Indonesia's Personal Data Protection Law, Undang-Undang Nomor 27 Tahun 2022 (UU PDP), has been fully in force since its two-year transition period ended in October 2024. It emerged in response to the rapid digitisation of personal information and a run of data breaches, replacing a patchwork of more than 30 sectoral rules with a single national framework. For a country with some of the highest mobile and internet penetration in Southeast Asia, that data carries real weight, and so does the obligation to protect it. As the Ministry of Communications has put it, in the digital era the protection of personal data is a basic human right, grounded in Article 28G and Article 28H of the 1945 Constitution.
This guide is a practical walkthrough for businesses: where UU PDP sits in Indonesia's regulatory landscape, how it compares to the GDPR, what it actually requires day to day, and the technical and organisational measures you need to stay compliant. For a structured, step-by-step companion, see our UU PDP compliance guide.
Where UU PDP sits in the regulatory landscape
UU PDP does not stand alone. It is the overarching framework that sits above and alongside a set of sectoral rules that already touched personal data. Understanding how they fit together is the first step to a coherent compliance programme.
The ITE Law (Law No. 11 of 2008, most recently amended by Law No. 1 of 2024) governs electronic transactions and the exchange of electronic information, including personal data. Government Regulation No. 71 of 2019 details how electronic systems must operate, including the protection of data within them. Sector regulators add their own layers: Ministry of Communications and Informatics Regulation No. 20 of 2016 obliges electronic system operators to obtain consent for, and protect, the personal data they hold; Ministry of Health rules restrict access to personal health data; OJK regulates consumer data in financial services; and Ministry of Manpower rules can cover employee data in the workplace.
For any organisation, the result is that data protection is no longer a single-regulation question. It is critical for maintaining customer trust, meeting legal requirements, and avoiding the financial and reputational damage of a breach. The law obliges businesses to put appropriate measures in place that protect the confidentiality, integrity, and availability of personal data.
How UU PDP compares to GDPR
UU PDP was clearly influenced by the EU's General Data Protection Regulation, part of a global trend toward robust privacy frameworks that make international trade and data flows possible. It aims for a level of protection that resonates with those global standards. Even so, it has distinct characteristics that set it apart. The comparison below draws on the law itself and a widely cited side-by-side analysis of the two regimes.
The differences are real and worth internalising. UU PDP carves out exceptions to data-subject rights wholesale for the interests listed in Article 15, whereas GDPR (Article 23) permits restrictions only where they are necessary and proportionate. UU PDP frames controller obligations in general terms regardless of risk level, while GDPR scales them to the risk of the processing. On security, UU PDP states the requirements generally, leaving it to the controller's capacity to determine the appropriate level; the side-by-side analysis also notes an annual data security review on the Indonesian side, which parallels GDPR's requirement in Article 32 for regular testing and evaluation of security measures.
Two contrasts stand out for any board. The first is sanctions.
UU PDP carries both criminal sanctions and administrative fines of up to 2 percent of annual revenue. GDPR itself imposes administrative fines only, with a higher ceiling of 20 million euros or 4 percent of global annual turnover, whichever is higher; criminal penalties exist only where an individual member state has added them under Article 84. The second contrast is enforcement maturity: GDPR is overseen by independent data protection authorities with years of case history, while Indonesia's supervisory body is to be established by the government under Articles 58 to 60 and its enforcement is still developing.
The breach-notification clocks look similar but differ in who must be told.
Both regimes work to a 72-hour window, expressed in Indonesia as 3 × 24 hours. Under UU PDP the controller must notify both the affected data subjects and the relevant authorities. Under GDPR the supervisory authority must be told without undue delay and, where feasible, within 72 hours (Article 33), but data subjects need to be notified only when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
What the law actually requires
Beyond the comparison, UU PDP sets out a clear set of obligations. With the transition period over since October 2024, businesses must have the core pillars in place: defined controller and processor responsibilities, breach-notification procedures, a Data Protection Officer where required, and processes for honouring data-subject rights.
