citizenship in the Philippines as to the laws applicable
Personal Data Protection in Indonesia
1. 11
PERSONAL DATA PROTECTION
Eryk B. Pratama, S.Kom, M.M, M.Kom
Data Privacy & Cyber Security Consultant at Global Consulting Firm
Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid)
https://medium.com/@proferyk & https://slideshare.net/proferyk
Universitas Negeri Makassar
Regulation and Technical Aspects
3. A perspective on data breaches - Indonesia
Setting-up the Context
https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor-
bukalapak-dijual-di-forum-hacker
https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12-
juta-pengguna-bhinnekacom?page=all
https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes-
vulnerability-of-personal-data.html
https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data-
protection-in-spotlight.html
Key Information Security
Controls
▪ System configuration
▪ Access management
▪ Third party risk
▪ Human risks (Carelessness)
4. A perspective on misuse of data - Indonesia
Setting-up the Context
https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-
bocor-denny-siregar-bakal-gugat-telkomsel
https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor-
denny-siregar-bakal-gugat-telkomsel
5. Case Study – Personal Data Breach via
Vulnerable Web Application
6. Data Privacy vs Data Protection
Ethics & Regulation Information Security Control
7. Bring it in one page
Setting-up the Context
Regulation Technical Aspects
EU General Data Protection
Regulation (GDPR)
US California Consumer
Protection Act (CCPA)
RUU Perlindungan Data
Pribadi (RUU PDP)
Pre-Breach
Identity & Access Management
Data Loss/Leakage Prevention
Privilege Access Management
Cyber Hygiene
During & Post Breach
Incident Management
Crisis Management
PP 71 2019 - PSTE
Peraturan Kominfo No 20
2016 - Data Pribadi pada PSE
9. RUU Perlindungan Data Pribadi
Regulation Aspects
Key Highlight
▪ Explicit Consent is required from the data owner for
personal data processing.
▪ Responding timelines for Data subject rights have been
separately called out in the RUU PDP.
▪ Data controller to notify the data owner and the Minister
within 3 days of data breach.
▪ Penalties for non-compliance may range from Rp 20 Billion
to Rp 70 Billion or Imprisonment ranging from 2 to 7 years
Data Owner Data Controller Data Processor Data Protection Officer
10. Data Owner – Pemilik Data Pribadi
Regulation Aspects
Hak Pemilik Data Pribadi
Pasal Deskripsi
Pasal 4 meminta Informasi tentang kejelasan identitas, dasar kepentingan hukum, tujuan permintaan dan penggunaan Data
Pribadi, dan akuntabilitas pihak yang meminta Data Pribadi.
Pasal 5 melengkapi Data Pribadi miliknya sebelum diproses oleh Pengendali Data Pribadi.
Pasal 6 mengakses Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan.
Pasal 7 memperbarui dan/atau memperbaiki kesalahan dan/atau ketidakakuratan Data Pribadi miliknya sesuai dengan
ketentuan perundang-undangan.
Pasal 8 mengakhiri pemrosesan, menghapus, dan/atau memusnahkan Data Pribadi miliknya.
Pasal 9 menarik kembali persetujuan pemrosesan Data Pribadi miliknya yang telah diberikan kepada Pengendali Data Pribadi
Pasal 10 mengajukan keberatan atas tindakan pengambilan keputusan yang hanya didasarkan pada pemrosesan secara otomatis
terkait profil seseorang (profiling).
Pasal 11 memilih atau tidak memilih pemrosesan Data Pribadi melalui mekanisme pseudonim untuk tujuan tertentu
Pasal 12 menunda atau membatasi pemrosesan Data Pribadi secara proporsional sesuai dengan tujuan pemrosesan Data Pribadi
Pasal 13 menuntut dan menerima ganti rugi atas pelanggaran Data Pribadi miliknya sesuai dengan ketentuan peraturan
perundang-undangan.
