Indonesia recently promulgated and enforced Law Number 27 of 2022 concerning the Protection of Personal Data (UU PDP), on October 17, 2022. These new provisions will undoubtedly have an impact on various activities in the public and private sectors. It is on this basis that PT. Telekomunikasi Selular (Telkomsel), in collaboration with the Center of Human Rights Law Studies, Faculty of Law, University of Airlangga (HRLS FH UNAIR), held a webinar entitled “Challenges and Opportunities for Personal Data Protection by Telecommunications Service Providers After the Promulgation of the PDP Law” on Wednesday, November 16, 2022. Masitoh Indriani, S.H., LL.M., a cyber law expert at the Faculty of Law, Airlangga University, also attended as a speaker to review what companies must prepare to comply with the regulations contained in the PDP Law.
According to her, data management in the telecommunications business is identical to the processing of personal data as regulated in the PDP Law. Any personal data processing activity must be based on the Principles of Personal Data Protection and ensure the data subject's control over their personal data. This prompted her to recommend that telecommunication service providers implement TIPS (translate, identify, prioritize, prepare) to ensure compliance with the PDP Law. First, the company must translate the Personal Data Protection Principles contained in Article 16, paragraph (2) of the PDP Law into the company’s data management cycle. The data management cycle in question is the processing of personal data, which runs from collection to destruction.
Second, companies must identify the obligations of controllers and processors of personal data in the data management cycle. Companies must know who will be controlling and processing data. The results of identifying these parties will make it easier to determine the obligations and prohibitions stipulated in the PDP Law. The existence of these parties must also be stated in the company’s privacy policy so that the data subject is well informed and control over personal data can still be guaranteed. Third, prioritize data subject control over their personal data. This means that company policies must prioritize data subjects' access to their personal data, from collection and correction to deletion. Prioritizing the data subject’s control is also a form of guaranteeing the data subject’s rights.
Finally, companies must also prepare a company ecosystem that complies with the provisions of the PDP Law. This means that companies must create new divisions specialized in maintaining service users’ personal data. For example, a company must have a data protection officer (DPO). In closing, she also explained that the work to adapt to the provisions of the PDP Law was challenging because companies had to review their privacy policy, standard operating procedures, and company culture so that they are in line with the PDP Law.