The law distinguishes two kinds of data in Article 4. General personal data is information such as full name, gender, nationality, religion, marital status, and any combination of data that identifies an individual. Specific personal data is more sensitive and needs additional protection: health data, biometric data, genetic data, criminal records, children's data, personal financial data, and other categories set by regulation. Note that religion is classed as general data here, unlike under GDPR, where it is a special category. The law applies to processing by any person or public body, whether or not it takes place in Indonesia, as long as it has legal effect in Indonesia or concerns Indonesian data subjects abroad.
It also draws clear lines between the actors. The data controller determines the purpose and means of processing and is responsible for lawful processing, protecting rights, and applying data protection principles. The data processor acts on the controller's behalf, following instructions and helping meet obligations, including breach response. The data subject is the individual the data belongs to, with rights that both controllers and processors must facilitate. Where two entities independently decide purposes, they are separate controllers; where they decide jointly, they are joint controllers and must agree their respective responsibilities; and where one processes on behalf of another under contract, it is a controller-processor relationship. If a processor acts outside the controller's instructions, it may itself be treated as a controller and carry the associated liability.
The seven principles every business must follow
UU PDP requires that every act of processing satisfy a set of core principles. They are the test any new product, campaign, or system should be measured against.
These are not abstract ideals. Collecting more data than you need fails minimisation; keeping it indefinitely fails storage limitation; processing it for a purpose the subject never expected fails purpose limitation. Building the principles into how teams work is far cheaper than retrofitting them after a complaint.
The six lawful bases for processing
You cannot process personal data simply because it is useful. Every processing activity must rest on at least one of the six lawful bases in Article 20: the data subject's explicit consent, performance of a contract, a legal obligation of the controller, the vital interests of the data subject, a task carried out in the public interest or under public authority, and the legitimate interests of the controller balanced against the data subject's rights. You should be able to name which one applies before you start.
Consent is the most visible, but it is not always the strongest footing, because it can be withdrawn. For many business activities, contractual necessity or legitimate interests provide a more durable basis, provided you can justify them. The discipline is to map each processing activity to a basis deliberately, rather than defaulting to consent for everything.
The rights you must be ready to honour
Data subjects, defined as the individuals to whom personal data pertains, are granted a broad set of rights under Articles 5 through 13 of UU PDP: to be informed about the processing, to correct and update their data, to access it, to have it deleted or destroyed, to withdraw consent, to object to decisions based solely on automated processing, to restrict processing, to sue and claim compensation, and to obtain and port their data. Your systems and processes need to be able to act on each one, often within tight timeframes.
These rights are not unlimited. Article 15 allows them to be restricted for defined reasons, including national defence and security, law enforcement, public interest in state administration, oversight of the financial services sector and financial system stability, and statistical or scientific research. The exceptions exist to balance individual rights against broader societal and state interests, but they are specific, and a business cannot invoke them casually.
Privacy policy and notice
UU PDP expects organisations to document and communicate how they handle data, through two distinct artefacts. An internal privacy policy governs the collection, use, storage, and transfer of personal data inside the company; it drives legal compliance, sets data-management standards, builds employee awareness, and supports risk management. It typically shows up in the employee handbook, on the intranet, in training materials, in data processing agreements with vendors, and embedded in IT security systems.
An external privacy notice is the public-facing declaration of your practices. It builds trust, enables informed consent, demonstrates legal compliance, and sets out data-subject rights. It belongs on your website, inside mobile apps, in customer account portals, on online forms and checkouts, in marketing sign-ups, and on social media profiles. The absence of either one carries real consequences: legal sanctions, loss of consumer trust, operational disruption from disorganised data practices, and reputational damage that is slow and costly to repair.
