021-7997973 | Hotline 08111211504
SIP Law Firm Logo
SIP LAW FIRM
Home
About
Legal Services
Our Team
Resources
Press ReleasesCase Studies
Platforms
Contact Us

Managing Personal Data Breach

22 September 2022inARTICLES
Share
data breach

Recent reports of data breach of 1.3 billion SIM Card registration data has incited public debate in Indonesia. The public debate continued following the controversy of a data breach involving 105 million Indonesian citizens, originated from the General Election Commission (KPU),which was illegally sold on an online forum namely  “Breached Forums”.[1]

The controversy provoked the rise of the hashtag #TuntutKominfo (literally sue Kominfo, referring to the Ministry of Communication and Information), which brought the hashtag to be a trending topic on Twitter. The Ministry of Communication and Information has publicly conveyed that the Ministry had nothing to do with the data breach and the case has been under investigation.[2]

The implementation of personal data protection in Indonesia has been a crucial issue for relevant stakeholders. In fact, the Government and the House of Representatives have initiated discussing the Bill on Personal Data Protection (RUU PDP) in 2019 as it was mandated in the 2019 National Legislation Program. The discussion of the bill, however, has yet to conclude up to  mid-2022.

A Law on Personal Data Protection is expected to serve as a guide for the protection of the public’s personal data and to provide certainty for relevant stakeholders, both government and private parties, in treating the personal data they manage.

What should our organization or company do in case of data leak or breach?

Personal Data

The Minister of Communication and Information Technology  Regulaion No. 20/2016 on Personal Data Protection in Electronic Systems defines personal data as certain personal data  (data perseorangan tertentu) that is stored, maintained, and protected its integrity and confidentiality. Based on this regulation, what is referred to as certain personal data (data perseorangan tertentu) is any true and real information that is attached to and can be identified, either directly or indirectly, on each individual whose utilization is in accordance with the provisions of laws and regulations while the owner of personal data (pemilik data pribadi) is the individual whose attached to certain personal data.

The regulation  specifically regulates the protection of specific personal data in electronic systems. However, the provisions of the regulation can be used as a reference in the implementation of personal data protection in Indonesia while the Bill on Personal Data Protection is under discussion.

The Minister of Communication and Information Technology Regulation No. 20/2016 stipulates the scope of personal data protection in electronic systems in the following processes:

1. acquisition of personal data,
2. collection of personal data,
3. processing of personal data,
4. analysis of personal data,
5. storage of personal data,
6. display of personal data,
7. announcement of personal data,
8. transfer of personal data,
9. dissemination of personal data, and
10. destruction of personal data.

Such processes in an electronic system must be based on the principle of good personal data protection. Every process from the acquisition of personal data to its destruction must secure the consent of the owner of the personal data. This approval is in the form of a written statement, both manually and/or electronically, given by the owner of the personal data after obtaining a complete explanation of the process mentioned above.

Electronic system operator (PSE) is any person, state administrator, business entity, and community that provides, manages, and/or operates an electronic system individually or jointly to users of electronic systems for their own needs and/or the needs of other parties. .

As a data controller, PSE is obligated to ensure the protection of the personal data it manages, starting from the stage of monitoring, preventing, to overcoming the occurrence of data leakage.

If there is a failure of protection such as personal data leakage, then PSE as the data controller must notify the owner of the personal data in writing, with the following conditions:[3]

1. must be completed with reasons or causes for the failure to protect confidential personal data;
2. can be done electronically if the owner of the personal data has given his/her consent, which was stated at the time of the acquisition and collection of his/her personal data;
3. must be ensured that it has been received by the owner of the personal data if the failure carries a potential loss for the person concerned; and
4. written notification is sent to the owner of the personal data no later than 14 days after the failure is known.

Managing Personal Data Breach

An organization or company that manages personal data needs to have internal rules that are used as guidelines in dealing with personal data leakage. The internal rules for dealing with data leakage are known as the Data Breach Management Policy (DTMP). DTMP is a guideline that contains a framework that stipulates the roles and responsibilities of each party involved in dealing with data leakage and contains instructions for steps that must be taken by the company in the event of a data leak. The company must also ensure that every employee understands the provisions and how to apply the DTMP in the event of a data leak.

Some of the reasons why an organization or company needs to have a DTMP are:

  1. to fulfill legal obligations based on Article 28 of the Minister of Communication and Information Regulation No. 20/2016 stipulating that PSE is required to have internal rules regarding the protection of personal data in accordance with the provisions of the legislation.
  2. to prevent, limit, and/or reduce the impact of losses due to breach of personal data.
  3. as a form of effort to build the trust of the owner of personal data whose data is managed by the company.

The cases of data breach that continues to happen in Indonesia should be considered as a warning for personal data controllers to continue to improve the personal data protection security system they manage. The prevention of data breach is something that every organization or company must commit to in order to ensure the protection of personal data and legal compliance with applicable laws and regulations.

