to not only meet the legal requirements but
also to reinforce trust among its customers and stakeholders.

Objectives
• Determine the applicability of GDPR within the bank's selected departments.
• Conduct a comprehensive current state assessment of GDPR implementation.
• Identify any compliance gaps and develop a remediation plan.
• Establish robust, GDPR-compliant policies and procedures across the organization.

Relevance with UU PDP
Although the project was centred on GDPR compliance, the approach undertaken by EY can
be readily applied to Indonesia’s PDP Law. Key aspects of the project that align with
Indonesia’s PDP Law include:
• Risk assessment: Identifying and mitigating risks in handling personal data, which is a
core requirement of the UU PDP.
• Data processing procedures: Developing clear data processing and handling
procedures that mirror the accountability principle of the UU PDP.
• Data subject rights: Establishing mechanisms to honour data subject rights, such as
access, rectification, and erasure, which are also enshrined in the UU PDP.
• Data protection training: Implementing training programs to enhance awareness
and understanding of data protection obligations, fostering a culture of compliance
that is essential under the UU PDP.

Conclusion
The GDPR compliance project for the UK bank exemplifies a comprehensive approach to data
privacy that is also relevant to Indonesia’s PDP Law. By employing thorough assessments, gap
analyses, and the establishment of clear policies and procedures, EY has demonstrated how
organizations can achieve high standards of data protection. This case study serves as a blueprint
for institutions seeking to comply with Indonesia’s PDP Law, highlighting the importance of
proactive and meticulous data privacy practices.

8. Conclusion

Key takeaways
• Understanding obligations: A clear understanding of the obligations under the UU
PDP is crucial for compliance.
• Implementing measures: The importance of implementing appropriate technical and
organizational measures to protect personal data, including baseline foundational
security measures like alignment to Zero Trust Framework.
• Regular review: The need for regular review and updates to data protection practices
in response to evolving risks and regulatory guidance.

Future outlook
• Regulatory changes: Anticipate potential updates to the UU PDP in response to
technological advancements and international data protection trends.
• Global compliance: Organizations should prepare for the possibility of more stringent
data protection regulations as part of a global trend towards stronger privacy rights.

Version1 of Indonesia’s Personal Data Protection Law (UU PDP), The Compliance Journey is a
living document, it was jointly prepared by Microsoft and EY on September 1, 2024. For the latest
online version of this content, visit https://aka.ms/idpdp

Contact Information

• Microsoft idpdp@microsoft.com
• EY idpdp@id.ey.com

Recommended Resources

• Microsoft Trust Center: https://www.microsoft.com/en-us/trust-center/product-overview
• Microsoft Product and Services Data Protection Addendum (WW):
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
• Microsoft Privacy and Security Terms:
https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all
• Microsoft Privacy Statement:
https://privacy.microsoft.com/id-id/privacystatement/
• Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Azure:
https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-azure
• Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Office 365:
https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-office365


©2024 Microsoft Corporation. All rights reserved. This document is provided solely
for information and should not be construed as legal advice. The information within
is provided “as-is” and Microsoft makes no warranties, express or implied.
Information and views expressed in this document, including URLs and other
references, may change without notice. You bear the risk of using them. This
document does not provide you with any legal rights to any intellectual property in
any Microsoft product. You may copy and use this document solely for your internal
reference purposes.
