On September 20, the DPR finally passed the Personal Data Protection bill, the UU PDP, after years of drafts and delays. If you run a business in Indonesia and you store customer names, phone numbers, or addresses anywhere, PDP law compliance for business is now a real item on your list, not a someday topic.
Before the panic sets in: the law comes with a transition period of up to two years for organizations to comply. That is genuinely enough time for an SME, but only if you treat it as a runway and not as a snooze button. The companies that will scramble in 2024 are the ones telling themselves "we're too small to matter" today.
I am an engineer, not a lawyer, so this is not legal advice. What I can give you is the practical, technical-and-operational action list I am walking my own clients through, in the order that actually makes sense.
First, Understand What Changed
Until now, personal data rules in Indonesia were scattered across sector regulations, mainly Permenkominfo 20/2016 and PP 71/2019, with limited teeth. The UU PDP consolidates this into one law that applies to essentially every organization processing personal data of Indonesian citizens, private or public, large or small.
The parts an SME owner should register:
- Consent becomes central. You need a lawful basis to process someone's data, and for most SME use cases that basis is explicit consent for a stated purpose.
- Individuals get rights: to know what data you hold, to correct it, to delete it, to withdraw consent.
- Breach notification is mandatory. If personal data leaks, you must notify the affected individuals and the authority, with a 3x24 hour window in the current text.
- Sanctions are real: administrative fines that can reach a percentage of annual revenue, and criminal provisions for the worst abuses like unlawfully selling personal data.
You do not need to memorize the articles. You need to build a business that would not be embarrassed by any of them.
Step 1: Inventory Your Data (This Week, Not This Quarter)
You cannot protect what you have not listed. Sit down with whoever touches customer data and answer four questions:
- What personal data do we hold? Names, phone numbers, addresses, emails, KTP numbers, dates of birth, transaction history.
- Where does it live? The answers are usually messier than expected: the POS system, a marketing Excel file on someone's laptop, a WhatsApp Business contact list, an email inbox, the e-commerce seller dashboard, a form vendor from a campaign in 2020.
- Who can access it? Every shared password and every ex-employee who still has a login is a finding.
- Why do we have it? If there is no current business purpose, it is pure liability. A leaked database of customers you no longer serve hurts exactly as much as a leaked active one.
Write this into a simple spreadsheet: data type, location, access, purpose, retention. For a typical SME this takes one afternoon and it is the single highest-value compliance activity you can do. Everything else builds on it.
Step 2: Fix Consent Capture Going Forward
Look at every point where you collect data: web forms, registration flows, loyalty sign-ups, offline forms at the cashier.
- Say what you collect and why, in plain Indonesian, at the point of collection. One short sentence beats a 20-page policy nobody reads.
- Stop bundling. Consent to receive marketing broadcasts should be a separate, unticked checkbox, not buried inside terms of service.
- Collect less. Every field you drop is a field you never have to protect. Do you truly need date of birth to sell someone a shirt? Data minimization is both a legal principle and a free security upgrade.
- Keep a record. Your system should be able to show that this customer agreed, to this, on this date.
If your website or app was built by a vendor, this is a small, cheap change request. Somewhere between Rp3 juta and Rp10 juta of work for most SME systems, which is a rounding error against the fine exposure.
Step 3: Basic Breach Readiness
Most SMEs have no plan for the day data leaks, and improvising during an incident produces the worst possible decisions. You need one page, agreed in advance:
- Who is the decision maker when a suspected breach is reported, including on a Saturday night?
- Who do we call technically? Your vendor or internal engineer needs to be reachable and contractually obligated to help investigate.
- What do we tell customers, and when? Draft the skeleton of the notification now, calmly, instead of at 2 AM in a panic. The law's 3x24 hour notification window is very short if you are starting from zero.
- What are we logging? If your systems keep no access logs, you cannot even determine what leaked. Ask your vendor this question this month.
While you are at it, close the boring holes that cause most SME incidents: shared admin passwords, no offboarding process for departing staff, customer databases exported to personal laptops, and admin panels with no two-factor authentication.
Step 4: Check Your Vendors, Because Their Breach Is Your Problem
Under the UU PDP, using a third party to process data does not transfer your responsibility to them. Your hosting provider, your software vendor, your marketing agency with the customer list, your courier integration: their leak is your notification, your customers, your reputation.
Send each vendor three written questions:
- Where is our data stored, and who at your company can access it?
- What security measures protect it, and when were they last reviewed?
- If you have a breach involving our data, how fast will you inform us, in writing?
Vague answers are answers too. This overlaps with the quarterly vendor conversation I recommend in Understanding Your Cloud Bill Before It Understands You: the vendors worth keeping can answer specific questions specifically.
What You Can Safely Defer
To keep this honest, not everything needs to happen in 2022. Implementing regulations will follow the law and will clarify details like data protection officer requirements and the exact shape of the supervisory authority. Formal appointment of dedicated compliance roles, certification exercises, and heavyweight legal documentation can wait for that clarity.
What cannot wait is the substance: knowing your data, collecting it honestly, securing it sensibly, and being able to respond when something goes wrong. Those four things are simply good operations, and they were worth doing before the law existed.
The Takeaway
The UU PDP passed, the transition period is your runway, and PDP law compliance for business is achievable for an SME without a legal department. The order of operations: inventory your data this week, fix consent capture at every collection point, write the one-page breach plan, and put your vendors on written record. Delete the data you have no reason to keep.
Start with the inventory. It costs an afternoon, it will surprise you, and every other step becomes obvious once you can see what you are actually holding. Two years disappears faster than you think.