From Policy to Practice: How Indonesia’s UU PDP 2022 Shapes Cybersecurity Readiness in 2025

By Dr. Semi Yulianto

Lecturer, Master of IT program, Swiss German University


Introduction

Indonesia’s digital economy is growing at an unprecedented pace. By 2025, the country is expected to have over 229 million internet users, representing more than 80% of the population [1]. Personal data now flows continuously across financial services, e-commerce, healthcare, and government platforms. While this digital expansion fuels innovation and inclusion, it also exposes individuals and organizations to new risks of cyberattacks and data misuse.

To confront these challenges, the Indonesian government enacted Law No. 27 of 2022 on Personal Data Protection (UU PDP) — the nation’s first comprehensive legal framework on privacy and data protection. The law officially came into force on 17 October 2022, with a two-year transition period, and became fully enforceable in October 2024 [1].

This landmark legislation marks a turning point for Indonesia’s digital trust ecosystem. Yet, beyond the regulatory milestone, its success depends on organizational awareness and readiness to implement its provisions. As of 2025, many institutions — especially micro, small, and medium enterprises (MSMEs) — remain at the early stages of compliance.


The Legal Foundation of UU PDP 2022

Scope and Definitions

UU PDP defines personal data as information relating to an identified or identifiable individual, in both electronic and non-electronic forms. It distinguishes between general and special (sensitive) personal data — such as biometric, genetic, health, sexual, and criminal record information — which require stronger protection [2].

The law applies to both data controllers (entities determining the purpose and means of data processing) and data processors (entities handling data on behalf of controllers). Importantly, it has extraterritorial reach, applying to organizations outside Indonesia that process data of Indonesian citizens.

Rights of Data Subjects

UU PDP grants individuals a set of fundamental data rights, including [3]:

  • The right to obtain information on how their data is processed.
  • The right to access, correct, and delete personal data.
  • The right to withdraw consent.
  • The right to object to automated decision-making.
  • The right to compensation in case of data misuse or violations.

These rights establish the foundation of individual control and transparency in Indonesia’s data ecosystem.

Obligations of Controllers and Processors

Data controllers and processors are required to uphold the core data protection principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, and accountability [1].

Key obligations include:

  • Obtaining valid consent before data processing.
  • Implementing technical and organizational security measures.
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing.
  • Keeping records of processing activities.
  • Ensuring secure cross-border data transfers.
  • Reporting data breaches within 72 hours of discovery [4].


Sanctions and Enforcement

UU PDP introduces administrative, civil, and criminal penalties. Administrative sanctions may include written warnings, temporary suspension of processing activities, deletion of unlawfully processed data, and fines of up to 2% of annual revenue. Criminal sanctions target intentional misuse or illegal disclosure of personal data [5].

To enforce the law, a Personal Data Protection Authority (PDPA) is being established as the main supervisory body. Until its formal operation, the Ministry of Communication and Digital Affairs (KOMDIGI) continues to perform interim oversight functions [6].


Indonesia’s Cybersecurity Threat Landscape

Indonesia records one of the highest rates of cyber incidents in Southeast Asia. Data breaches and ransomware attacks have surged across both public and private sectors. In 2022 alone, over 21,000 companies were affected by data leaks — with the healthcare, financial, and e-commerce sectors among the hardest hit [7].

As internet penetration grows, so does vulnerability. According to APJII’s 2025 survey, internet users increased from 221.6 million in 2024 to 229.4 million in 2025, widening the national “attack surface.” Meanwhile, phishing campaigns, credential theft, and unauthorized data trading on dark-web marketplaces persist.

These realities make compliance with UU PDP not only a legal obligation but also a strategic necessity. Data privacy is now a cornerstone of cyber resilience, requiring organizations to embed privacy controls into daily operations rather than treat them as stand-alone legal checklists.


Organizational Awareness and Implementation (2022–2025)

Awareness Levels

During the two-year transition period (2022–2024), KOMDIGI, universities, and industry associations launched numerous awareness programs. However, research indicates that understanding of UU PDP remains inconsistent across organizations.

In 2021, only 32% of respondents were aware of the draft PDP Law [8]. By 2024, large corporations—especially in banking, telecom, and e-commerce—had begun aligning with global standards such as GDPR and ISO 27001, but most MSMEs lagged behind.

A 2024 study involving 126 MSMEs revealed the following [9]:

  • Legal awareness: 3.13/5 (low)
  • Consent management: 3.49/5 (moderate)
  • Third-party management: 2.67/5 (weak)
  • Appointment of DPO: 2.98/5 (weak)

The findings suggest that limited resources, lack of technical knowledge, and absence of structured training are major obstacles to compliance.

Readiness of Large and Medium Enterprises

Larger organizations tend to be more advanced in compliance, often due to regulatory and market pressures. Many have appointed Data Protection Officers (DPOs), conducted internal audits, and developed breach response frameworks.

However, they still face challenges such as:

  • Maintaining detailed records of processing activities.
  • Conducting periodic DPIAs.
  • Managing third-party vendor compliance.
  • Ensuring secure international data transfers.

Medium enterprises, by contrast, often see compliance as a paper exercise—producing privacy policies but lacking enforcement mechanisms like audit trails or employee training.

Barriers to Compliance

Several systemic challenges hinder full compliance across Indonesian organizations [1], [5], [8]:

  1. Incomplete regulations: Implementation guidelines—such as fine mechanisms and breach notification templates—were still under development in 2025.
  2. Talent shortage: The country lacks skilled privacy professionals to conduct DPIAs or manage privacy programs.
  3. Financial constraints: MSMEs often prioritize operational costs over cybersecurity investments.
  4. Cultural mindset: Privacy is still perceived as a legal burden, not a business enabler.
  5. Weak enforcement visibility: With the PDPA still forming, many organizations underestimate short-term compliance risk.
  6. Complex vendor networks: Dependence on cloud or foreign service providers complicates data flow mapping.

Strengthening Organizational Compliance: Practical Measures

For organizations seeking to align with UU PDP and international best practices, the following actions are essential:

  1. Leadership Commitment
    Treat privacy as a strategic priority at the executive level. Allocate dedicated budgets, KPIs, and accountability mechanisms.
  2. Data Inventory and Mapping
    Identify and classify personal data. Document lawful bases, storage locations, and access rights.
  3. Appoint a Data Protection Officer (DPO)
    Assign qualified personnel responsible for privacy governance and regulatory communication.
  4. Develop Policies and SOPs
    Create clear procedures covering data collection, access, sharing, retention, and disposal.
  5. Implement Security Controls
    Apply encryption, multi-factor authentication, endpoint protection, and regular patching.
  6. Establish Breach Response Plans
    Define escalation protocols, reporting templates, and notification timelines (within 72 hours).
  7. Conduct DPIAs
    Assess privacy risks before deploying new technologies or high-risk processing activities.
  8. Manage Third-Party Risk
    Include confidentiality and data-processing clauses in vendor contracts; conduct periodic audits.
  9. Ensure Cross-Border Safeguards
    Implement standard contractual clauses or binding corporate rules aligned with future PDPA guidelines.
  10. Continuous Awareness and Training
    Educate all employees—from executives to developers—using scenario-based learning and simulations.
  11. Perform Regular Audits
    Carry out internal and independent audits to validate compliance and strengthen accountability.
  12. Be Transparent to Users
    Maintain clear privacy notices and accessible channels for user data requests.

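The obligations in the list above (a classified data inventory with lawful bases and storage locations, DPIAs for high-risk processing, cross-border safeguards, and the 72-hour breach notification window) can be turned into an automated readiness check over an organization's records of processing activities. The following is an added example, not code from the article or from any regulator; the record fields, the sample records, and the rule that special-category data or automated decision-making counts as "high risk" are assumptions made for illustration, and nothing in it is legal advice.

```python
"""Added example (not from the article): a small records-of-processing
checker that flags gaps against the UU PDP obligations the article lists.
All data, field names and risk rules below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Special (sensitive) categories named in the article; labels are constructed.
SPECIAL_CATEGORIES: Set[str] = {"biometric", "genetic", "health", "sexual", "criminal_record"}
# Breach notification deadline stated in the article.
BREACH_REPORTING_WINDOW = timedelta(hours=72)


@dataclass
class ProcessingRecord:
    """One line of a records-of-processing inventory (constructed schema)."""
    name: str
    categories: Set[str]                  # data categories held, e.g. {"name", "health"}
    lawful_basis: Optional[str]           # e.g. "consent", "contract"; None if undocumented
    storage_location: str                 # ISO country code of storage, e.g. "ID"
    cross_border_safeguard: Optional[str] # e.g. "SCC"; None if none in place
    automated_decisions: bool             # profiling or automated decision-making
    dpia_done: bool                       # a DPIA has been completed for this activity


def is_high_risk(rec: ProcessingRecord) -> bool:
    """Assumed rule: special-category data or automated decisions => high risk."""
    return bool(rec.categories & SPECIAL_CATEGORIES) or rec.automated_decisions


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return human-readable findings for one record (empty list = no gaps)."""
    findings: List[str] = []
    if not rec.lawful_basis:
        findings.append("missing lawful basis")
    if is_high_risk(rec) and not rec.dpia_done:
        findings.append("high-risk processing without DPIA")
    if rec.storage_location != "ID" and not rec.cross_border_safeguard:
        findings.append("cross-border transfer without safeguard")
    return findings


def audit(records: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Audit a whole inventory; only records with findings appear in the result."""
    return {r.name: check_record(r) for r in records if check_record(r)}


def breach_report_status(discovered: datetime, reported: Optional[datetime] = None,
                         now: Optional[datetime] = None):
    """Classify a breach against the 72-hour window.

    Returns (status, deadline) where status is one of
    'on_time' / 'late' (if already reported) or 'pending' / 'overdue'.
    """
    deadline = discovered + BREACH_REPORTING_WINDOW
    if reported is not None:
        return ("on_time" if reported <= deadline else "late"), deadline
    now = now or datetime.now(timezone.utc)
    return ("pending" if now <= deadline else "overdue"), deadline


# Constructed sample inventory for demonstration.
SAMPLE_RECORDS = [
    ProcessingRecord("customer_accounts", {"name", "email"}, "contract", "ID", None, False, False),
    ProcessingRecord("clinic_ehr", {"name", "health"}, "consent", "SG", None, False, False),
    ProcessingRecord("credit_scoring", {"name", "income"}, None, "ID", None, True, True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(issues)}")
    found = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)        # constructed timestamp
    status, due = breach_report_status(found, datetime(2025, 3, 3, 20, 0, tzinfo=timezone.utc))
    print(f"breach reported {status}; deadline was {due.isoformat()}")
```

The checker deliberately separates the risk rule (`is_high_risk`) from the findings logic so that an organization can replace the assumed rule with the criteria in its own DPIA policy or in future PDPA guidance without touching the audit loop; the breach function takes an explicit `now` so the deadline check is testable and can be run on historical incidents.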
By institutionalizing these measures, organizations not only comply with UU PDP but also enhance cyber resilience and customer trust.


The Outlook for 2025 and Beyond

Enforcement Trends

With the PDPA set to begin active enforcement, focus areas will likely include:

  • Failure to report breaches within required timelines.
  • Absence of mandatory DPO appointments.
  • Lack of consent documentation.
  • Insufficient technical safeguards.

Organizations that demonstrate governance maturity—through robust record-keeping and incident management—will be better positioned during regulatory audits.

Business and International Implications

Privacy compliance is becoming a competitive differentiator. Global business partners now demand proof of compliance before data sharing or joint ventures. Firms adhering to UU PDP 2022 and global frameworks such as GDPR or ISO 27701 gain greater credibility, while non-compliant organizations risk exclusion from global supply chains [10].

Challenges for MSMEs

MSMEs face the toughest road ahead. Simplified government toolkits, affordable compliance templates, and localized training are needed to bridge the gap. Without support, smaller businesses may remain vulnerable to both cyber incidents and regulatory penalties.

The Evolving Threat Landscape

Cybercriminals are increasingly leveraging artificial intelligence to automate phishing, identity theft, and data scraping. As technology evolves, privacy and cybersecurity must operate as integrated disciplines. Organizations should continuously update controls, simulate incidents, and collaborate with industry peers to share threat intelligence.


Conclusion

The implementation of UU PDP 2022 represents Indonesia’s firm commitment to protect personal data and strengthen digital trust. It also signals a broader cultural shift toward accountability, transparency, and resilience in the digital era.

By 2025, compliance progress remains uneven — large corporations lead, while MSMEs continue to struggle due to resource and knowledge constraints. However, organizations that move beyond minimal compliance and integrate privacy into their core operations and cybersecurity frameworks will emerge stronger.

As Indonesia transitions into full enforcement, the true test will lie not in legislation alone but in organizational behavior. Building a trustworthy digital ecosystem requires continuous learning, investment, and leadership commitment.

Ultimately, privacy is no longer just about protecting data — it’s about protecting people. Organizations that recognize this principle will not only comply with the law but also gain public confidence and long-term digital advantage.


References

[1] Hukum Online, “Strategi dan Tantangan Implementasi UU Pelindungan Data Pribadi di Perusahaan,” 2023. [Online]. Available: https://www.hukumonline.com
[2] FH Untar, “Perlindungan Data Pribadi: Implementasi UU No. 27 Tahun 2022 dan Tantangan Penegakannya,” 2025. [Online]. Available: https://fh.untar.ac.id
[3] DKIS Cirebon City Government, “UU PDP No. 27 Tahun 2022: Hak Masyarakat dan Urgensi Mencegah Kebocoran Data Pribadi,” 2023. [Online]. Available: https://dkis.cirebonkota.go.id
[4] JDIH Komdigi, “Undang-Undang Nomor 27 Tahun 2022 Tentang Pelindungan Data Pribadi,” 2022. [Online]. Available: https://jdih.komdigi.go.id
[5] Learning Hukum Online, “Undang-Undang No. 27 Tahun 2022: Hukum Online Edition,” 2023. [Online]. Available: https://learning.hukumonline.com
[6] Tech for Good Institute, “Strengthening Indonesia’s Personal Data Protection Framework,” 2023. [Online]. Available: https://techforgoodinstitute.org
[7] Monash University Lens, “Finding a Fix for Indonesia’s Data Protection Problems,” 2024. [Online]. Available: https://lens.monash.edu
[8] Asia Society Policy Institute, “Raising Standards for Data and AI in Southeast Asia: Indonesia,” 2021. [Online]. Available: https://asiasociety.org
[9] IIETA Journal, “Assessing Indonesian MSMEs’ Awareness of Personal Data Protection,” International Journal of Safety and Security Engineering, vol. 14, no. 5, pp. 523–534, 2024.
[10] S. Yulianto, E. Chua, and M. Tayag, “Investigating Data Privacy Awareness and Implementation in Philippine SMEs,” Proc. 2024 Int. Conf. Informatics, Multimedia, Cyber and Information System (ICIMCIS), pp. 72–82, IEEE, Nov. 2024.