
Introduction
Data is critical assets for many business in the digital age. However, in 2022 data has become one of tightly regulated assets in Indonesia with the enactment of Law No. 27 of 2022 on Personal Data Protection (Undang-undang No.27 Tahun 2022 Tentang Perlindungan Data Pribadi /UU PDP). For many business, UU PDP has important implication as it raise regulatory risk for non-compliance with penalties of up to 2% of company’s annual revenue. Furthermore, the law also provide stronger claim for the user civil damages in the event of such non-compliance cause damages to the user.
The law itself can be considered necessary considering the string of scandals of data privacy leaks in Indonesia. However, for many business, especially startups, fintech companies, emerging AI firm and even traditional business such as healthcare provide this law raises more questions than the answer. For instance, who exactly is bound by the law? Does it apply for company without physical presence in Indonesia? How compliance actually implemented?
This guide is written to answer such practical question. We hope that this guide will help early stage startup founders, new compliance officers and business owners to understand the important matter related to UU PDP.
What is UU PDP?
UU PDP is the first comprehensive and foundational regulatory framework that govern how personal data is collected, stored, and deleted. In short, anyone that collect and use personal data will be the subject of the law.
Who the Law Regulates?
UU PDP distinguishes between two primary roles:
1. Data Controllers which refer to entities that determine the purpose and means of processing personal data. This is usually your organisation/business.
2. Data Processors which refer to the party that process personal data on behalf of or under the instruction of a data controller. This often includes your vendors, cloud service providers, or service partner.
The law applies to both public and private sectors. This means the scope of the law are broadly encompassed government agencies, state owned enterprises, private companies and even individuals.
Business often assumed that UU PDP only concern ‘tech companies’ or large enterprise but this is false as UU PDP also apply to non-tech business and small business as well.
Extraterritorial Reach
One of the most consequential and peculiar feature of UU PDP is its extraterritorial reach. Similar with EU GDPR that apply for entities outside its border, Indonesia UU PDP apply to data controllers and processors located abroad as long as they process the personal data of Indonesian citizens.
This has significant implications for:
- Foreign SaaS and tech companies serving Indonesian users without a local office or legal entity
- E-commerce platforms with Indonesian customer bases, regardless of where the company is headquartered
- Multinational corporations whose regional or global data infrastructure touches Indonesian personal data, even indirectly
In practice, this means a company with no physical presence in Indonesia can still face administrative sanctions under UU PDP if it processes Indonesian residents’ personal data without compliance. Most generic compliance guides treat this as a footnote; businesses serving Indonesian users from abroad should treat it as a primary compliance trigger.
What “Processing” Actually Covers
UU PDP defines personal data processing broadly, encompassing the full data lifecycle:
- Collection
- Storage
- Modification/updating
- Disclosure or transfer
- Deletion or destruction
This lifecycle framing is important because it signals that compliance isn’t a single event (e.g., publishing a privacy policy) but an ongoing operational obligation spanning every stage of how data moves through an organization.
Key Obligations for Businesses
UU PDP’s obligations map naturally onto the personal data lifecycle of collection, storage, use, transfer, and deletion. Thus the compliance need to be seen as set of data lifecycle end-to-end obligations.
1. Lawful Basis for Processing
Every instance of personal data processing must rest on a lawful basis recognized under UU PDP most commonly, explicit and documented consent from the data subject. This has two practical implications businesses frequently underestimate:
- Consent must be specific. A single, broadly worded consent clause buried in terms of service is unlikely to satisfy the law’s intent. Consent should be tied to defined processing purposes.
- Consent must be documented and retrievable. In a dispute or audit, the burden falls on the data controller to demonstrate that valid consent was obtained — not merely that a checkbox existed somewhere in the user flow.
Other lawful bases exist beyond consent (contractual necessity, legal obligation, legitimate interest), but consent remains the most commonly relied-upon basis for consumer-facing businesses, and the one most often implemented incorrectly.
2. Data Subject Rights
UU PDP grants individuals a defined set of rights over their personal data, including the right to:
- Access their data held by a controller
- Correct inaccurate data
- Delete data under certain conditions
- Object to certain processing activities
- Withdraw consent previously given
For businesses, this means compliance isn’t purely a policy-drafting exercise — it requires operational capability. A privacy policy that promises data subjects a right to deletion is not compliance unless the business actually has an internal process for fulfilling that request within a reasonable timeframe.
3. Cross-Border Data Transfer Requirements
Given how much of Indonesia’s digital economy runs on international cloud infrastructure, cross-border transfer rules affect far more businesses than founders often assume. Transferring personal data outside Indonesia — including to overseas servers, SaaS vendors, or regional headquarters — triggers additional compliance requirements, generally requiring that the receiving jurisdiction offer an equivalent or adequate level of data protection, or that additional safeguards be put in place.
This is particularly relevant for startups using foreign-hosted infrastructure (AWS regions outside Indonesia, international CRM or analytics tools) — a detail that’s easy to overlook when the “cloud” feels borderless but the law treats it as a jurisdictional transfer.
4. Data Protection Impact Assessment (DPIA)
For processing activities carrying higher risk — large-scale processing, sensitive personal data, or new technologies with uncertain privacy implications — UU PDP contemplates a formal DPIA process. A DPIA generally involves:
- Systematically describing the processing activity and its purpose
- Assessing necessity and proportionality
- Identifying and evaluating risks to data subjects
- Documenting mitigation measures
Businesses often treat DPIAs as optional paperwork; in practice, having a documented DPIA is one of the strongest pieces of evidence a company can produce if a regulator later questions its processing practices.
5. Breach Notification Obligations
This is where the stakes of non-compliance become most concrete. When a personal data breach occurs, UU PDP requires timely notification — both to the relevant authority and, in many cases, to affected data subjects.
The critical point businesses consistently underestimate: delayed or concealed breach reporting doesn’t reduce exposure — it multiplies it. A breach handled transparently and promptly, even if the underlying incident was serious, is treated very differently under enforcement than one where a company attempted to manage the incident quietly and was later found to have concealed it. The reputational and regulatory cost of concealment consistently outweighs the short-term discomfort of disclosure.




Leave a Comment