Accelerate Your PDP Law Compliance with Microsoft Cloud
Read the Indonesian version here.
In the rapidly evolving digital era, personal data protection has become a crucial issue. The Personal Data Protection Law (PDP Law) provides an important legal framework to ensure that each individual's personal data is properly protected. Industry players' compliance with the PDP Law not only protects individuals' privacy rights, but also builds business trust and credibility.
For Microsoft, this means we need to take a bigger role in ensuring that every person and every organization across Indonesia and across the world can rely on us to protect their personal and sensitive personal data. This is why, more than a decade ago, Microsoft established its Trusted Cloud Principles to guide Microsoft Cloud technology. These principles cover security, privacy, compliance, reliability/resiliency, and intellectual property. As one result, Microsoft Cloud has the most comprehensive set of compliance offerings of any cloud service provider, with more than 100 compliance offerings, including CIS benchmarks, EU GDPR, and Singapore MTCS, among others.
These investments align closely with the intentions of the PDP Law, and because of this, the Microsoft Cloud is uniquely positioned to provide expedited support for PDP Law compliance. Today, we are sharing how organizations can accelerate their PDP Law compliance journey with Microsoft Cloud, as part of a joint effort to protect every individual in Indonesia. More details are elaborated in the Microsoft EY Indonesia PDP Law Whitepaper 2024 here.
Managing the compliance process with Privacy Enhancing Tools
First, it’s critical to note that practicing robust personal data protection needs to begin with a comprehensive understanding of what data is being collected, how it is collected, how it is processed, where it is stored, and for how long it is retained. This holistic approach encompasses the entire data lifecycle, ensuring that each phase is meticulously managed.
Managing the compliance process at every stage of the data lifecycle is, of course, not easy, but it is highly important. This is where privacy enhancing tools (PET) come in. PET is a set of solutions designed to help organizations manage and protect personal data and ensure compliance with stringent data protection laws. PET provides sophisticated mechanisms that safeguard sensitive information against unauthorized access and potential breaches, fostering a secure, private, and trustworthy data management ecosystem.
Image 1. High level PET building block
Source: Microsoft EY Indonesia PDP Law Whitepaper 2024, page 30
In the PET building block, Microsoft has a broad portfolio of enterprise cloud services that organizations can leverage to help meet PDP Law obligations. Microsoft's PET can (1) Discover, by identifying all data elements within the organization to understand their nature and source; (2) Classify, by labelling and categorizing data based on sensitivity and regulatory requirements; (3) Protect, by implementing security measures to safeguard data, including Data Loss Prevention systems, endpoint protection, and encryption; and (4) Monitor, by continuously overseeing data usage and access to detect anomalies and potential breaches.
The framework below is an example of how organizations can integrate Microsoft's PET within the personal data lifecycle:
Image 2. Suggested Integration of Privacy Enhancing Tool (PET) within the Personal Data Lifecycle
Source: Microsoft EY Indonesia PDP Law Whitepaper 2024, page 32
Introducing the Premium Assessment Template for Indonesia’s PDP Law in Microsoft Purview Compliance Manager
To provide a single pane of glass for compliance fulfilment, Microsoft has introduced the Premium Assessment Template for Indonesia's PDP Law in Microsoft Purview Compliance Manager. This template helps organizations streamline their overall compliance efforts, including compliance with the PDP Law, by automating critical compliance tasks and simplifying the assessment process. This latest addition unlocks more possibilities for organizations to accelerate their compliance with national, regional, and industry-specific requirements governing the collection and use of data. The complete regulation list can be found here.
By leveraging Compliance Manager, organizations can:
Make compliance faster and more straightforward by referring to the assessment template, which breaks down the specific requirements of the PDP Law and maps them to Microsoft's tools and controls
Complete each of their risk assessments through a single tool using workflow capabilities
Have detailed step-by-step guidance on suggested improvement actions to help them comply with the standards and regulations that are most relevant for each organization
Check their risk-based compliance score to help them understand their compliance posture by measuring their progress in completing improvement actions
Image 3. Microsoft Purview Compliance Manager
In addition to the tools mentioned above, Microsoft also stands behind organizations through contractual commitments for our cloud services in accordance with the new PDP Law requirements. This commitment is reflected in our Data Protection Addendum.
Security above all else
Behind every effective data protection program is a robust security system. Therefore, it is critical for every individual in an organization to take part in these protection efforts by applying the Zero Trust Framework, built on the principle of "never trust, always verify".
Recognizing the criticality of cybersecurity, Microsoft has been investing over USD 4 billion annually in cybersecurity. Most recently, as part of our company's Secure Future Initiative (SFI) promises that prioritize security above all else, Microsoft has appointed 13 Deputy Chief Information Security Officers (Deputy CISOs) responsible for spearheading SFI across the company, mobilized 34,000 full-time engineers to integrate security into the fabric of their work (making it the largest cybersecurity engineering effort in history), launched the Security Skilling Academy to help train all employees on cybersecurity, and implemented security as a core priority and performance measure for all employees.
Coming soon, Indonesia Central, Microsoft's first cloud region in Indonesia, will be generally available, enabling customers and partners to unlock Indonesia's new digital economy using trusted cloud services locally, with world-class data security, privacy, and the ability to store data in country.
A collaboration to protect Indonesia
All of the above suggests that the success of PDP Law compliance relies on three critical areas: people, processes, and technology. While Microsoft is committed to helping organizations successfully comply with the PDP Law on the technology side, it is important to recognize that compliance is a shared responsibility.
New requirements will mean internal changes within each organization, which require internal alignment. On the process side, these include carrying out data mapping, classification, and labelling; defining standard operating procedures for implementing data subject rights; and notifying data breach incidents to the relevant authorities and data subjects within 3×24 hours. On the people side, they include appointing a Data Protection Officer and bringing the Zero Trust Framework to life.
To start, here is a compliance checklist that organizations can refer to:
Source: Microsoft EY Indonesia PDP Playbook 2024, page 55
Compliance with the PDP Law is not just a legal obligation; it is a commitment to upholding the privacy and trust of all stakeholders. Let's each play our part in bringing personal data protection practices to life. Together, we can build a resilient digital future where privacy is respected and personal data is protected.