Indonesia’s PDP Law: Ease Compliance with Skyflow

Personal customer data is critical to the success of any modern business, but it's also of interest to malicious actors and subject to increasing regulation. So, how can companies manage their customers' personal data to better protect it and comply with laws like Indonesia’s Personal Data Protection (PDP) law?

With the increasing frequency and size of data breaches, companies in Indonesia are looking to improve their security and privacy posture so they can protect their customers’ most sensitive personal data – data like names, email addresses, dates of birth, NIK, NPWP, and other government ID numbers. With the passage of Indonesia's Law No. 27 of 2022 Concerning Personal Data Protection (PDP), the need for effective data privacy and protection has become acute. And recent breaches of banking and SIM card registration data are reminding companies that protecting sensitive personal data can be a challenge.

In this blog post, we’ll discuss how Indonesia’s new PDP law is part of a worldwide trend of data regulations, how companies who operate in Indonesia must protect customer data to comply with PDP, and the penalties for noncompliance with PDP. We’ll also show how Skyflow can help businesses ease compliance with PDP by isolating, protecting, and governing their Indonesian customers' personal data while avoiding data sprawl and cross-border data transfers. Finally, we’ll look at how Skyflow can help global businesses ease compliance with data protection laws from multiple jurisdictions, including Indonesia’s PDP law, India’s DPDP bill, and more.

Data Protection Laws are a Worldwide Trend

In an era where data breaches and privacy concerns dominate headlines, governments worldwide are enacting data protection laws to safeguard individuals' personal information. Indonesia's PDP law is part of this global trend and is designed to enhance the protection of personal data, provide individuals with greater control over their data, and impose stricter obligations on businesses that handle such data.

Let's take a closer look at Indonesia's PDP law.

Overview of Indonesia’s PDP Law

Before the passage of Indonesia's PDP law, the country witnessed several significant data breaches that compromised the personal information of millions of Indonesian residents, with a 22% year-over-year increase in cyberattacks in 2022. These incidents highlighted the need for stronger data protection measures and paved the way for the passage of comprehensive data protection legislation.

Indonesia's PDP law aims to regulate the processing of personal data by organizations operating within the country. It applies to any business or organization that controls or processes Indonesian residents' personal data, regardless of its location. The law sets out key provisions to protect individuals' privacy and give them greater control over their personal information.

Here's an overview of Indonesia's PDP law:

• Scope: The law applies to all organizations that handle the personal data of Indonesian residents, regardless of their size or industry.
• Rights of Data Subjects: Individuals have the right to obtain information about the purpose and nature of personal data collection and use. They also have the right to obtain, update, or correct their personal data, and to terminate the processing of their data – or request its deletion.
• Data Controller and Processor Obligations: Organizations are required to record all data processing activities, protect and secure personal data, prevent unauthorized use or processing, and prevent illegal access to personal data. Additionally, organizations must delete personal data when required.
• Penalties for Noncompliance: Penalties for noncompliance start with a written warning, but rapidly escalate to require cessation of personal data processing, and a possible requirement to delete all personal data. Noncompliance with PDP can even result in fines of up to 2% of an organization’s annual revenue.

To learn more about the PDP law, see this legal summary of its key provisions.

How Skyflow Protects Data and Eases PDP Compliance

Skyflow Data Privacy Vault is a comprehensive data privacy solution that ​​isolates, secures, and governs personal data, and eases compliance with any data privacy law, including Indonesia’s PDP law and the EU’s GDPR. Skyflow is ISO 27001, SOC2 Type2, and PCI Level 1 certified.  It uses a set of advanced privacy techniques, including advanced encryption, redaction, and access control to isolate, protect, and govern personal data:

• Isolate: Skyflow Data Privacy Vault isolates your customers’ personal data from the rest of your infrastructure so you can avoid data sprawl
• Protect: Skyflow employs industry-leading security measures like tokenization to protect personal data (more on this below)
• Govern: Skyflow provides effective governance capabilities, so you can manage and control access to personal data with fine-grained access controls, context aware authorization, and audit logging.

To learn more about these capabilities and how Skyflow can help you protect the privacy of personal data without sacrificing data utility, check out this post from our blog: What is a Data Privacy Vault?

