Undang-Undang Perlindungan Data Pribadi, UU PDP, was signed in 2022 with a two-year transition period. That period ends this October. From then on, PDP law compliance is not a future concern you can defer to next year's planning cycle. It is enforceable now, and the businesses I talk to are split between two camps: the ones who quietly built a data inventory over the past year, and the ones who are only realizing this week that "compliance" means something specific and testable.
I am not a lawyer, and this is not legal advice. What I can offer, after fifteen years building the systems that actually hold customer data for retail chains, finance companies, and service businesses in Indonesia, is a practical read of what regulators and auditors will actually check first. Most SMEs do not need a compliance department. They need four things done properly, and I will walk through each one.
The businesses most exposed are the ones that collect customer data as a side effect of doing business, a loyalty program here, a delivery address there, a scanned KTP for a service agreement, without ever writing down where any of it lives. That is the gap PDP law compliance is designed to close.
Start With a Data Inventory, Not a Policy Document
Every guide to PDP law compliance leads with drafting a privacy policy. Do that last. A privacy policy you write before you know what data you actually hold is fiction, and fiction is worse than silence when an auditor asks you to prove it.
Spend a week mapping this instead:
- What personal data do you collect (names, phone numbers, addresses, ID numbers, payment details, location data)?
- Where does it live (spreadsheets, your POS system, a CRM, WhatsApp chat exports, a vendor's cloud dashboard)?
- Who inside your business can access it, and who outside (payment processors, delivery partners, marketing agencies)?
- How long do you keep it, and does anyone actually delete it?
I did this exercise recently with a retail chain in Tangerang. They assumed their customer data lived in one loyalty app. It actually lived in four places: the loyalty app, a Google Sheet the marketing team used for WhatsApp blasts, an old POS export nobody had touched in two years, and a third-party SMS vendor's dashboard. None of that was malicious. It was just normal SME sprawl, and it is exactly what a data inventory is supposed to surface.
Consent Needs to Be Specific, Not Buried
UU PDP requires that consent be informed and specific to the purpose. A blanket "by using our app you agree to our terms" checkbox, written once and never revisited, will not hold up. If you collect a phone number for order confirmation and then use it for marketing SMS six months later, that is a second purpose requiring its own basis for processing.
Practical minimum for most SMEs:
- State clearly, at the point of collection, what the data will be used for.
- Separate operational consent (processing an order) from marketing consent (sending promotions). Do not bundle them.
- Give customers a real way to withdraw consent, and honor it within a reasonable time, not "eventually."
This is not about legal wording. It is about your forms, your checkout flow, and your WhatsApp opt-in messages actually matching what you do with the data afterward.
Appoint Someone Who Owns a Breach Response
The law does not require every SME to hire a Data Protection Officer, but it does expect someone to be accountable when something goes wrong. If your database vendor gets breached, or an employee's laptop with a customer export gets stolen, who in your company is the one making the call on notification timing and customer communication?
Write down, in one page:
- Who gets notified first internally.
- Which vendor or technical contact investigates scope (this is often where the hidden cost of legacy systems becomes painfully visible, since old systems are harder to audit under pressure).
- The template for notifying affected customers and the regulator, drafted calmly now rather than under panic later.
This single page, reviewed twice a year, is worth more than a compliance binder nobody reads.
Audit Your Vendor Contracts
Most PDP law compliance failures I expect to see this year will not originate inside the business asking for help. They will originate with a vendor: the SMS gateway, the cloud hosting provider, the freelance developer who built your customer database three years ago and still has admin credentials.
Pull every contract involving a third party that touches customer data and check for two things: does it specify how that vendor is allowed to use the data, and does it obligate them to notify you of a breach on their end. If those clauses are missing, you are exposed regardless of how careful you are internally. This is the same discipline behind good vendor exit planning: know exactly what leaves your control and under what terms.
What This Actually Costs
For a typical SME, the real cost of PDP law compliance is not legal fees. It is engineering time to consolidate scattered data into fewer, auditable systems, and management time to write the two or three governance documents above. Businesses I have worked with budget somewhere between fifteen and forty million rupiah for the initial cleanup, mostly spent on data consolidation and access control fixes, not on lawyers.
The businesses that treat this as a checkbox exercise, buying a template privacy policy and calling it done, are the ones that will struggle when a customer files a complaint and the regulator asks to see the actual data flow. The law cares about substance, not paperwork.
Where to Start This Week
Do the data inventory first. It costs nothing but time, and it tells you exactly how big your real problem is before you spend a single rupiah on fixes. Most SMEs I have walked through this discover the gap is smaller and more concentrated than they feared, usually two or three systems, not twenty.
If the inventory turns up data scattered across systems that were never designed to talk to each other, that is a systems problem before it is a legal one, and it is worth getting outside eyes on it. If you want a second opinion on where your exposure actually sits, reach out through partner and we can walk through it together.