Law No. 27 of 2022 on Personal Data Protection (“Data Protection Law”) will be effectively enforced in October 2024. This means that the obligations and sanctions contained therein will be enforced immediately starting from October 2024, including the obligations for the Data Controller and Data Processor to have their Record of Processing Activities (“ROPA”) and/or Data Protection Impact Assessment (“DPIA”).
ROPA can be understood as a record that shows the data processing activity within a legal entity for each business stream within the legal entity. After the processing activity has been recorded in ROPA, the Data Controller and/or Data Processor must analyze the level of risk impact of such data processing activity. Should the risk impact be classified as high potential risk according to Article 34 of the Data Protection Law (e.g., large scale of data processing, specific, involving automated decision-making process, profiling, etc), then the Data Controller and/or Data Processor must further create a DPIA for each of the data processing in each business stream to evaluate the impact analysis of the data processing.
The spirit of the Data Protection Law, which enforces particular obligations towards the Data Controller and Data Processor, is to be treated as a preventive measure so that the data processing activities of an upcoming project shall be evaluated first prior to the project being executed. However, in the early stage of the implementation of the Data Protection Law, it shall also be utilized to evaluate the data processing activities of any ongoing project and/or business activities. Therefore, despite the current absence of the implementing regulation on the Data Protection Law, the legal entity who plays the role of a Data Controller and/or a Data Processor would be the subject of the enforcement of the obligations and sanctions stipulated under the Data Protection Law since October 2024.
Furthermore, it shall be noted that to implement the obligations as mentioned in the Data Protection Law shall not be the sole responsibility of a Data Protection Officer (“DPO”). On the contrary, the spirit of a DPO shall be understood as an advisor of Data Protection within a company that provides advice and guidance in the implementation of proper Data Protection measures. Therefore, as an advisor, the DPO shall not be the one who executes the obligations of the Data Controller or Data Processor, such as drafting ROPA and DPIA. Each of the department that conduct data processing shall be the one who creates the ROPA and DPIA under the guidance and advice of the DPO.
If you need experienced, practical and cost-effective lawyers to assist your company in ensuring compliance with the new Data Protection Law along with other relevant laws and regulations, . If you have inquiries about our services, don’t hesitate to get in touch with [email protected] or visit us at www.budidjaja.law.