The full implementation of the Personal Data Protection (PDP) Law will begin tomorrow, marking the end of the two-year transition period given to businesses to comply with its new legal mandates.
From that day forward, banks and other industries must take personal data protection rules into account in their business decisions and operations. The law will align Indonesia with global data protection standards.
As we enter this new regulatory era, banks must ask themselves: How will the PDP Law reshape their approach to data protection and risk management?
At first glance, the PDP Law provides a vital framework for managing growing risks related to data breaches and cyber threats.
However, the real challenge for banks is incorporating data protection into their overall risk management strategies.
Indonesian banks, which have long dealt with complex regulations and financial risks, now face the challenge of reassessing their risk appetite.
This involves expanding their focus beyond traditional financial risks. Banks must now also address the rising threats associated with personal data protection. Safeguarding personal data should now be embedded in the bank’s governance framework.
It must become central to the bank’s overall risk management. Although incorporating data protection into a bank’s governance framework is essential, it adds complexity that extends beyond the bank’s conventional areas of focus.
Hence, it must not be viewed merely as a compliance requirement to be handled by the bank’s data protection officer. Instead, it should permeate every aspect of the bank’s operations.
By embedding data protection into daily risk management strategy, banks can proactively address potential threats before they escalate.
The Financial Services Authority (OJK) plays a critical role in regulating banking risks in Indonesia. The OJK regulation on risk management implementation for commercial banks, as amended by the OJK regulation on commercial bank products, mandates comprehensive risk-management frameworks.
These frameworks cover various types of risk, such as credit, market, liquidity and operational risk. With the PDP Law now in effect, banks must incorporate risks related to personal data protection into them.
Failure to secure personal data could lead to financial penalties and result in reputational damage, potentially triggering more stringent regulatory scrutiny.
Although the government regulation implementing the PDP Law has not yet been issued, the OJK’s regulation already mandates compliance.
Banks must adhere to the PDP Law under the current consumer and public protection rules in the financial sector.
This requires banks to implement robust measures for safeguarding customer data. Data protection must therefore be seen as a key component of operational risks. Banks should regularly assess their vulnerabilities, ensure internal controls are effective and improve data security protocols to meet both OJK regulations and the PDP Law.
Emerging legal risks
Under the PDP Law, banks face threats from emerging legal risks in addition to traditional hackers and cybercriminals.
These risks may arise from potential vulnerabilities that bad actors could exploit. For example, a cybercriminal could take advantage of the 72-hour time frame for responding to a data subject access request by posing as a legitimate data subject.
Under pressure to respond quickly, a bank might rush the identity verification process.
This could lead to the unintentional disclosure of sensitive information, exposing the bank to further risks.
Such challenges could drain resources and affect operational efficiency.
Accordingly, banks must invest not only in technology but also in legally sound policies.
Proactively addressing these threats, whether from cyber issues or legal claims, will be vital. The PDP Law introduces strict requirements for maintaining records of processing activities and conducting data protection impact assessments.
Burden to resources
While these tools are essential for transparency and accountability, they can burden internal resources.
Banks need to streamline compliance processes to avoid being overwhelmed.
One solution is to leverage digital tools and automation. Although this translates into higher technology expenses for the bank, in the long run, it can reduce administrative overheads while ensuring compliance with the PDP Law.
Additionally, cross-departmental collaboration will be key to embedding these processes into the bank’s daily operations.
Many banks still rely on legacy systems that were not designed to handle today’s rigorous data protection requirements.
As the PDP Law mandates higher standards, upgrading these systems will be necessary. This becomes even more complex when considering cross-border data transfers.
The PDP Law imposes strict conditions on transferring data overseas, making it essential for banks to review their arrangements with their affiliates, partners or third-party service providers.
To address this, banks must assess the adequacy of their IT infrastructure and ensure compliance with both the PDP Law and international data protection standards. By enhancing system capabilities and securing data transfers, banks can strengthen their defences against external threats and ensure compliance with the law. Fostering a cultural shift within banks is equally important.
Personal data protection
Banks must cultivate a culture that prioritises personal data protection at all levels. This means training employees to understand the importance of safeguarding personal data and recognising their role in this effort. By embedding data protection principles into everyday practices, employees will become more vigilant in identifying potential risks.
Regular workshops and training sessions can reinforce the significance of data protection, ensuring that all staff are equipped with the knowledge to handle personal data responsibly.
This culture of accountability will help strengthen the bank’s defences against data breaches and compliance failures.
As Indonesia embraces the full implementation of the PDP Law, banks must rethink their approach to compliance and risk management.
The PDP Law offers more than just regulatory hurdles; it presents an opportunity for banks to demonstrate their commitment to data protection. By doing so, they can build greater trust with customers and strengthen their competitive edge in an increasingly data-driven world.
The challenges ahead are significant, but with careful planning and a focus on excellence, Indonesia’s banking sector can thrive in this new era of data protection.
Yosea Iskandar is head of the legal and corporate secretariat at Bank DBS Indonesia. The views expressed here are the writer’s own.