11. Data Controller – Pengendali Data Pribadi
Regulation Aspects
Kewajiban Data Controller
Pasal Deskripsi
Pasal 24 ▪ wajib menyampaikan Informasi mengenai legalitas dari pemrosesan , tujuan pemrosesan , jenis dan relevansi
pemrosesan, periode retensi dokumen, rincian informasi yang dikumpulkan, dan jangka waktu pemrosesan data
▪ menunjukkan bukti persetujuan yang telah diberikan oleh Pemilik Data Pribadi
Pasal 25 wajib menghentikan pemrosesan Data Pribadi dalam hal Pemilik Data Pribadi menarik kembali persetujuan
pemrosesan Data Pribadi
Pasal 27 wajib melindungi dan memastikan keamanan Data Pribadi yang diprosesnya dengan melakukan:
▪ penyusunan dan penerapan langkah teknis operasional untuk melindungi Data Pribadi
▪ penentuan tingkat keamanan Data Pribadi dengan memperhatikan sifat dan risiko dari Data Pribadi yang
harus dilindungi dalam pemrosesan Data Pribadi
Pasal 28 wajib melakukan pengawasan terhadap setiap pihak yang terlibat dalam pemrosesan Data Pribadi
Pasal 29 wajib memastikan pelindungan Data Pribadi dari pemrosesan Data Pribadi yang tidak sah
Pasal 36 wajib melakukan pemrosesan Data Pribadi sesuai dengan tujuan pemrosesan Data Pribadi yang disetujui oleh Pemilik
Data Pribadi. (Explisit / Implicit Consent)
Pasal 38
Pasal 39
Penghapusan dan pemusnahan data pribadi
13. Data Masking - Tokenization
Regulation Aspects
Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/
No sensitive data is stored in the production
database
16. Information Security Complexity - Example
Technical Aspects
Source: https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c
17. From Simply Managing Identities to Managing Complex Relationships
Technical Aspects – Identity & Access Management
Identity Access Management Identity Relationship Management
Source: Forrester Research
18. Simplifying the complexity
Technical Aspects – Identity & Access Management
Authoritative/Trusted Source
Middleware / Identity
Management Solution
Target System
HR Data IDM Solution
Active Directory
Email Server
ERP
Others Applications
Provisioning
Reconciliation
Create,Update,Revoke
19. Access Management Basic Process
Technical Aspects – Identity & Access Management
Receive Request Verification Provide Rights Log and Track Access
▪ Change requests
▪ Services requests
▪ HR requests
▪ App / Script requests
▪ Valid user ?
▪ Valid request ?
▪ Request access ?
▪ Remove access ?
▪ Provide access
▪ Remove access
▪ Restrict access
▪ Check and monitor
identity status
▪ Violations to Incident
Management Process
Business Rules, Policies, Procedures, Controls
ISMS
20. Data Loss/Leakage Prevention Solution
Technical Aspects – Data Loss Prevention
A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing
throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different
forms:
Data in Motion Data at Rest Data in Use
Data that is transmitted or moved, both
through electronic or non-electronic
means. Data that is actively traveling on
a network, such as email or web traffic.
Data that resides on a stable medium,
including servers, network shares,
databases, individual computers, and
portable media.
Data that has been obtained and are
being processed or actively used.
Typically, referring to data on end-user
computing device or host systems.
Structured Data Unstructured Data Semi-structured Data
Data commonly stored in
databases or applications
Exists in filesystems or
documents
Examples of such data format
types include email
Data Type
21. Incident Management Definition
Technical Aspects – Incident Management
What is an IT incident?
An IT incident is any disruption to an organization's IT services that affects anything from a single user or the entire business . In
short, an incident is anything that interrupts business continuity.
What is IT incident management?
Incident management is the process of managing IT service disruptions and restoring services within agreed
service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and
ends with a service desk team member resolving that issue.
Analyst Incident Responder Digital Forensic
Incident Escalation
Layer 1 (L1) Layer 2 (L2) Layer 3 (L3)
Incident Classification
MediumHigh Low
Incident Prioritization
Critical High Medium Low
23. Implement Cyber Hygiene as Foundational Action
Key Takeaways
What is Cyber Hygiene?
Cyber hygiene refers to steps taken by users to maintain the health of their computers and devices and improve online security to
prevent the theft or corruption of data.
Cyber Hygiene Practices
1. Keep an inventory of the hardware and software on your network
2. Install reputable antivirus and malware software
3. Conduct cybersecurity education and awareness activities
4. Update and patch software regularly
5. Regularly back up your data and keep multiple copies
6. Limit the number of employees who have administrative privileges
7. Establish an incident response plan.
8. Establish network security and monitoring
9. Perform regular vulnerability assessment and secure configuration review
10.Implement some controls to protect and recover data if a breach occurs
Keep update with regulation and cyber threat
24. Cyber Hygiene in Public Environment
Key Takeaways
Check Legitimate
WIFI ID/SSID
Be careful with piggyback/tailgating Don’t click malicious pop-up and URL
Use VPN (if possible)
25. Staying Safe when Online
Key Takeaways
Use secured personal device
Activate pop-up/Ad blocker
Activate private / incognito mode
Use VPN (if possible)
Use strong/complex
password
Make Online Purchases From
Secure Sites
Be Careful on What You Access &
Download