ISO 20000 and UU PDP: Integrating Personal Data Protection into Service Management

UU PDP Overview

Indonesia's Personal Data Protection Law (Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi — UU PDP) establishes comprehensive personal data protection requirements. The law became effective in October 2024 and imposes obligations on all organizations processing Indonesian residents' personal data.

UU PDP establishes key obligations: organizations must have a lawful basis for processing personal data (contract performance, legal obligation, consent, legitimate interest, or vital interest protection); organizations must respect data subject rights (access, correction, deletion, restriction, portability, objection); organizations must protect personal data through appropriate security measures; organizations must notify data subjects and regulators in case of data breaches; organizations must appoint data protection officers and establish governance processes.

UU PDP is enforced by the Otoritas Jasa Keuangan (OJK) for financial services, the Ministry of Communication and Information Technology (Kominfo) for general supervision, and BSSN for government data. Enforcement penalties are significant — up to 6% of annual revenue or IDR 60 billion, whichever is greater.

How IT Service Management Intersects with UU PDP

Every IT service that processes personal data is subject to UU PDP. Email systems process employee and customer personal data. Customer relationship management (CRM) systems process customer personal data. HR management systems process employee personal data. Cloud storage services process user personal data. The service management system (SMS) governs how these services operate and must ensure that personal data processing aligns with UU PDP.

IT service management is not just a governance framework — it is a compliance enabler for UU PDP. The documented information generated by the SMS (incident records, service request records, change records, configuration records) provides evidence of personal data protection compliance.

Service Portfolio and UU PDP

The service portfolio should identify which services process personal data. For each service that processes personal data, document the legal basis for processing (contract performance, legal obligation, consent, etc.), the data subject categories whose data is processed (customers, employees, partners), and the personal data categories processed (names, contact information, financial data, health data, etc.).

The service portfolio documentation becomes part of the data processing register required by UU PDP. The register must describe all personal data processing activities, their legal basis, retention periods, and security measures. The service portfolio, enhanced with these attributes, satisfies UU PDP's register requirements.

Incident Management and Personal Data Breaches

A personal data breach — unauthorized access, disclosure, or loss of personal data — is a category of security incident. UU PDP requires notification of significant personal data breaches to BSSN/Kominfo within 72 hours and notification to affected data subjects within reasonable timeframes.

The major incident management procedure must identify personal data breaches as a specific category of incident requiring accelerated response. The procedure must include decision-making about whether a breach is significant enough to trigger regulatory notification. The procedure must specify the notification authority (data protection officer, executive leadership) and the notification process.

Incident records for personal data breaches become compliance evidence. The record must document the breach discovery date, the nature of personal data affected, the number of data subjects affected, the cause of the breach, actions taken to contain the breach, and notifications sent. These records are fundamental to demonstrating compliance with UU PDP's breach notification obligations.

Service Request Management and Data Subject Rights

UU PDP provides data subjects with specific rights: the right to access personal data, the right to correct inaccurate data, the right to request deletion of data, the right to restrict processing, the right to port data to another controller, and the right to object to certain processing.

Organizations must handle data subject rights requests through a documented, trackable process. The service request management practice can formalize this process: a data subject right request is treated as a category of service request, handled through the same ticketing system as other service requests, assigned to the data protection officer or designated handler, tracked to completion, and documented.

UU PDP specifies response timeframes for data subject rights — typically 30 days. The service request SLA for data subject rights requests must align with this regulatory requirement. If a data subject requests data access, the organization must provide a copy of the data within 30 days.

Technical Capability to Fulfill Rights Requests

Fulfilling data subject rights requires technical capability. To provide a right of access, the organization must be able to retrieve and export a data subject's personal data. To provide a right of deletion, the organization must be able to identify and delete all instances of a data subject's data. To provide a right of portability, the organization must export data in a structured, machine-readable format.

These technical capabilities must be built into IT services at design time. A service that stores personal data without export or deletion capability cannot satisfy UU PDP's rights requirements. The SMS service design process must explicitly require that services include data subject rights fulfillment capability.
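The retrieval, export and verified-deletion capabilities described above, together with the 30-day service request SLA from the previous section, as an added example that is not part of the original article or of any product it mentions. The systems, records, subject identifiers and request below are constructed sample data; only the 30-day timeframe comes from the article.

```python
"""
Added example, not from the original article: a minimal model of data subject
rights (DSR) fulfilment designed into a service from the start. The systems,
records and request below are constructed sample data; the 30-day figure is
the response timeframe the article cites for UU PDP rights requests.
"""
from __future__ import annotations

import copy
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SLA_DAYS = 30  # response timeframe the article cites
SAMPLE_RECEIVED = datetime(2025, 1, 6, tzinfo=timezone.utc)  # constructed receipt time

# Constructed sample: each service store is a list of records carrying a stable
# subject identifier. In practice these are the CRM, HR and ticketing systems
# the service portfolio flags as processing personal data.
SAMPLE_SYSTEMS: dict[str, list[dict]] = {
    "crm": [
        {"subject_id": "S-1001", "name": "Ani", "email": "ani@example.test"},
        {"subject_id": "S-1002", "name": "Budi", "email": "budi@example.test"},
    ],
    "support_tickets": [
        {"subject_id": "S-1001", "ticket": "T-77", "summary": "login issue"},
    ],
    "marketing": [],
}


def fresh_systems() -> dict[str, list[dict]]:
    """Deep copy of the sample so every run (and every deletion) starts clean."""
    return copy.deepcopy(SAMPLE_SYSTEMS)


@dataclass
class RightsRequest:
    """A data subject rights request handled as a service request ticket."""
    request_id: str
    subject_id: str
    right: str  # "access", "portability" or "deletion"
    received: datetime
    status: str = "open"
    actions: list[str] = field(default_factory=list)  # closure evidence

    @property
    def deadline(self) -> datetime:
        return self.received + timedelta(days=SLA_DAYS)

    def overdue(self, now: datetime) -> bool:
        return self.status == "open" and now > self.deadline


def locate(systems: dict, subject_id: str) -> dict[str, list[dict]]:
    """Every record about the subject, per system; only systems with hits are listed."""
    found = {}
    for name, records in systems.items():
        hits = [r for r in records if r.get("subject_id") == subject_id]
        if hits:
            found[name] = hits
    return found


def export_subject(systems: dict, subject_id: str) -> dict:
    """Right of access / portability: a structured bundle of all the subject's data."""
    return {"subject_id": subject_id, "systems": locate(systems, subject_id)}


def export_json(systems: dict, subject_id: str) -> str:
    """Machine-readable (JSON) form of the export bundle for portability."""
    return json.dumps(export_subject(systems, subject_id), indent=2, sort_keys=True)


def delete_subject(systems: dict, subject_id: str) -> dict[str, int]:
    """Right of deletion: remove every instance, then verify nothing remains.

    Returns the number of records removed per system. Raises if verification
    still finds the subject somewhere, so the ticket cannot close on a partial
    deletion.
    """
    removed = {}
    for name, records in systems.items():
        before = len(records)
        records[:] = [r for r in records if r.get("subject_id") != subject_id]
        if before != len(records):
            removed[name] = before - len(records)
    residue = locate(systems, subject_id)
    if residue:
        raise RuntimeError(f"deletion incomplete in: {sorted(residue)}")
    return removed


def fulfil(req: RightsRequest, systems: dict, now: datetime) -> RightsRequest:
    """Process the request and record what was done as the ticket's closure evidence."""
    if req.right in ("access", "portability"):
        payload = export_json(systems, req.subject_id)
        req.actions.append(f"exported {len(payload)} bytes of JSON to the subject")
    elif req.right == "deletion":
        removed = delete_subject(systems, req.subject_id)
        req.actions.append(f"deleted records per system: {removed}")
    else:
        raise ValueError(f"unsupported right: {req.right}")
    req.status = "closed"
    req.actions.append(f"closed {now.isoformat()} against deadline {req.deadline.isoformat()}")
    return req


if __name__ == "__main__":
    systems = fresh_systems()
    req = RightsRequest("DSR-0001", "S-1001", "deletion", SAMPLE_RECEIVED)
    fulfil(req, systems, SAMPLE_RECEIVED + timedelta(days=2))
    print(req.status, req.actions)
    print(export_json(systems, "S-1002"))
```

The design point is that `delete_subject` re-runs `locate` after deleting and refuses to return success while any instance remains; the ticket's closure evidence (`actions`) is then a record of verified deletion rather than of a deletion attempt, which is what the incident and service request records in the sections above are meant to prove.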

Change Management and UU PDP

Changes to services that process personal data may require a Data Protection Impact Assessment (DPIA) under UU PDP. A DPIA is an analysis of how a change affects personal data protection — does the change increase processing risk, introduce new personal data categories, extend retention periods, or change the legal basis for processing?

The change management procedure must integrate the DPIA requirement: when a change is proposed for a service that processes personal data, the change impact assessment must include DPIA elements. High-risk changes (changes affecting access controls, retention, encryption, or processing purposes) must trigger a formal DPIA before authorization.

Change records for personal data-processing system changes become UU PDP compliance evidence. They demonstrate that changes were assessed for data protection impact and that authorized changes met UU PDP requirements.

Configuration Management and Personal Data

Configuration management should flag configuration items (CIs) that process or store personal data. This enables rapid identification of data-processing systems during incident investigation. When a security incident occurs, investigators can quickly identify which personal data may be affected by reviewing the flagged CIs.

The CMDB access control policy must protect the confidentiality of the data processing register. Not all employees need to know which systems process which personal data categories. Access to the data-processing register within the CMDB should be restricted to authorized roles (data protection officer, security team, IT leadership).
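The flagged-CI lookup described in this section, the breach classification and 72-hour notification window from the incident management section, and the role-restricted register view, as an added example that is not part of the original article or of any product it mentions. The CMDB entries, CI names, data categories, roles and discovery time are constructed assumptions; only the 72-hour window comes from the article.

```python
"""
Added example, not from the original article: a constructed slice of a CMDB
whose configuration items (CIs) carry a personal-data flag, used to scope a
security incident to the data categories it may expose, to classify it as a
personal data breach, and to track the 72-hour notification window the
article cites. CI names, categories and roles are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)  # regulator notification window cited by the article
REGISTER_ROLES = {"dpo", "security", "it_leadership"}  # roles allowed to read the register

# Constructed sample CMDB. "depends_on" lists the infrastructure a CI relies on,
# so a compromised host also puts the data of services built on it in scope.
CMDB = {
    "crm-app":   {"personal_data": True,  "categories": {"name", "contact", "financial"}, "depends_on": ["db-01"]},
    "hr-app":    {"personal_data": True,  "categories": {"name", "contact", "health"},    "depends_on": ["db-01"]},
    "db-01":     {"personal_data": True,  "categories": set(),                            "depends_on": []},
    "web-proxy": {"personal_data": False, "categories": set(),                            "depends_on": []},
    "wiki":      {"personal_data": False, "categories": set(),                            "depends_on": []},
}
SAMPLE_DISCOVERED = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)  # constructed discovery time


def impacted_cis(cmdb: dict, affected: list[str]) -> set[str]:
    """Affected CIs plus every CI that transitively depends on one of them."""
    impacted = set(affected)
    grew = True
    while grew:
        grew = False
        for name, ci in cmdb.items():
            if name not in impacted and any(dep in impacted for dep in ci["depends_on"]):
                impacted.add(name)
                grew = True
    return impacted


def personal_data_scope(cmdb: dict, affected: list[str]) -> dict:
    """Flagged CIs and personal data categories potentially exposed by an incident."""
    impacted = impacted_cis(cmdb, affected)
    flagged = sorted(n for n in impacted if cmdb[n]["personal_data"])
    categories = set().union(*(cmdb[n]["categories"] for n in flagged))
    return {"impacted": sorted(impacted), "flagged": flagged, "categories": sorted(categories)}


def classify(scope: dict) -> str:
    """Route to the accelerated breach track only when flagged CIs are in scope."""
    return "personal_data_breach" if scope["flagged"] else "security_incident"


def notification_deadline(discovered: datetime) -> datetime:
    """Latest time the regulator notification decision must be made."""
    return discovered + NOTIFY_WINDOW


def hours_remaining(discovered: datetime, now: datetime) -> float:
    """Hours left in the 72-hour window; negative once it has lapsed."""
    return (notification_deadline(discovered) - now).total_seconds() / 3600


def register_view(cmdb: dict, role: str) -> dict[str, list[str]]:
    """Data processing register extract, restricted to authorized roles."""
    if role not in REGISTER_ROLES:
        raise PermissionError(f"role {role!r} may not read the data processing register")
    return {n: sorted(ci["categories"]) for n, ci in cmdb.items() if ci["personal_data"]}


if __name__ == "__main__":
    scope = personal_data_scope(CMDB, ["db-01"])
    print(classify(scope), scope)
    print("hours to notify:", hours_remaining(SAMPLE_DISCOVERED, SAMPLE_DISCOVERED + timedelta(hours=30)))
    print(register_view(CMDB, "dpo"))
```

Two choices matter here. Scope follows dependencies upward, so an incident on a shared database CI that itself records no categories still surfaces the categories of the applications stored on it. And the 72-hour clock starts from the discovery timestamp recorded on the incident, not from the moment someone decides the incident is a breach, which is why the classification step has to run as part of major incident triage rather than later.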

Supplier Management and UU PDP

Data processors — suppliers who process personal data on behalf of the organization — must have appropriate data processing agreements under UU PDP. The organization (data controller) must ensure that processors have the technical and organizational capability to protect personal data and must maintain contractual safeguards.

The supplier register should identify which suppliers are personal data processors and should note the categories of personal data they process. Supplier performance monitoring should include data protection compliance assessment. Processors should be required to maintain ISO 27001 or equivalent security certification.

The SMS-UU PDP Integration

The SMS documented information set supports UU PDP compliance through multiple mechanisms. Incident records provide evidence of breach management and notification. Service request records document data subject rights fulfillment. Change records document DPIA and change authorization for data protection changes. Configuration records identify data-processing systems. Supplier agreements document processor safeguards.

An organization with a mature ISO 20000 SMS has most of the documented information management infrastructure for UU PDP compliance already in place. The SMS is not a UU PDP-specific compliance program — rather, it is a governance framework that enables UU PDP compliance through standard IT service management practices.

KEY CONCEPT: UU PDP does not require ISO 20000 certification, but an organization with a mature ISO 20000 SMS has most of the documented information management infrastructure needed for UU PDP compliance already in place. The SMS is a UU PDP compliance enabler.

IMPORTANT: Personal data breach notification under UU PDP has a 72-hour timeline — this is shorter than many organizations' major incident resolution timelines. The major incident procedure must identify personal data breaches as a specific category with accelerated notification decision-making.

BITLION INSIGHT: Bitlion GRC UU PDP compliance module integrated with ISO 20000 SMS — data subject rights request tracking, breach notification workflow, and data processing register within the unified compliance platform.

UU PDP Obligations and SMS Process Integration

UU PDP Obligation | Relevant SMS Practice | Integration Mechanism | Evidence Generated
--- | --- | --- | ---
Lawful basis for processing; documented justification | Service portfolio design | Service portfolio documents legal basis for personal data processing for each service | Service portfolio entries noting legal basis (contract, consent, legitimate interest, etc.); data processing register extract
Data subject access right; 30-day response | Service request management | Data subject rights requests treated as service requests; SLA requires 30-day response; closure requires data export | Service request records with fulfillment evidence; data export records with subject confirmation
Data subject correction right | Service request + change management | Correction request logged as service request; data update processed as change; change record documents data correction; closure verifies accuracy | Service request record with correction details; change record documenting data update; subject confirmation of correction
Data subject deletion right; 30-day response | Service request + change management | Deletion request logged as service request; data deletion processed as change; change record documents deletion with date/time; closure verifies deletion | Service request record; change record with deletion evidence; log records showing data removal
Personal data breach notification; 72-hour timeline | Major incident management | Personal data breach identified as major incident category; escalation triggers breach notification decision; BSSN notification recorded; 72-hour timer enforced | Incident record with breach flag; breach notification decision record with timestamp; BSSN notification evidence; affected data subject notification records
Data protection impact assessment for high-risk changes | Change management | Change impact assessment template includes DPIA for personal data-processing changes; high-risk changes require formal DPIA before authorization | Change request records documenting DPIA completion; DPIA assessment documents; authorized change records
Personal data security measures; encryption | Configuration management; change management | CMDB flags CIs storing personal data; encryption requirements documented in CI configuration baselines; changes to encryption reviewed for data protection impact | CMDB CI security attributes; CI baseline documentation; encryption audit evidence; change records for encryption-relevant changes
Data processor agreements; processor oversight | Supplier management | Supplier register identifies processors; supplier agreements include data protection clauses; supplier performance monitoring includes data protection compliance | Supplier register with processor designation; supplier agreements documenting data protection obligations; supplier audit records demonstrating compliance