UU PDP Overview
Undang-Undang No. 27/2022 on Personal Data Protection (UU PDP) is Indonesia's first comprehensive data protection law. It was promulgated on 17 October 2022 and gave controllers and processors a two-year adjustment period (Article 74) to bring existing processing into line, so its obligations have applied in full since October 2024. It establishes rights for individuals whose personal data is processed and obligations for organizations that collect, process, or store personal data. UU PDP distinguishes the controller (the organization that decides how and why data is processed) from the processor (a service provider handling data on the controller's behalf) and is closely modelled on international frameworks such as the GDPR.
The law provides for a dedicated supervisory institution, established by the President, that receives complaints, investigates, and imposes administrative sanctions ranging from written warnings and temporary suspension of processing to orders to delete data and fines of up to 2% of annual revenue (Article 57). Its territorial scope (Article 2) covers any person, public body, or international organization processing personal data within Indonesia's jurisdiction, and processing outside Indonesia that has legal consequences within Indonesia or for Indonesian data subjects, so foreign organizations serving Indonesian residents are in scope.
The Intersection of Business Continuity and Data Protection
Business continuity events and data protection obligations create a complex intersection. During a disruption—particularly a cybersecurity incident like ransomware—organizations activate BCPs that often involve emergency access to systems, use of backup or recovery environments that may not have the same security controls as production systems, and temporary expansion of who can access personal data. Each of these emergency measures creates data protection risk.
Additionally, a cyber incident that triggers business continuity activation may simultaneously be a personal data breach. The organization must then manage both the BCP activation (restoring operations) and the breach notification obligation (written notice to affected individuals and the supervisory institution within 3 x 24 hours, i.e. 72 hours) at the same time, usually with the same small group of people and the same partially available systems. These parallel obligations create operational complexity and real conflicts in priorities, for example between wiping and rebuilding a compromised host quickly and preserving it long enough to establish what data it held.
Data Protection Obligations During a Disruption Event
UU PDP obligations do not suspend during a business continuity event, and the law contains no emergency exemption. What a controller can do is decide in advance who may access what, under which conditions, for how long, and with what logging, so that emergency measures are pre-authorized and bounded rather than improvised. The key is therefore to build data protection considerations into BCPs from the start. The following table shows how data protection obligations apply in different phases:
| UU PDP Obligation | Normal Operations Approach | During BCP Activation | BCM Integration Requirement |
|---|---|---|---|
| Data access controls (role-based access) | Restrictive, least-privilege model | Emergency access may be necessary and broader than normal | BCP must specify authorized emergency access roles; documented exceptions to normal controls |
| Breach notification (3 x 24 hours) | Structured notification process with investigation | Competes for the same responders and the same evidence as technical recovery | Pre-drafted notification procedure and decision criteria in BCP |
| Data minimization | Collect and process only necessary data | Recovery operations may restore and expose broader data sets than the disrupted service needs | Recovery procedures must respect minimization principle; post-recovery review of emergency data access |
| Data subject rights (access, correction, deletion) | Standard response process with timelines | Responses may be delayed while systems are unavailable, but the obligation itself is not suspended | BCP must address right-of-access handling during disruption phase and resumption timeline |
| Processor oversight | Contractual oversight and auditing | Emergency processors may be engaged without standard vetting | Pre-vetted list of emergency processors in vendor management; backup processor agreements |
Backup and Recovery: Data Protection Implications
Personal data in backups requires encryption and access controls equivalent to production data. When backups are restored to a disaster recovery environment, the organization must verify that the DR environment has the required data protection controls in place before personal data is transferred into it. A common mistake is treating DR recovery as a purely technical operation without considering data protection compliance. Recovery environments are often stood up quickly and may lack some of the production environment's controls (audit logging, MFA for administrators, restrictive network policy); this gap must be identified, and either closed or explicitly accepted as a documented exception, before the restore runs.
UU PDP does not impose a general data localization requirement, but it does regulate cross-border transfers (Article 56): a controller may transfer personal data outside Indonesia only if the destination country offers a level of protection equal to or higher than UU PDP, or adequate and binding safeguards are in place, or the data subject has consented. Separate sectoral rules, notably Government Regulation 71/2019 for public-sector electronic system operators, do require certain systems and data to be kept onshore. This affects disaster recovery planning. Organizations using cloud providers with global data centers must know where backup copies reside and where a failover will land; restoring into a region outside Indonesia is a cross-border transfer that needs one of the Article 56 bases documented in advance, and for systems subject to onshore requirements it is not an option at all.
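The two checks above (control parity of the recovery environment, and a documented basis for any cross-border restore) are easy to skip under pressure, so they are best encoded as a gate the restore runbook has to pass. The following is an added example written for this page, not code from the original article or from any product; the baseline control names, the backup and environment records, and the waiver mechanism are constructed for illustration and would be derived from your own ISMS control set.

```python
"""Pre-restore gate for personal-data backups (added example, constructed data).

Refuses to restore a backup containing personal data into a DR environment
until the environment shows the baseline controls, allows pre-approved waivers
only for controls marked waivable (the BCP's "documented exceptions"), and
requires a documented transfer basis before restoring across jurisdictions.
"""
from dataclasses import dataclass, field

# Baseline controls a DR environment must evidence before personal data lands
# in it. Value = whether the BCP may waive it with a documented exception.
# Constructed for this example; derive the real list from the production ISMS.
BASELINE = {
    "encryption_at_rest": False,
    "tls_in_transit": False,
    "audit_logging": False,
    "rbac_enforced": True,
    "mfa_for_admins": True,
}

# Transfer bases modelled on UU PDP Article 56; names are this example's own.
TRANSFER_BASES = {"adequate_protection", "binding_safeguards", "data_subject_consent"}


@dataclass
class Backup:
    name: str
    has_personal_data: bool
    encrypted: bool
    jurisdiction: str          # where the backup copy currently resides


@dataclass
class Environment:
    name: str
    jurisdiction: str          # where a restore into it would place the data
    controls: dict             # control name -> True once verified in place


@dataclass
class Decision:
    allowed: bool
    gaps: list = field(default_factory=list)
    waived: list = field(default_factory=list)


def evaluate_restore(backup, env, approved_waivers=(), transfer_basis=None):
    """Return a Decision; allowed only when no gap remains."""
    gaps, waived = [], []
    if not backup.has_personal_data:
        # No personal data: technical restore checks only, out of scope here.
        return Decision(True, gaps, waived)
    if not backup.encrypted:
        gaps.append(f"backup {backup.name} is not encrypted")
    for control, waivable in BASELINE.items():
        if env.controls.get(control) is True:
            continue
        if waivable and control in approved_waivers:
            waived.append(control)          # documented exception, still logged
        else:
            gaps.append(f"{control} missing in {env.name}")
    if env.jurisdiction != backup.jurisdiction:
        if transfer_basis not in TRANSFER_BASES:
            gaps.append(
                f"cross-border restore to {env.jurisdiction} has no documented transfer basis"
            )
    return Decision(not gaps, gaps, waived)


def main():
    # Constructed sample records.
    crm = Backup("crm-db", has_personal_data=True, encrypted=True, jurisdiction="ID")
    dr_site = Environment("dr-jakarta", "ID", {
        "encryption_at_rest": True, "tls_in_transit": True,
        "rbac_enforced": True, "mfa_for_admins": False, "audit_logging": False,
    })
    for label, decision in [
        ("no waivers", evaluate_restore(crm, dr_site)),
        ("mfa waived", evaluate_restore(crm, dr_site, approved_waivers=("mfa_for_admins",))),
    ]:
        print(f"{label}: allowed={decision.allowed} gaps={decision.gaps} waived={decision.waived}")


if __name__ == "__main__":
    main()
```

Note that `audit_logging` cannot be waived even when it appears in `approved_waivers`: without logs there is nothing for the post-recovery review of emergency access to examine. The gate is deliberately a pure function over declared state; wiring it to real evidence (cloud API calls, configuration scans) is where the actual work lies.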
The 72-Hour Breach Notification During a Crisis
UU PDP (Article 46) requires the controller to notify affected individuals and the supervisory institution in writing within 3 x 24 hours (72 hours) of a personal data protection failure; where the breach affects the public interest, the institution may also require public notification. This obligation applies regardless of whether a disruption event is ongoing. If a ransomware attack has compromised personal data and the organization is simultaneously managing BCP activation, the organization must meet both obligations in parallel, and the clock does not wait for forensics to finish.
Pre-drafted breach notification templates in the BCP are essential. They should cover the content Article 46 requires at minimum (what personal data was disclosed, when and how the disclosure happened, and what the controller is doing to handle and recover from it), plus the elements affected individuals actually need (recommended precautions and a contact point for questions), and they should name who is authorized to approve a notification during a crisis. When an incident is occurring, the organization is under stress and time pressure; without pre-drafted procedures and a pre-agreed approver, the 72-hour window is easily missed.
Integrating UU PDP Compliance into the BCMS
Organizations should integrate UU PDP considerations into each BCMS component. In the BIA, include personal data breach as a disruption impact dimension: how would a breach affect the organization, the affected individuals, and the organization's regulatory standing? In the BCP, include data protection procedures for the activation period (emergency access procedures, breach notification procedures, and the data protection controls a recovery environment must have before personal data is restored into it). In crisis communication planning, establish clear procedures for breach notification, specifying authorized communicators and pre-drafted templates. In the exercise program, include data breach scenarios in tabletop exercises to test breach notification responses. Track personal data exposure during activations as a BCM KPI.
Building the Integrated BCMS + Privacy Compliance Architecture
The most efficient approach is to build privacy considerations into BCM from the start, rather than treating privacy as a separate compliance domain. Privacy by design in BCP development means that every BCP procedure considers data protection implications. Data Protection Officer involvement in BCMS development ensures that privacy expertise shapes continuity planning. A combined incident response playbook addresses both cybersecurity response and privacy obligations. ISO 27001 (information security management) serves as the bridge connecting ISO 22301 (business continuity) and UU PDP (data protection), creating a unified resilience architecture.
| KEY IDEA | A business continuity event does not suspend your data protection obligations. The BCP activation period is often when personal data is most at risk—through emergency access grants, use of less-secure recovery systems, and elevated stress on data handling staff. |
| IMPORTANT | UU PDP's 72-hour breach notification obligation applies even during a major disruption. If a cyber incident (such as ransomware) both activates your BCP and triggers a personal data breach, you must manage both responses simultaneously. Pre-drafted procedures for this scenario are essential. |
| BITLION INSIGHT | Organizations that have built integrated BCMS + ISMS + privacy programs find that the three disciplines reinforce each other: security incidents feed continuity planning, continuity events surface data protection gaps, and privacy requirements drive security and continuity investment decisions. |