The Indonesia data protection law is not law yet, but it is closer than it has been in the decade since the idea first surfaced. The RUU Perlindungan Data Pribadi (RUU PDP) is in active deliberation between the government and the DPR in 2022, the long-standing dispute over the supervisory authority appears to be moving toward resolution, and most observers expect passage in the near term. When it passes, businesses will get a transition period, and then real obligations with real sanctions.
I am not a lawyer, and this is not legal advice. I am an engineer who has spent years building systems that hold customer data for Indonesian companies, and I have watched what happened in other markets when comprehensive data rules arrived: businesses that prepared early spent modest money calmly, and businesses that waited paid consultants panic prices for the same work.
Here is the practical read: what the bill will likely require, why the smart move is starting now, and the specific cheap steps worth taking this quarter. No scare tactics, just hygiene.
What the RUU PDP Will Likely Mean for a Normal Business
Based on the drafts discussed publicly, the bill follows the broad shape of modern data protection regimes worldwide. For an SME holding customer data, the likely core obligations look like this:
- Lawful basis and consent. You need a legitimate reason to collect and use personal data, and for many uses that means clear consent, not a checkbox buried in nothing, and not "we have their number so we can blast them forever."
- Purpose limitation. Data collected for delivery should not quietly become data sold to a partner.
- Data subject rights. Customers will be able to ask what data you hold, ask for corrections, and ask for deletion. You will need to actually be able to answer.
- Security obligations. Reasonable technical and organizational protection for the data you hold.
- Breach notification. If data leaks, you will likely have a duty to notify within a defined window.
- Sanctions. Drafts have included administrative fines and, for serious misuse, criminal provisions.
Details will only be certain when the final text passes. But notice something: every item on that list is something a well-run business should want anyway. That is the frame I recommend, compliance as a deadline for hygiene you already owed your customers.
Why Early Preparation Is a Competitive Move, Not a Cost
Three reasons to move before the Indonesia data protection law is enacted rather than after:
- The work is cheaper without a deadline. Data inventory, consent fixes, and access control are calm, incremental tasks today. After enactment, the same tasks compete with everyone else's panic for the same consultants.
- Enterprise customers will push compliance down the chain. If you supply banks, multifinance companies, insurers, or large retailers, expect their vendor questionnaires to grow data protection sections quickly. Being ready wins deals; scrambling loses them. I have already seen a multifinance company reject a capable vendor over data-handling answers, and that was before any law forced the question.
- Breaches are already expensive. Indonesia has had a steady drumbeat of high-profile leaks in recent years, and public tolerance is thin. The reputational cost of leaking customer data exists today, law or no law.
There is also a quieter benefit: the exercise of mapping your data usually surfaces operational mess, duplicate customer records, spreadsheets nobody owns, ex-employees with live access. Cleaning that up pays for itself even if the bill took another five years.
Cheap Steps to Take This Quarter
None of these require a lawyer or a big budget. Most require an afternoon of discipline at a time.
1. Build a data inventory
One spreadsheet. For each place personal data lives, your POS, e-commerce platform, CRM, accounting system, WhatsApp business phone, Google Sheets, the marketing agency's list, record: what data (names, phones, addresses, KTP numbers, financial data), why you have it, who can access it, and where it physically sits. You cannot protect, disclose, or delete what you have not mapped. This document becomes the backbone of everything else, and it is free.
While you are at it, flag the high-risk items. KTP numbers, financial records, and anything about children deserve stricter handling than a newsletter email list.
2. Fix consent at the collection points
Look at every form and flow where you collect data. Add one honest sentence: what you collect and what you will use it for. If you send marketing broadcasts, make joining them a choice, and honor opt-outs immediately. If you bought or "inherited" contact lists of people who never agreed to hear from you, understand that this practice is exactly what the bill targets.
3. Tighten access control
The cheapest security win available:
- Remove access for everyone who left the company. Do it today, then make it a standard offboarding step in your documented SOPs.
- Stop sharing one admin password across the team. Individual accounts, so access is attributable.
- Apply least privilege: the packing staff does not need the full customer export, the marketing intern does not need financial records.
- Turn on two-factor authentication on email, marketplace seller accounts, and anything holding customer data.
4. Stop hoarding
Data you no longer need is pure liability. Old customer exports on someone's laptop, five-year-old campaign lists, backup spreadsheets emailed around in 2019, delete what has no business purpose. A leak can only expose what you kept.
5. Put data handling in your vendor conversations
If a third party touches your customer data, your logistics app, marketing agency, software vendor, ask how they store and protect it and what happens to the data when the contract ends. When commissioning custom systems, make data protection an explicit requirement in the scope, it is far cheaper to build in than to retrofit, a point I make repeatedly when explaining what actually drives custom software cost.
6. Sketch a breach response, one page
Who investigates, who decides on notification, who talks to customers. Writing this after a breach, at midnight, is the wrong time.
What Not to Do
Do not buy a six-hundred-page compliance binder from a seminar, and do not pay enterprise-GDPR prices for an SME reality. Do not wait for the final text to do the obviously right things above, none of them will be wasted regardless of what the enacted law says. And do not treat this as an IT-only project; most of the steps are about people and habits, not servers.
The Takeaway
The Indonesia data protection law will arrive, and the final details will matter, but the foundation does not depend on them: know what data you hold, collect it honestly, restrict who touches it, delete what you do not need, and know what you would do in a breach. That is a quarter of unhurried work for a typical SME, at almost no cash cost, and it doubles as operational cleanup you owed yourself anyway. Start the inventory spreadsheet this week. When the law passes, you will be adjusting details while your competitors are starting from zero.