Actions for Data Controller in the event of a Data Breach

Protection of personal data in Indonesia is now regulated under Law No. 27 of 2022 on Personal Data Protection (“PDP Law”). Several obligations are carried over from the previous set of data protection rules in Indonesia, among them the obligation to give notification in the event of a data breach.

Previously, under Minister of Communications and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20/2016”), notification of a data breach had to be delivered no later than 14 (fourteen) days after the breach was identified by the Data Controller. The notification had to be delivered to the data subject and had to: (i) state the cause of the data breach; and (ii) where the breach carried potential harm, be confirmed as received by the data subject.

The PDP Law imposes a much stricter rule: the Data Controller must deliver a written data breach notification to the data subject and to the authority no later than 3 x 24 hours after the breach is identified. The PDP Law does not specify the agency to which the breach must be reported. Since the PDP Law provides that existing regulations remain in force to the extent they do not contradict it, the notification to the authority will, for the time being, take the form of a notification to the Ministry of Communications and Informatics under MOCI Regulation 20/2016. The Data Controller may also be required to disclose the breach to the public where the breach interferes with public services and/or has a serious impact on the public interest. The PDP Law further requires the notification to contain at least: (i) a description of the personal data that was breached; (ii) when and how the breach occurred; and (iii) the mitigation and recovery efforts taken by the Data Controller in response to the breach.

Failure to deliver the required data breach notification may expose the Data Controller to administrative sanctions in the form of: (i) a written reprimand; (ii) temporary suspension of personal data processing activities; (iii) erasure or destruction of personal data; and/or (iv) administrative fines. Such administrative fines are capped at 2 (two) percent of the Data Controller's annual revenue.

Furthermore, businesses supervised by Otoritas Jasa Keuangan (“OJK”) are required to deliver an initial notification of a data breach no later than 24 (twenty-four) hours after the incident is discovered. Such Data Controllers are also required to submit an incident report no later than 5 (five) business days after the incident is discovered.

In order to meet these deadlines, a Data Controller must, in parallel with preparing the notification, take actions to contain the breach, prevent further loss of data, and begin recovery, such as:

  1. Data Controller should have a team in place to conduct a comprehensive breach response. Depending on the size and nature of the Data Controller, such a team may consist of data forensics, legal counsel, information security and technology staff, and the data protection officer.
  2. Since the timescale for delivering a data breach notification is tight, the Data Controller should have a data breach response plan that sets out the courses of action to be taken in the event of a breach. Standardizing these actions prevents the teams involved from taking inefficient or conflicting steps under time pressure.
  3. The Data Controller must identify and secure the data and systems related to the breach. The scope of the breach must be identified precisely in order to assess the damage, and containment should be carried out in a way that preserves logs and other evidence needed by the forensics team. This also helps to determine the cause of the breach, e.g., ransomware, data exfiltration, internal human error, or social engineering. By identifying the cause, the Data Controller can determine whether the same weakness has led to, or could lead to, further breaches.
  4. Deliver the notifications required under prevailing laws within the applicable deadlines. Doing so helps to minimize any additional sanctions imposed on the Data Controller.

While a data breach can happen to any Data Controller, it is important to mitigate data risks and vulnerabilities in order to prevent future incidents by having:

  1. Data Protection Officer (“DPO”). The DPO ensures the Data Controller's compliance with applicable personal data protection laws. Everything related to the processing of personal data within the company should involve the DPO.
  2. Data breach response plan, business continuity plan, disaster recovery plan, or other relevant policy. As mentioned above, these prevent inefficient action being taken by the teams involved. It is also important to test such response plans regularly to ensure that the response team is engaged and understands its responsibilities.
  3. Data Protection Policy. While data protection is regulated under prevailing laws in Indonesia, it is important to have an internal set of rules on data protection. Such a policy can address more technical matters that have not yet been regulated under the laws.
  4. Detailed log of all data processing activities. Since the law requires certain details to be provided along with the notification, a detailed record of processing activities, together with system and access logs, makes it far easier to supply that information within the deadline. These logs also help to determine which data was affected and what caused the breach, provided they are retained for long enough and protected from tampering by the attacker.
  5. Standardized Data Processing Agreement and Service Provider Agreement. Standardizing such agreements sets out the obligations of the relevant parties in the data processing, in addition to those stated in prevailing laws. It is also important to distinguish a Data Processing Agreement from a Non-Disclosure Agreement (“NDA”), since an NDA is usually limited to confidentiality and does not set conditions on how the data will be processed.

Please note that the information contained in this article should be used only as a general guideline with respect to the subject hereof and does not constitute legal advice or a legal opinion for your specific case. The information herein should not be used or relied upon in regard to any particular facts or circumstances without seeking legal advice from us. We will not be liable or responsible for any consequences, damages, or other similar losses which may be suffered by any party who has used or relied upon this article.

If you require further information on the new regulation, please do not hesitate to contact:

Nurjadin Sumono Mulyadi & Partners

Contact information:

Diki Andikusumah

Partner

diki.andikusumah@nurjadinet.com

Merdhitia Mahadirja

Associate

merdithia.mahadirja@nurjadinet.com