Skyflow offers a wide range of capabilities to protect the privacy and security of your customers’ personal data, including:

• Data Governance Engine: How much control do you have over your data if employee credentials are compromised? With Skyflow’s unique data governance engine, you can control who sees what, when, where, and how. You can also add column- and row-level data access controls, based on any combination of policy, role, or attribute; so you can keep personal data beyond the reach of employees who don’t need it. And with context-aware authorization, you can go beyond the limits of traditional access control.
• Polymorphic Encryption: Encryption-at-rest is required by several industry standards, and it's far better than storing unencrypted data. But in many cases, encryption-at-rest isn’t sufficient. Skyflow’s polymorphic encryption lets you treat each type of personal data differently, so when you only need the last four digits of a customer’s ID number, that’s all you decrypt. And, it lets you run matching and comparison operations on encrypted data without the need to decrypt it, so you can run credit and KYC checks while keeping personal data fully encrypted.

All of that is great, you might be thinking, but what if my customers’ personal data is scattered across various systems and services? How can I isolate personal data if I need to use it and it’s present everywhere: databases, logs, data warehouses, etc?

This is such a common problem that it has a name: data sprawl. A typical example of an architecture with data sprawl looks like the following:

To avoid data sprawl, Skyflow puts all of your sensitive data and access controls in one place, where they can be centrally managed. And isolating plaintext personal data in a data privacy vault makes it easier to protect from unauthorized use.

Isolate Personal Data in a Data Privacy Vault

Isolating personal data in a data privacy vault reduces your compliance scope, simplifying the task of protecting personal data. But, you still need a method to refer to sensitive data records from your other systems. Tokenization gives you this method – providing “pointers” or “stand-ins” to let you reference personal data while keeping plaintext personal data out of your databases, logs, and data warehouses.

Tokenization is a non-algorithmic data obfuscation technique that swaps personal data for tokens. For example, if you tokenize a customer’s name, like “Luke”, it gets replaced by an obfuscated string like “A12KTX”. 

Because there’s no mathematical relationship between “Luke” and “A12KTX”, even if someone has the tokenized data, they can’t get the original data without access to the tokenization process. So, even if an environment populated with tokenized data is breached, this doesn’t compromise the original data.

By using Skyflow’s APIs to collect personal data and isolate it, you can manage this data without having your backend systems ever touch it. Instead, your backend manages tokens that point to personal data that’s centralized and isolated in your Skyflow vault.

With personal data isolated in Skyflow, honoring a deletion or access request from a data subject becomes as easy as an API call.

The result looks like this:

To detokenize personal data, your backend provides those tokens to Skyflow, which confirms that your request meets strict zero trust access controls before detokenizing and returning the requested data. You can learn more about our flexible approach to tokenization in Demystifying Tokenization: What Every Engineer Should Know.

With personal data isolated in Skyflow Data Privacy Vault, you can also use polymorphic encryption to run operations on fully-encrypted data. This lets you perform operations like credit checks and know-your-customer (KYC) checks while keeping personal data isolated and protected in your Skyflow vault.

Avoiding Cross-Border Data Transfers

Skyflow's availability in AWS Jakarta offers a localized data privacy vault solution that lets your business store and process personal data within Indonesia. This eliminates the need for cross-border data transfers and simplifies compliance with data residency requirements, like the requirement that personal data is not moved outside of Indonesia except to jurisdictions with a law that’s equivalent to the PDP law, or with the data subject’s consent. 

Ease Global Compliance with Skyflow

Skyflow is not limited to helping businesses comply with Indonesia's PDP law. Skyflow Data Privacy Vault is designed to ease compliance with data protection laws and regulations from various jurisdictions worldwide.

For example, a company operating in multiple APAC markets could leverage Skyflow to ease compliance with data protection laws in Indonesia, Australia, India, and other countries without the need to replicate their infrastructure in each market. Instead, a multinational company can store the personal data of their customers in a Skyflow instance located in each of these markets, close to these customers.

Skyflow's unified solution simplifies the compliance process, reduces complexity, and enables businesses to efficiently manage data protection requirements across multiple jurisdictions. 

And, we have partnered with Jakarta-based FUTR to help ease evaluation and onboarding for companies based in Indonesia.

Try Skyflow

In an era of increasing data regulations and heightened privacy concerns, businesses must prioritize the protection of their customers’ personal data. Compliance with Indonesia's PDP law is not only a legal obligation but also an opportunity to build trust and enhance customer relationships.

Skyflow provides a powerful solution that lets your business isolate, protect, and govern personal data while easing compliance with Indonesia's PDP law and other data protection regulations. By leveraging Skyflow Data Privacy Vault, your organization can safeguard customer data, mitigate the risks of data breaches, and meet the evolving demands of data privacy laws.

If you’d like to learn more about how Skyflow can help you protect the privacy and security of your customers’ personal data while easing compliance, contact us to learn more.