The Urgency of the RUU Perlindungan Data Pribadi (Personal Data Protection Bill)
RUU PERLINDUNGAN DATA PRIBADI
Eryk B. Pratama, S.Kom, M.M, M.Kom
Data Privacy & Cyber Security Consultant at Global Consulting Firm
Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid)
https://medium.com/@proferyk & https://slideshare.net/proferyk
UPN Veteran Jakarta – Webinar DISK
The Urgency for Data Resilience and Security
A perspective on data breaches - Indonesia
Setting up the Context
https://www.cnnindonesia.com/teknologi/20200506065657-185-500477/13-juta-data-bocor-bukalapak-dijual-di-forum-hacker
https://tekno.kompas.com/read/2020/05/10/21120067/hacker-klaim-punya-data-12-juta-pengguna-bhinnekacom?page=all
https://www.thejakartapost.com/news/2020/05/04/tokopedia-data-breach-exposes-vulnerability-of-personal-data.html
https://www.thejakartapost.com/news/2019/09/19/lion-air-leak-puts-data-protection-in-spotlight.html
Key Information Security Controls
▪ System configuration
▪ Access management
▪ Third party risk
▪ Human risks (Carelessness)
A perspective on misuse of data - Indonesia
Setting up the Context
https://www.cnnindonesia.com/nasional/20200711053527-20-523446/data-pribadi-bocor-denny-siregar-bakal-gugat-telkomsel
Data Privacy vs Data Protection
▪ Data Privacy: Ethics & Regulation
▪ Data Protection: Information Security Control
Privacy Management Complexity
Privacy Program Management
Source: https://assets.kpmg/content/dam/kpmg/be/pdf/2017/Factsheet_DATA_PRIVACY_AND_PROTECTION_2016.pdf
Key Challenges
Privacy Program Management
Common Issues based on GDPR Enforcement
GDPR principles:
▪ Lawfulness, fairness and transparency: processing is based on legitimate grounds and conforms to expectations.
▪ Purpose Limitation: data must only be collected for specified, explicit and legitimate purposes.
▪ Data Minimisation: collected data must be adequate, relevant and limited to what is necessary for the purpose.
▪ Accuracy: collected data must be accurate and kept up to date.
▪ Storage Limitation: data must be retained only as long as necessary.
▪ Integrity and Confidentiality: data must be processed securely.
Common enforcement findings:
▪ Insufficient legal basis for data processing
▪ Insufficient technical and organizational measures to ensure information security
▪ Non-compliance with general data processing principles
▪ Insufficient fulfilment of data subjects' rights
▪ Insufficient fulfilment of data breach notification obligations
Regulation: RUU Perlindungan Data Pribadi
Regulation Aspects
Key Highlight
▪ Explicit consent is required from the data owner for personal data processing.
▪ Response timelines for data subject rights have been separately called out in the RUU PDP.
▪ The data controller must notify the data owner and the Minister within 3 days of a data breach.
▪ Penalties for non-compliance may range from Rp 10 billion to Rp 70 billion or imprisonment ranging from 2 to 7 years.
Roles defined: Data Owner, Data Controller, Data Processor, Data Protection Officer
Data Controller – Pengendali Data Pribadi
Regulation Aspects
Data Controller Obligations
Article: Description
Article 24:
▪ must provide information on the legality of the processing, the purpose of the processing, the type and relevance of the processing, the document retention period, details of the information collected, and the period of data processing
▪ must demonstrate proof of the consent given by the Personal Data Owner
Article 25: must stop processing Personal Data if the Personal Data Owner withdraws consent to the processing of Personal Data
Article 27: must protect and ensure the security of the Personal Data it processes by:
▪ drawing up and applying technical and operational measures to protect Personal Data
▪ determining the security level of Personal Data with regard to the nature and risk of the Personal Data that must be protected during processing
Article 28: must supervise every party involved in the processing of Personal Data
Article 29: must ensure the protection of Personal Data against unlawful processing of Personal Data
Article 36: must process Personal Data in accordance with the purpose of processing approved by the Personal Data Owner (explicit / implicit consent)
Articles 38 and 39: deletion and destruction of personal data
Data Protection Officer – Fungsi Perlindungan Data Pribadi (Personal Data Protection Function)
Regulation Aspects
▪ must be appointed on the basis of professional qualities and knowledge of the law and practice of Personal Data protection.
▪ may come from inside and/or outside the Personal Data Controller or Personal Data Processor.
▪ informs and advises the Data Controller and Data Processor
▪ monitors and ensures compliance with this Law and the policies of the Personal Data Controller or Personal Data Processor
▪ advises on Personal Data protection impact assessments and monitors the performance of the Data Controller and Data Processor
▪ coordinates and acts as the contact point for issues related to the processing of Personal Data
▪ In carrying out these duties, must have regard to the risks related to the processing of Personal Data, taking into account the nature, scope, context and purpose of the processing
Data Privacy Officer / Data Protection Officer
Common Mistakes in Data Privacy – GDPR Enforcement [SAMPLE]
Regulation Aspects
https://www.enforcementtracker.com/
Common Issues
▪ Insufficient legal basis for data processing
▪ Insufficient technical and organizational measures to ensure information security
▪ Non-compliance with general data processing principles
▪ Insufficient fulfilment of data subjects' rights
▪ Insufficient fulfilment of information obligations
▪ Insufficient fulfilment of data breach notification obligations
▪ Insufficient cooperation with the supervisory authority
Operationalize Data Protection Regulation
Privacy Program Management
▪ Privacy Vision & Mission
▪ Privacy Program Scope
▪ Develop & Implement Framework
▪ Develop Privacy Strategy
▪ Privacy Team & Governance Model
▪ Inventories & Record
▪ Record of Processing Activities
▪ Impact Assessment
▪ Vendor/Third Party Assessment
▪ Privacy in Mergers, Acquisitions, & Divestiture
Privacy Policy
▪ Privacy Notices & Policies
▪ Choice, Consents, and Opt-out
▪ Data Subject Request
▪ Handling Complaints
Training & Awareness
Privacy by Design & Privacy by Default
Incident Management
Monitoring & Auditing Program Performance
Framework pillars: Privacy Governance, Data Assessment, Data Subject Rights
Privacy Program Management is the structured approach of combining several disciplines into a framework that allows an organization to meet legal compliance requirements and the expectations of business clients or customers while reducing the risk of a data breach. The framework follows program management principles and considers privacy regulations from around the globe.
Independent Data Protection Supervisor
Big Questions
“Can government be sued if there is a data and privacy breach?”
Thank You ☺
https://medium.com/@proferyk
https://www.slideshare.net/proferyk
IT Advisory & Risk (t.me/itadvindonesia)
Data Privacy & Protection (t.me/dataprivid)
Komunitas Data Privacy & Protection (t.me/dataprotectionid)