[1] https://tekno.kompas.com/read/2022/09/06/21193067/105-juta-data-kependudukan-warga-indonesia-diduga-bocor-diklaim-dari-kpu?page=all

[2] https://tekno.sindonews.com/read/873801/207/soal-kebocoran-data-pendaftar-kartu-sim-kominfo-bukan-dari-kami-1662084541

[3] Pasal 28 Peraturan Menteri Komunikasi dan Informatika No. 20 Tahun 2016

 

 

R. Yudha Triarianto Wasono, S.H., M.H.

Partner

Contact:

Mail       : yudha@siplawfirm.id

Phone    : +62-21 799 7973 / +62-21 799 7975

 

About Author

Muninggar S

Muninggar S

Written by Muninggar S, part of the SIP Law Firm team delivering insights and updates on the latest legal developments.

Read Profile →

More on this category

  • Memahami Dolus dan Culpa pada Tindak Pidana
  • Reformasi Regulasi Sertifikasi ISPO: Kewajiban Baru bagi Industri Bioenergi Sawit
  • Buktikan Keunggulan di Top 100 Indonesian Law Firms 2026, SIP Law Firm Raih Gelar Managing Partner of the Year

Pinned Posts

  • Peringatan Resmi terhadap Modus Penipuan yang Mengatasnamakan SIP Law Firm

    13 MAR 2026inARTICLES
  • SIP Law Firm Partners Named to The 200 Club 2026 by Hukumonline

    03 MAR 2026inARTICLES
  • Indonesia’s Halal Certification: Legal Framework and Global Market Strategy

    29 SEP 2025inARTICLES

Ask Us Legal Questions!

Click here to ask a question to our legal experts

Ask a question illustration

We Can Speak on Your Media

View our media experts or contact us to request for your next program

Media experts illustration

We are here to help

Get in touch now to let us know how we can help you. Connect with our LinkedIn and subscribe to our newsletter to stay updated with our latest updates.

Contact Us
Connect on LinkedIn
SIP Law Firm Logo

Full-Service Legal Solutions with Integrity and Professionalism Since 2011

Indonesia's Leading #EcoLawFirm🍀

All Rights Reserved of SIP Law Firm © 2026
Supported by SIP Corp

Services

  • Legal Services & Practice Areas
  • Intellectual Property
  • Find a Media Expert

Platforms

  • SIP-R Consultant
  • Regulasip
  • SIP Library
  • Book Publications

SIP Law Firm

  • About Us
  • Awards and Recognitions
  • Our Team
  • Info
  • Career
  • Sustainability Reports
  • Contact Us
Jakarta Head Office

No. 7 Building, Jl, Buncit Raya No.7, Jakarta Selatan 12760, DKI Jakarta, Indonesia

Phone : +62-21 799 7973
Phone: +62-21 799 7975
Fax : +62-21 799 7981
E-mail : head-office@siplawfirm.id
Yogyakarta Branch Office

Prima SR Hotel & Convention Lt.3 Jalan Magelang KM.11, Yogyakarta, Indonesia

Phone : +62-274 2880777
E-mail : yogyakarta-office@siplawfirm.id
Surabaya Branch Office

Puri Regency Bussines Centre Jl. Puri Jambangan Baru III, No.19, Blok AK, Surabaya, Indonesia

Phone : +62-31 9900 3117
Fax : +62-31 9900 3110
E-mail : surabaya-office@siplawfirm.id

SIP Law Firm The Best Law Firm in Jakarta

SIP Law Firm is a law firm providing premium legal solutions for local and international clients based in Jakarta. The firm has two representative offices in Yogyakarta and Surabaya.

Largest Litigation Practice of the Year - Hukum Online - Juara 1 - 2025

SIP Law Firm is a law firm ranked first in the Largest Litigation Practice of the Year 2025 category by Hukumonline. This recognition affirms SIP Law Firm's standing as a leading litigation practice in Indonesia, with a strong and consistent focus on handling strategic and complex litigation matters across various sectors.

SIP Law Firm Provides Health Law Services

We provide comprehensive Healthcare Legal services for all those involved in the healthcare industry, such as healthcare employment contracts, medical supplier agreements, healthcare business acquisitions, medical disputes, etc. Our Healthcare Legal team has years of experience handling major cases in the medical world related to facilities, medical practitioners, and other related matters.

Trusted Intellectual Property and Patent Consultant

SIP Law Firm, through SIP-R Consultant, provides legal consultation and advice to assist clients in protecting their Intellectual Property Rights (IPR) and Patent Rights. We provide legal advice, assist with IPR registration, and handle patent disputes in court. The SIP-R Consultant team has been trusted by individual clients, SMEs, and multinational corporations across various industries, including the creative industry, musicians, fashion, technology, and others.

SIP Law Firm Pioneer of Eco Law Firm