Implementing data protection measures
Controllers and processors carry specific obligations: implementing appropriate technical and organisational measures, maintaining a Record of Processing Activities, conducting Data Protection Impact Assessments for high-risk processing, and appointing a Data Protection Officer where the law requires it. A DPIA is required when processing is likely to result in a high risk to individuals, particularly with new technologies, and should describe the processing, assess the risks, and set out the safeguards that address them.
The DPO sits at the centre of this. Under Article 53, the role is mandatory in defined situations, and the penalty for skipping it is among the most concrete in the law.
The DPO informs and advises the organisation, monitors and ensures compliance, advises on impact assessments, and acts as the contact point for data subjects and the authority. Crucially, the DPO must be able to act independently, without instructions on how to exercise the function. The role can be filled internally or, increasingly, through a DPO-as-a-Service arrangement that brings in external subject-matter experts, a flexible and cost-effective route for organisations that want compliance without building the function from scratch.
Breach notification is the other obligation that tends to catch teams out. Within 3 times 24 hours of becoming aware of an incident, the controller must notify the affected data subjects and the relevant authorities in writing. That notice should, at minimum, describe the personal data involved, the timing and method of the disclosure, and the response measures taken. Under conditions in Article 46 paragraph 3, public disclosure of the failure may also be required. The clock is short, so the time to design this process is now, not during an incident.
Technical and organisational measures
UU PDP requires both controllers and processors to adopt technical and organisational measures that match the risk involved. These are not optional extras; they are how the principles and obligations become real in day-to-day operations.
On the security baseline specifically, the law does not prescribe particular controls; it requires measures proportionate to the risk and leaves the choice to the organisation. Many organisations formalise those measures through an ISO/IEC 27001 information security management system, and a security operations centre provides the continuous monitoring needed to detect a breach early enough to meet the 3 × 24 hour notification clock. Multi-factor authentication, conditional access, identity protection, advanced email security, and endpoint security together form a practical baseline consistent with a Zero Trust model of continuous verification and least-privilege access.
For cross-border transfers, Article 56 sets a three-step test. The controller must first ensure that the destination country offers a level of protection equal to or higher than UU PDP. If it does not, the controller must ensure adequate and binding protection for the data, for example through contractual safeguards with the recipient. If neither condition can be met, the transfer may proceed only with the data subject's consent.
What non-compliance costs
The consequences of getting this wrong are significant and cumulative. Non-compliance can bring fines, legal sanctions, and enforcement actions. It can trigger reputational harm that erodes consumer trust and business. And it can cause operational disruption: the administrative sanctions in Article 57 include written warnings, temporary suspension of processing, and orders to delete or destroy data, alongside administrative fines of up to 2 percent of annual revenue. Failing to appoint a DPO where Article 53 requires one exposes the organisation to those sanctions, as well as the heightened breach risk and loss of trust that come with weak oversight.
How Alpha Code can help
Getting to compliance, and staying there, is where most of the effort lives. At Alpha Code we support Indonesian organisations across the full picture: a compliance and GRC service that runs a gap assessment aligned to Indonesian law and turns it into a prioritised remediation roadmap with document drafts and advisory support; governance framework development that defines clear roles, escalation paths, and reporting; DPO support, including DPO-as-a-Service that acts as an extension of your team; and practical training and human risk management programmes that build a real culture of data protection.
If you are not sure where your gaps are, a PDP gap assessment is the right first step. It turns a 28-page law into a clear, prioritised plan you can act on. Talk to our team to scope where you stand today.
References
- Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP), Database Peraturan, BPK RI. An English translation is also available.
- General Data Protection Regulation (Regulation EU 2016/679), GDPR.eu, including fines and penalties.
- Ini 8 Perbedaan Antara RUU Perlindungan Data Pribadi dan GDPR Uni Eropa, Cyberthreat.id.
- Alpha Code Technologies, Indonesia Personal Data Protection Law (UU PDP) Thoughtpaper, May 2026.