Alignment with UU PDP

Indonesia's Personal Data Protection Law — Undang-Undang Nomor 27 Tahun 2022 tentang Perlindungan Data Pribadi — came into full enforcement effect in late 2024 after a two-year transition period. It is Indonesia's first comprehensive personal data protection law, broadly modeled on the GDPR with adaptations for the Indonesian legal and regulatory context. For any Indonesian organization that collects, processes, or transfers personal data — which is essentially every organization with customers, employees, or digital operations — UU PDP creates legally binding obligations that carry administrative, criminal, and civil liability.

ISO 27001:2022 is the most directly relevant international standard for satisfying UU PDP's technical and organizational security requirements. Article 35 of UU PDP requires controllers and processors to implement 'appropriate technical and organizational security measures' — and a well-implemented ISO 27001 ISMS is the most credible evidence that this obligation has been taken seriously. But ISO 27001 alone does not fully satisfy UU PDP. There are six areas where UU PDP requires specific artifacts, processes, or mechanisms that ISO 27001 does not mandate — and organizations that treat their ISO 27001 certificate as proof of UU PDP compliance without addressing these gaps are exposed.

This article provides the complete practical mapping: the UU PDP chapter structure, article-by-article obligations with their primary ISO 27001 control mappings, the six gaps that require supplementary action, the enforcement landscape in 2026, and a unified implementation roadmap for organizations that want to pursue ISO 27001 certification and UU PDP compliance as a single integrated program rather than two separate workstreams.

UU PDP Structure: A Chapter Overview

UU No. 27 Tahun 2022 contains 82 articles organized into ten chapters (Bab). Understanding the chapter structure helps practitioners identify which parts of the law are most directly addressed by ISO 27001 controls and which require dedicated privacy program elements. The table below maps each chapter to its key ISMS-relevant content:

Bab I — Ketentuan Umum (Arts. 1–4): General Provisions
Defines personal data, data controllers, data processors, and the scope of the law. Establishes the territorial reach — applies to any processing affecting Indonesian data subjects regardless of where the processor is located.

Bab II — Jenis Data Pribadi (Arts. 5–6): Types of Personal Data
Distinguishes general personal data (name, address, email, phone, financial data) from specific personal data (health, biometric, genetic, criminal, child data, personal beliefs). Specific personal data receives heightened protection — requiring explicit consent and enhanced security measures.

Bab III — Hak Subjek Data Pribadi (Arts. 7–21): Rights of Data Subjects
Comprehensive rights: right to information, right to access, right to correction, right to completion, right to erasure and deletion, right to withdraw consent, right to object to automated processing, right to delay/restrict processing, right to data portability. Each right requires an organizational response procedure.

Bab IV — Pemrosesan Data Pribadi (Arts. 22–36): Processing of Personal Data
Establishes the six lawful bases for processing: consent, contract, legal obligation, vital interest, public task, and legitimate interest. Requires purpose limitation, data minimization, accuracy, retention limits, integrity and confidentiality, and accountability. The most directly ISMS-relevant chapter.

Bab V — Kewajiban Pengendali dan Prosesor (Arts. 37–56): Obligations of Controllers and Processors
Data controllers and processors must: implement appropriate technical and organizational measures (Article 35), conduct a PIA for high-risk processing (Article 34), appoint a DPO where required (Article 53), and establish a DPA with any processor handling personal data (Article 53). Breach notification to KOMINFO within 14 calendar days of discovery (Article 46).

Bab VI — Transfer Data (Arts. 57–63): Data Transfers
Cross-border transfer requires: the recipient country has an equivalent protection level, or appropriate safeguards (contractual clauses, binding corporate rules), or data subject consent. Indonesian data residency requirements for certain data categories. KOMINFO publishes the list of countries with adequate protection.

Bab VII–X — Lembaga, Larangan, Sanksi (Arts. 64–82): Institutional Provisions, Prohibitions, Sanctions
Establishes the Personal Data Protection Authority (under KOMINFO as of 2026). Prohibits unlawful processing, data theft, and privacy violations. Sanctions: administrative fines up to 2% of annual revenue; criminal penalties for intentional violations including imprisonment. Personal liability for corporate officers in some cases.

Enforcement status in 2026: UU PDP entered full enforcement as of November 2024, following the close of the two-year transitional period provided after its enactment on October 17, 2022. KOMINFO has been active in enforcement since late 2024 — the early enforcement focus has been on data breach notification failures (Art. 46), missing DPAs with processors (Art. 53), and inadequate security measures following public breaches (Art. 35). Organizations that have not yet built the foundational UU PDP compliance program are at material enforcement risk in 2026.

Article-by-Article Obligation and ISO 27001 Control Mapping

The table below provides a complete mapping from UU PDP articles to ISO 27001:2022 Annex A controls. Each row covers the UU PDP obligation, the primary controls that address it, and the most common implementation gap — organized to be usable both as an implementation guide and as a regulatory response document:

Art. 5–6: Types of personal data (general vs. specific)
Obligation: Identify and classify all personal data processed by the organization. Specific personal data (health, biometric, criminal, child, personal beliefs) requires explicit consent and heightened security measures.
Primary ISO 27001 controls:
• 5.9 Inventory of information and assets — personal data must be in the asset inventory
• 5.12 Classification of information — personal data must be classified by type, with specific personal data at the highest classification
• 5.34 Privacy and PII — specific personal data types must be identified in the privacy framework
Most common gap: asset inventory does not specifically identify personal data assets and does not distinguish general from specific personal data. Classification policy does not reference UU PDP categories.

Art. 7–21: Data subject rights (9 rights requiring organizational response)
Obligation: Establish procedures to respond to data subject rights requests within defined timelines. Right to access (Art. 12): respond within 24 hours, fulfill within 72 hours of verification. Right to erasure (Art. 16): fulfill within 3×24 hours. Right to data portability (Art. 18): fulfill within 3×24 hours.
Primary ISO 27001 controls:
• 5.34 Privacy and PII — data subject rights procedures within the privacy framework
• 5.26 Incident response — erasure requests that cannot be fulfilled must be documented and responded to
• 5.18 Access rights — enabling data subjects to access their own data requires controlled access management
• 8.10 Information deletion — right to erasure requires technical capability to permanently delete personal data
Most common gap: no documented procedure for each of the 9 rights. Rights are acknowledged in the privacy notice but no operational process exists for receiving, verifying, processing, and responding to requests within the statutory timelines.

Art. 22–28: Lawful basis and processing principles
Obligation: Every processing activity must have a documented lawful basis (consent, contract, legal obligation, vital interest, public task, or legitimate interest). Processing must comply with: purpose limitation, data minimization, accuracy, retention limits, integrity and confidentiality, and accountability.
Primary ISO 27001 controls:
• 5.34 Privacy and PII — lawful basis must be recorded per processing activity in the data processing register
• 5.9 Asset inventory — processing activities are assets; must be inventoried with lawful basis
• 5.12 Classification — data must be classified to implement data minimization and retention
• 8.10 Information deletion — retention limit compliance requires automated or procedural deletion on schedule
Most common gap: lawful basis is recorded in the privacy notice but not in an internal data processing register. Purpose limitation is not enforced technically — data collected for purpose A is used for purpose B without a separate lawful basis.

Art. 29–33: Consent requirements
Obligation: Where consent is the lawful basis, it must be explicit, informed, specific, and freely given. It must be distinguishable from other matters and easily withdrawable. Organizations must prove consent was given — the burden of proof is on the controller. Service delivery cannot be conditioned on consent for unrelated processing.
Primary ISO 27001 controls:
• 5.34 Privacy and PII — consent management within the privacy framework
• 5.1 IS policies — privacy policy must reflect consent requirements
• 6.3 Awareness — staff who collect consent must be trained on UU PDP consent requirements
Most common gap: consent checkboxes are pre-ticked. Consent is bundled with terms and conditions rather than separate. No documented mechanism for withdrawing consent or evidence that withdrawal is honored.

Art. 34: Privacy Impact Assessment (PIA)
Obligation: Controllers must conduct a PIA before processing that is likely to result in high risk to data subjects — including large-scale processing of specific personal data, systematic profiling, new technologies, and processing of data about vulnerable groups. The PIA must be documented and include risk mitigation measures.
Primary ISO 27001 controls:
• 5.8 IS in project management — PIA must be integrated into the project delivery process as a security gate
• 6.1.2 Risk assessment methodology — PIA methodology should align with or reference the ISMS risk methodology
• 5.34 Privacy and PII — PIA process within the privacy framework
Most common gap: PIA is not integrated into project delivery. New systems go live without a PIA having been conducted. ISMS risk assessment covers security risks but does not explicitly address privacy risks as a distinct category.

Art. 35: Technical and organizational security measures
Obligation: Data controllers and processors must implement appropriate technical and organizational security measures — commensurate with the risk level, the nature of the data, and the state of the art. This is the article that ISO 27001 implementation most directly addresses.
Primary ISO 27001 controls:
• All applicable Annex A controls — the entire ISMS is the organizational response to Art. 35
• 8.24 Cryptography — encryption for personal data in transit and at rest
• 8.12 DLP — prevention of unauthorized disclosure
• 8.15 Logging — audit trail of personal data access
• 8.5 Secure authentication — controls who can access personal data
• 5.15–5.18 Access governance — limiting personal data access to need-to-know
Most common gap: ISO 27001 certification is cited as satisfying Art. 35 but the ISMS scope does not cover the systems that process personal data. A certificate for a limited scope does not satisfy Art. 35 for systems outside that scope.

Art. 37–45: Accountability and data governance
Obligation: Controllers must be able to demonstrate compliance (accountability principle). They must maintain records of processing activities, implement privacy by design and default, and conduct periodic reviews of security measures and processing activities.
Primary ISO 27001 controls:
• 5.34 Privacy and PII — records of processing activities (Article 39, equivalent to GDPR Article 30)
• 5.35 Independent review — periodic independent review of privacy and security measures
• 9.2 Internal audit — ISMS internal audit process applies to personal data controls
• 9.3 Management review — privacy compliance must be a management review input
Most common gap: records of processing activities (RoPA) do not exist. The organization has a privacy policy but no internal inventory of what is processed, where, for what purpose, and with what legal basis. The RoPA is the accountability instrument.

Art. 46: Personal data breach notification
Obligation: Notify KOMINFO within 14 calendar days of discovering a personal data breach. The notification must include: what was breached, how many data subjects were affected, potential impacts, and corrective actions taken. Notify affected data subjects if the breach creates high risk to their rights and freedoms. The 14-day clock starts on discovery — not on confirmation.
Primary ISO 27001 controls:
• 5.24 Incident management planning — breach response procedure must explicitly address UU PDP notification
• 5.25 Assessment and decision — breach classification must identify whether UU PDP notification is triggered
• 5.26 Response to incidents — breach notification to KOMINFO within 14 days
• 5.27 Learning from incidents — post-breach review must assess notification timeline compliance
• 5.28 Collection of evidence — evidence preservation for potential regulatory investigation
Most common gap: the incident response procedure describes technical response but does not include the KOMINFO notification step, the KOMINFO portal URL, the data elements required in the notification, or the responsible person. Organizations discover the obligation after a breach occurs, under time pressure.

Art. 47–53: Data Processing Agreements (DPAs) and processor obligations
Obligation: Where a controller engages a processor to handle personal data, a written DPA is required. The DPA must specify: processing purposes, types of personal data, security obligations, sub-processor disclosure, data return or destruction on contract end, and the right to audit. Processors carry independent obligations and can be held liable.
Primary ISO 27001 controls:
• 5.19 IS in supplier relationships — security requirements apply to all processors
• 5.20 IS in supplier agreements — DPA is a required component of processor agreements
• 5.22 Monitoring of supplier services — ongoing monitoring of processor security performance
• 8.30 Outsourced development — if development involves personal data, DPA requirements apply
Most common gap: supplier contracts exist but do not include DPA provisions. The organization assumes a generic service agreement satisfies UU PDP. KOMINFO enforcement has specifically targeted missing DPAs as an easy-to-identify compliance failure.

Art. 57–63: Cross-border data transfers
Obligation: Transfer of personal data outside Indonesia requires: (a) the recipient country offers equivalent protection (KOMINFO publishes an adequacy list), or (b) appropriate safeguards are in place (contractual clauses, binding corporate rules), or (c) specific data subject consent. Transfers must be coordinated with KOMINFO.
Primary ISO 27001 controls:
• 5.14 Information transfer — transfer policy must address cross-border transfers under UU PDP
• 5.20 Supplier agreements — international processor contracts must include transfer safeguards
• 5.34 Privacy and PII — cross-border transfer rules within the privacy framework
• 5.31 Legal requirements — UU PDP Art. 57–63 must be listed as a compliance obligation for organizations transferring data internationally
Most common gap: the organization uses US/EU-based SaaS providers that process Indonesian personal data without a cross-border transfer mechanism. 'The provider has ISO 27001' does not satisfy UU PDP's transfer requirements — a specific adequacy decision or contractual safeguard is required.
Using this mapping with regulators: When KOMINFO, OJK, or BI examiners ask how the organization addresses specific UU PDP articles, this mapping provides the direct answer — citing specific ISO 27001 controls and their implementation evidence. The mapping should be maintained as a controlled document in the ISMS, updated when the risk register, SoA, or control implementation status changes. Organizations that can produce this mapping on demand demonstrate the level of regulatory engagement that examiners find credible.

Six Gaps: Where ISO 27001 Alone Is Not Enough

ISO 27001 is necessary but not sufficient for UU PDP compliance. There are six specific UU PDP requirements where the standard does not mandate the specific artifact, process, or mechanism required by Indonesian law. Organizations that obtain ISO 27001 certification without addressing these gaps are not UU PDP compliant — and the gaps are precisely the ones most likely to be identified in KOMINFO examinations:

Records of Processing Activities (RoPA)
UU PDP article: Art. 39 (accountability principle; Art. 37–45 governance obligations)
ISO 27001 partial coverage: 5.9 (asset inventory) partially covers this — assets include information, but the RoPA requires processing activity detail beyond what a standard asset inventory captures.
What ISO 27001 does not require: ISO 27001 does not explicitly require a RoPA. Organizations implementing ISO 27001 without UU PDP awareness typically maintain an asset inventory but not a processing register. The RoPA must be built as a supplementary artifact.
Supplementary action required: Build a RoPA covering: processing activity name, purpose, lawful basis, data categories, data subjects, recipients, cross-border transfers, retention period, security measures. Integrate it into the ISMS as a Clause 4.2 interested parties documentation artifact.

Data Subject Rights Response Process
UU PDP article: Art. 7–21 (9 enumerated rights with specific response timelines)
ISO 27001 partial coverage: 5.34 (Privacy and PII) and 5.18 (Access rights) partially address this, but the standard does not specify response timelines or enumerate specific rights.
What ISO 27001 does not require: ISO 27001 requires managing personal data appropriately but does not require a formal procedure for each data subject right with statutory response timelines.
Supplementary action required: Build a data subject rights procedure covering each of the 9 rights with: intake channel, verification process, response timeline (aligned to UU PDP timelines), response template, escalation path, and logging for accountability.

Privacy Impact Assessment (PIA)
UU PDP article: Art. 34 (mandatory for high-risk processing)
ISO 27001 partial coverage: 5.8 (IS in project management) and Clause 6.1.2 (risk assessment) address security risk in projects but do not specifically require a privacy-focused impact assessment.
What ISO 27001 does not require: ISO 27001 risk assessments are information security risk assessments — they assess CIA risks to organizational assets. UU PDP requires assessment of risks to data subjects' rights and freedoms — a different analytical perspective.
Supplementary action required: Develop a PIA methodology and template aligned to UU PDP Art. 34. Integrate the PIA as a project security gate in the SDLC (8.25). Define high-risk processing triggers: large-scale processing of specific personal data, profiling, new technology deployment, vulnerable populations.

Data Protection Officer (DPO)
UU PDP article: Art. 53 (mandatory for certain categories of controller)
ISO 27001 partial coverage: 5.2 (IS roles and responsibilities) covers ISMS roles but does not specifically require a DPO.
What ISO 27001 does not require: The DPO requirement under UU PDP applies to: public bodies, private organizations whose core activities involve large-scale processing of specific personal data, and organizations whose core activities involve systematic monitoring. A named DPO with defined responsibilities is a UU PDP requirement — ISO 27001 roles do not substitute.
Supplementary action required: Assess whether the organization meets the UU PDP DPO criteria. If yes: appoint a DPO with a formal role description. If no: document the assessment and rationale. Either way, assign privacy responsibilities explicitly in the ISMS RACI.

Cross-border transfer mechanism
UU PDP article: Art. 57–63 (specific requirements for international data transfer)
ISO 27001 partial coverage: 5.14 (Information transfer) and 5.20 (Supplier agreements) address information transfer broadly, including security requirements in supplier contracts.
What ISO 27001 does not require: ISO 27001 does not require a legal transfer mechanism for cross-border data flows. Supplier agreements under ISO 27001 include security requirements — but not the adequacy determination, contractual standard clauses, or consent mechanisms required by UU PDP for international transfers.
Supplementary action required: Map all cross-border data transfers (particularly to US-based cloud providers and SaaS). For each transfer, identify the applicable mechanism (KOMINFO adequacy decision, contractual clauses, or consent). Update supplier agreements to include transfer mechanism documentation.

Breach notification to affected data subjects
UU PDP article: Art. 46 (notification to data subjects where the breach creates high risk)
ISO 27001 partial coverage: 5.26 (Incident response) covers breach notification broadly, including notification to 'relevant stakeholders'. KOMINFO notification is explicitly addressed in Indonesian implementations.
What ISO 27001 does not require: ISO 27001 requires notification to relevant stakeholders — but does not specifically require individual notification to affected data subjects based on a risk assessment of the breach. UU PDP requires this additional notification step when the breach creates high risk to data subjects.
Supplementary action required: Update the incident response procedure to include an assessment of whether the breach creates 'high risk' to data subjects under UU PDP, and if so, notification to affected data subjects with defined content requirements, timeline, and method.
The DPA gap is the highest-risk gap for enforcement: KOMINFO's early enforcement actions have specifically targeted the absence of Data Processing Agreements with processors. A bank that uses a SaaS-based core banking provider without a DPA, or a health platform that uses a US-based cloud provider without a cross-border transfer mechanism, is exposed to enforcement regardless of its ISO 27001 certificate. The DPA program — identifying all processors, executing DPAs with each, and monitoring compliance — is a discrete project that should run concurrently with ISO 27001 implementation, not after certification.

The UU PDP Enforcement Landscape in 2026

Understanding how UU PDP is enforced helps organizations prioritize compliance investments. The enforcement landscape as of early 2026 reflects the beginning of an active enforcement regime — KOMINFO has demonstrated willingness to act, and the enforcement mechanisms are fully operative:

Administrative sanctions (UU PDP Art. 57–60)
Detail and severity: Warning, temporary suspension of data processing, deletion of personal data, or administrative fines up to 2% of annual revenue (domestic) for each violation. Fines may be imposed per occurrence — multiple violations can compound.
Most common trigger: Non-compliance with processing principles, failure to implement adequate security measures, missing DPA with processors, failure to notify KOMINFO within 14 days of a breach.

Criminal penalties (UU PDP Art. 67–73)
Detail and severity: Intentional unlawful processing: criminal imprisonment of 5–6 years and fines of IDR 5–6 billion. Unlawful transfer or disclosure: criminal imprisonment of 4–5 years and fines of IDR 4–5 billion. Personal liability for officers: UU PDP creates direct personal criminal liability for corporate officers who authorize violations.
Most common trigger: Intentional unauthorized processing, data theft, profiling without consent, disclosure of specific personal data without authorization, international transfer in violation of Art. 57–63.

KOMINFO supervisory examination (UU PDP Art. 64–66)
Detail and severity: KOMINFO (or the designated personal data protection authority) has authority to examine organizations' compliance with UU PDP. Examinations may be triggered by complaints, breach notifications, or sector risk assessments. Organizations must respond to examination requests within defined timelines.
Most common trigger: A data breach notification triggers automatic examination. Consumer complaints. Sector-based supervisory programs (similar to OJK IT examinations for financial institutions).

Civil claims by data subjects (UU PDP Art. 58–59)
Detail and severity: Data subjects may bring civil claims for damages resulting from UU PDP violations. Compensation can include actual damages and non-material damages. Class action by groups of affected data subjects is possible under Indonesian civil procedure law.
Most common trigger: Any UU PDP violation that causes damage to data subjects — including unauthorized disclosure, failure to respond to rights requests, processing without lawful basis.

The practical enforcement priorities emerging from KOMINFO's first year of active enforcement (late 2024 – early 2026): breach notification failures are the most common trigger for formal enforcement action, because they are self-disclosing — organizations that report breaches are simultaneously disclosing potential non-compliance. Missing DPAs are the most common gap identified in supervised examinations — they are easy to verify (request the supplier contract) and easy to sanction. Inadequate security measures following a breach are the most severe enforcement scenario — they trigger both administrative and potentially criminal consequences.

Specific Personal Data: The Heightened Protection Requirement

UU PDP Article 6 creates a category of 'specific personal data' (data pribadi yang bersifat spesifik) that requires heightened protection: health and medical data, biometric data, genetic data, criminal records, financial data beyond general financial information, personal beliefs and religious views, and personal data of children.

Organizations that process specific personal data must implement security measures commensurate with the higher risk level — which in practice means stronger encryption, more stringent access controls, separate classification handling, and specific consent and retention requirements. In the ISO 27001 context, specific personal data should be classified at the Restricted level (or equivalent top tier) in the data classification scheme, with controls calibrated to that classification level.

Fintech-specific exposure: financial data

UU PDP includes 'financial data beyond general financial information' in the specific personal data category. For fintech organizations and financial institutions, this creates a practical question: does transaction data, account balance history, loan repayment records, and credit scoring data constitute 'specific personal data'? The safe interpretation — adopted by most compliance professionals in 2026 — is that detailed financial data should be treated as specific personal data, triggering the heightened protection requirements. This has direct implications for encryption standards, access controls, DPA requirements, and breach notification assessment.

Unified Implementation Roadmap: ISO 27001 + UU PDP

The most efficient approach to achieving both ISO 27001 certification and UU PDP compliance is to treat them as a single integrated program from the beginning — not sequential projects. The unified roadmap below shows how the two programs' activities integrate across a 12-month implementation cycle, identifying the integration points where a single artifact or process satisfies both requirements simultaneously:

Phase 1 — Unified Foundation (Month 1–3)
ISO 27001 activities:
  • ISMS scope definition
  • Context and interested parties analysis
  • IS policy with UU PDP regulatory references
  • Initial risk assessment
  • Asset inventory
UU PDP activities:
  • Personal data mapping — what data, where, for what purpose
  • Lawful basis identification for each processing activity
  • Data subject rights gap assessment
  • Processor identification for DPA requirements
Integration point: Scope statement explicitly includes personal data processing systems. IS policy references UU PDP articles by number. Asset inventory = RoPA foundation.

Phase 2 — Risk and Control Selection (Month 3–6)
ISO 27001 activities:
  • Risk assessment with privacy risks added as a category
  • SoA with UU PDP regulatory mapping column
  • Risk treatment plan including privacy controls
  • Policy suite development
UU PDP activities:
  • PIA methodology development
  • Privacy notice review and update
  • DPA template development
  • Data subject rights procedure development
Integration point: Risk assessment includes 'risk to data subjects' as an impact dimension alongside CIA risks. SoA justifications reference UU PDP articles for privacy-relevant controls. PIA methodology references the ISMS risk methodology.

Phase 3 — Control Implementation (Month 6–9)
ISO 27001 activities:
  • Technical control deployment (MFA, DLP, encryption, access controls)
  • Logging and monitoring operational
  • Incident response procedure
  • Supplier security addenda
UU PDP activities:
  • DPA execution with all personal data processors
  • Consent management implementation (where consent is the lawful basis)
  • Data deletion procedure and schedule
  • Cross-border transfer mechanism for international processors
Integration point: Supplier security addenda include DPA provisions. DLP configuration covers personal data classification categories. Incident response procedure includes the UU PDP 14-day notification step. Deletion schedule aligns to the retention policy.

Phase 4 — Assurance and Certification (Month 9–12)
ISO 27001 activities:
  • Internal audit
  • Management review
  • Stage 1 documentation submission
  • Stage 2 audit
UU PDP activities:
  • Internal UU PDP compliance audit
  • Records of processing activities (RoPA) finalized
  • DPO appointed (if applicable)
  • KOMINFO registration (if required)
Integration point: Internal audit covers both ISMS clauses and UU PDP obligations. Management review includes UU PDP compliance status as an input. Stage 1 documentation demonstrates UU PDP alignment.

The key insight in the unified roadmap is that the integration points are more numerous than most organizations expect. A scope statement that explicitly includes personal data processing systems satisfies both ISO 27001 Clause 4.3 and UU PDP's accountability requirement for organizational coverage. An IS policy with UU PDP article references satisfies both ISO 27001 Clause 5.2 and UU PDP's requirement for a documented privacy policy. A risk register that includes 'risk to data subjects' as an impact dimension satisfies both ISO 27001 Clause 6.1.2 and UU PDP's requirement for risk-based decision-making. Building these integrations from the start reduces the total implementation effort by 30–40% compared to running two separate compliance programs.

The Indonesian Privacy Program: Required Artifacts Beyond ISO 27001

Beyond the six gaps identified above, a complete UU PDP compliance program requires the following artifacts that ISO 27001 does not produce — each of which can and should be integrated into the ISMS documentation library:

  • Records of Processing Activities (RoPA): A structured register of all processing activities covering processing name, purpose, lawful basis, data categories, data subjects, recipients, cross-border transfers, retention periods, and security measures. The RoPA is the accountability instrument for Art. 37–45.
  • Privacy Notice(s): Public-facing disclosure of processing activities, lawful bases, data subject rights, and contact information for rights requests. Must be updated when processing activities change.
  • Data Subject Rights Procedure: Documented process for receiving, verifying, processing, and responding to each of the 9 UU PDP rights, with response timelines per article.
  • Consent Management Mechanism: Where consent is the lawful basis, a documented and technical mechanism for capturing, recording, and honoring consent and withdrawal.
  • Privacy Impact Assessment (PIA) Methodology and Register: A documented PIA process triggered by defined high-risk processing criteria, with a register of completed PIAs and their outcomes.
  • Data Protection Officer (DPO) Appointment (where applicable): A named DPO with a documented role description, independence protections, and contact information published for data subjects.
  • Data Processing Agreement (DPA) Template and Register: Standard DPA template and a register of all processors with DPA execution status.
  • Cross-Border Transfer Documentation: For each international transfer: the applicable transfer mechanism (adequacy, contractual clauses, or consent) and supporting documentation.
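As an added illustration of how the RoPA, DPA register and cross-border transfer documentation listed above fit together (example code written for this article, not Bitlion's module or a legal template), the following Python check runs this article's own "most common gap" tests over a constructed processing register. The register schema, field names, the `Restricted` label and the two-letter country codes are assumptions of the example.

```python
"""RoPA completeness check modelled on the UU PDP obligations described in this article.

Hypothetical register schema (an assumption of this example): each processing activity
records the RoPA fields the article lists, plus a classification label and a flag saying
whether consent was captured explicitly, so the specific-personal-data rules can be checked.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The six lawful bases of Art. 22-28.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interest",
                "public task", "legitimate interest"}

# Specific personal data categories of Art. 6 as enumerated in the article; the
# category labels themselves are an assumption of this example.
SPECIFIC_CATEGORIES = {"health", "biometric", "genetic", "criminal", "child",
                       "personal beliefs", "detailed financial"}

# Cross-border transfer mechanisms the article lists under Art. 57-63.
TRANSFER_MECHANISMS = {"adequacy", "contractual clauses", "binding corporate rules", "consent"}


@dataclass
class Recipient:
    name: str
    country: str                       # "ID" for Indonesia (assumed convention)
    is_processor: bool = False
    dpa_executed: bool = False         # Art. 47-53 written DPA in place
    transfer_mechanism: Optional[str] = None


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    lawful_basis: str
    data_categories: Set[str]
    data_subjects: Set[str]
    recipients: List[Recipient] = field(default_factory=list)
    retention_period: Optional[str] = None
    security_measures: Set[str] = field(default_factory=set)
    classification: str = "Internal"
    consent_explicit: bool = False     # only meaningful when lawful_basis == "consent"


def is_specific(activity: ProcessingActivity) -> bool:
    """True when any data category falls under Art. 6 specific personal data."""
    return bool(activity.data_categories & SPECIFIC_CATEGORIES)


def check_activity(a: ProcessingActivity) -> List[str]:
    """Return the gaps the article describes for one processing activity (empty list = none)."""
    findings: List[str] = []
    if not a.purpose.strip():
        findings.append("purpose limitation: no documented purpose")
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append(f"lawful basis: '{a.lawful_basis}' is not one of the six UU PDP bases")
    if not a.retention_period:
        findings.append("retention limit: no retention period recorded")
    if is_specific(a):
        # Heightened protection: top-tier classification, and explicit consent if consent is the basis.
        if a.classification != "Restricted":
            findings.append("specific personal data is not classified as Restricted")
        if a.lawful_basis == "consent" and not a.consent_explicit:
            findings.append("specific personal data processed on consent that was not captured explicitly")
    for r in a.recipients:
        if r.is_processor and not r.dpa_executed:
            findings.append(f"processor '{r.name}': no DPA executed (Art. 47-53)")
        if r.country != "ID" and r.transfer_mechanism not in TRANSFER_MECHANISMS:
            findings.append(f"recipient '{r.name}' in {r.country}: no cross-border transfer mechanism (Art. 57-63)")
    return findings


def check_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each non-compliant activity name to its findings; compliant activities are omitted."""
    return {a.name: f for a in register if (f := check_activity(a))}


# Constructed sample register: illustrative values only, not any real organization's data.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="Payroll", purpose="Salary payment and tax reporting", lawful_basis="legal obligation",
        data_categories={"name", "employee id", "tax id"}, data_subjects={"employees"},
        recipients=[Recipient("Local payroll bureau", "ID", is_processor=True, dpa_executed=True)],
        retention_period="10 years after employment ends",
        security_measures={"encryption at rest", "MFA", "access logging"}, classification="Confidential",
    ),
    ProcessingActivity(
        name="Telehealth consultations", purpose="Delivery of remote medical advice", lawful_basis="consent",
        data_categories={"name", "health"}, data_subjects={"patients"},
        # The article's own scenario: a US-based SaaS processor with neither a DPA nor a transfer mechanism.
        recipients=[Recipient("US video SaaS", "US", is_processor=True, dpa_executed=False)],
        retention_period=None, security_measures={"TLS"}, classification="Internal", consent_explicit=False,
    ),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name)
        for f in findings:
            print("  -", f)
```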
Bitlion UU PDP module: Bitlion's GRC platform includes a UU PDP compliance module that maintains the RoPA, data subject rights request tracker, PIA register, DPA register, and consent management documentation as integrated components of the ISMS. The module maps each UU PDP article to the relevant Annex A controls in real time — when control implementation status changes, the UU PDP compliance dashboard updates automatically. The breach notification workflow includes the KOMINFO 14-day notification tracker with automated reminders at Day 7, Day 10, and Day 13 after breach discovery.

ISO 27001 and UU PDP: Complementary, Not Competing

The relationship between ISO 27001 and UU PDP is complementary rather than competitive. ISO 27001 provides the information security management framework — the risk-based approach, the governance structure, the operational controls, and the independent audit certification. UU PDP provides the legal obligations that define what must be protected, how it must be protected, and what happens when it is not.

For Indonesian organizations, the most credible UU PDP compliance posture in 2026 is an ISO 27001 certificate combined with a documented privacy program that addresses the six gaps identified in this article. The certificate demonstrates that security controls are systematic, risk-based, and independently verified. The privacy program demonstrates that the specific obligations of UU PDP — rights management, DPAs, breach notification, transfer mechanisms — have been operationalized. Together, they constitute the level of accountability that UU PDP's Article 37–45 governance obligations require.

Organizations that choose between them — pursuing either ISO 27001 without UU PDP compliance measures, or UU PDP compliance without the governance structure of ISO 27001 — produce a compliance posture that is either unverifiable (UU PDP compliance without ISO 27001) or incomplete (ISO 27001 without UU PDP gaps addressed). The integrated approach is both more efficient to build and more credible to regulators.