PDP Law 2026: Indonesia Compliance Audit Checklist

May 4, 2026

Indonesia’s Personal Data Protection Law, UU No. 27 of 2022, known as the UU PDP, became fully enforceable on 16 October 2024. That deadline passed, yet organisations still running on legacy data practices are now exposed.

Conducting a thorough Indonesia PDP law compliance audit is now a tactical necessity. While enforcement activity has been measured so far, the landscape shifts in 2026 with the establishment of a dedicated personal data protection agency in Indonesia. Once it is active, the regulatory posture will transition from observation to active intervention.

What the Law Covers and Who It Applies To

The law governs the collection, use, disclosure, and processing of personal data across all sectors. It applies to any organisation processing the data of Indonesian citizens, whether that processing occurs onshore or offshore. This reflects the broader trend of data sovereignty in Southeast Asia, where sensitive categories carry stricter controls.

The penalties are material. According to Schinder Law Firm’s analysis of the UU PDP:

  • Administrative fines of up to 2% of annual revenue
  • Falsifying personal data: up to 6 years imprisonment and fines up to IDR 60 billion
  • Buying or selling personal data: up to 5 years imprisonment and fines up to IDR 50 billion
  • Corporations: profit confiscation, operational freezing, and dissolution

The 2026 Indonesia PDP Law Compliance Audit Checklist

Use these ten core obligations to identify gaps before the regulators do.

1. Legal Basis for Every Processing Activity

Every data collection activity must map to one of the six valid legal bases defined in the PDP Law. Consent is the most commonly used and the most frequently misimplemented.

Consent must be explicit and informed. Pre-checked boxes and vague language do not meet the standard, and data subjects must fully understand the implications before agreeing.

Verify:

  • Every processing activity has a documented legal basis on file
  • Consent mechanisms are granular, explicit, and withdrawable at any time
  • The purpose of collection is communicated clearly at the point of collection

2. Data Inventory and Classification

A current, maintained inventory is the foundation of an Indonesia PDP law compliance audit.

Verify:

  • A current, maintained inventory covers all personal data held and processed
  • General and sensitive data categories are classified and distinguished
  • Each data type is mapped to its legal basis, retention period, and processing purpose

3. Data Protection Officer (DPO) Appointment

Chambers and Partners notes the PDP Law requires a Data Protection Officer (DPO) when processing personal data for public interest, when core activities involve systematic large-scale monitoring, or when processing sensitive or criminal-related personal data at scale.

Constitutional Court Decision No. 151/PUU-XXII/2024 dated 30 July 2025 clarified these criteria. According to Chambers and Partners, non-appointment sanctions include written warnings, suspension of processing activities, erasure of personal data, and fines of up to 2% of annual income.

Verify:

  • The organisation has formally assessed whether its activities trigger the DPO requirement
  • If required, a DPO is appointed with documented qualifications
  • The DPO’s contact details are accessible to data subjects and the MOCD

4. Data Protection Impact Assessments (DPIAs)

High-risk processing requires a completed DPIA before the activity begins, not after.

Under Article 34, controllers must conduct a DPIA whenever processing carries a high risk to data subjects, including automated decision-making with legal consequences, large-scale processing of sensitive data, and processing that restricts the exercise of data subject rights.

The use of new or emerging technologies, including artificial intelligence, is expressly recognised as a high-risk processing indicator that triggers the DPIA requirement.

Verify:

  • All high-risk processing activities have been identified and documented
  • Completed DPIAs exist for each one
  • DPIAs are reviewed and updated when processing scope or technology changes

5. Data Breach Response Within 72 Hours

Controllers must notify data subjects and the authority within 72 hours of a failure to protect data. Identifying structural weaknesses in this window is a critical part of the Indonesia PDP law compliance audit.

Verify:

  • A documented incident response plan includes PDP Law notification workflows
  • Named owners, escalation paths, and notification templates are in place and tested
  • The organisation has validated its ability to detect and classify a breach inside the 72-hour window

6. Data Subject Rights and Response Time

Data subject rights under the PDP Law include access, rectification, erasure, and restriction of processing. These rights require functioning fulfilment mechanisms, not policy statements. Per the Future of Privacy Forum, for access, rectification, and restriction requests, organisations have 72 hours to respond.

Verify:

  • Documented procedures exist for receiving and processing Data Subject Access Requests
  • The organisation can respond within 72 hours for standard request categories
  • Denial rationale is documented and communicated to the requesting party

7. Cross-Border Data Transfer Controls

Cross-border personal data transfer is permitted only when the receiving country has an equal or higher data protection standard, or when adequate and binding safeguards are in place. If neither condition is met, explicit consent from data subjects is required.

Verify:

  • Every cross-border data transfer is mapped and documented
  • The legal basis for each transfer is on file, whether adequacy, binding safeguards, or explicit consent
  • Vendor and processor contracts reflect cross-border transfer obligations

8. Records of Processing Activities

Organisations must maintain a Record of Processing Activities (RoPA) detailing the types of data processed, legal basis, data subjects involved, and retention periods. This is the primary document a regulator will request, and it must be current, accurate, and reviewable on demand.

Verify:

  • A structured, current RoPA is maintained across all processing activities
  • The RoPA is updated when processing scope changes
  • Retention periods are defined, enforced, and consistent with stated purposes

9. Third-Party and Vendor Risk

A vendor’s non-compliance creates exposure for the controller. This oversight must be integrated into your Indonesia PDP law compliance audit.

Verify:

  • All data processing agreements include explicit PDP Law obligations
  • Third-party processors are reviewed for compliance at defined intervals
  • A vendor onboarding process assesses data handling practices before access is granted

10. Staff Training and Awareness

Common compliance failures trace back to three consistent gaps: absence of consent documentation, insufficient technical safeguards, and employees without training on their data processing obligations. Compliance is an operational function that requires awareness at every level that touches personal data.

Verify:

  • Employees with data processing responsibilities have received formal PDP Law training
  • Training is refreshed when regulations or risk conditions change
  • New staff are onboarded to data protection requirements before handling personal data

The Enforcement Window Is Closing

The arrival of the new agency in 2026 marks a definitive inflection point for UU PDP regulatory enforcement. Organisations that treat this period as a sprint will struggle; those that build governance into their operational standards will thrive. Gaps in these ten areas create enforceable exposure that is technical, legal, and reputational.

Zentara’s Cybersecurity Consulting team works with organisations across Indonesia to assess readiness and implement the controls required for a successful Indonesia PDP law compliance audit.

Schedule a compliance review before the agency is active to ensure your Indonesia PDP law compliance findings are resolved proactively.
