Indonesia’s data protection law, called UU PDP (Law No. 27 of 2022), has been in force since October 2024. Companies can already be penalised for breaking it. What is changing now in 2026 is who enforces it: the government is setting up a dedicated agency to check whether businesses follow the rules of this landmark Indonesian PDP law.
This article explains what that means in plain terms, and why having a solid plan to keep your business running during a disruption is now part of staying compliant.
What Is UU PDP?
UU PDP (Undang-Undang Perlindungan Data Pribadi) is the core Indonesian data protection law safeguarding individual privacy rights. Widely referred to across the region as the overarching regulation for pelindungan data pribadi (personal data protection), it sets strict rules for how organisations collect, store, use, and share information about individuals. It applies to a broad ecosystem, including local companies of any size, government bodies, and foreign companies that serve or target the Indonesian market.
The law splits information into two distinct groups:
- General personal data: Standard identifiers such as name, address, phone number, or email.
- Specific (sensitive) personal data: High-impact information requiring extra layers of protection, such as health records, financial details, and biometric data.
Who Enforces the Law Right Now
At the moment, a part of the Communications Ministry (Komdigi) handles enforcement on a temporary basis. According to a May 2026 guide from Recording Law, this unit checks compliance, takes complaints from the public, and can issue penalties.
But this is only a stopgap. The law requires a separate, dedicated agency, the Personal Data Protection Authority, often called Lembaga PDP. As reported by the law firm Rajah & Tann Asia in March 2026, the draft rule to create this agency became public at the end of February 2026, almost four years after the law passed.
DLA Piper’s Data Protection Laws of the World notes the agency is expected to start operating in 2026.
Once it does, enforcement moves from a temporary setup to a permanent regulator whose job is to audit businesses. That is the shift companies need to prepare for.
The Penalties for Breaking the Law
There are two kinds of penalties: administrative and criminal.
Administrative Penalties
These are handled by the regulator, not the courts. Based on summaries from the US Library of Congress and Baker McKenzie’s Global Data and Cyber Handbook, they come in steps, from lightest to heaviest:
- A written warning
- A temporary order to stop processing data
- An order to delete the data that was handled improperly
- A fine of up to 2% of the company’s yearly revenue
The fine gets the most attention, but the order to stop processing data can hurt more. It freezes part of your operation while the business still has to run. Baker McKenzie also notes that the exact method for calculating the fine had not been finalised at the time of its review.
Criminal Penalties
These go through the courts and apply to serious cases, like deliberately misusing or faking data. The Chambers and Partners 2026 Indonesia guide records an early example: in March 2023, a court in Karanganyar sentenced someone to four years in prison and a fine of IDR 1 billion for faking data.
The same guide notes that criminal cases have been moving through the courts since the law took effect, but the regulator has not yet handed out major administrative fines, because the new agency and its detailed rules are still being set up.
So the risk is real today, and the agency that will enforce it more actively is on the way.
Why a Business Continuity Plan Now Matters for Compliance
A business continuity plan (BCP) is simply your plan for keeping the business running when something goes wrong, like a system crash, a cyberattack, or a data breach. Many companies treat it as an IT backup task: a server fails, you restore from backup, you carry on.
Under UU PDP, that IT-centric view is too narrow. The law expects you to keep protecting data even during an operational crisis, and to prove you can. This is why formal business continuity planning must be treated as a core data governance responsibility rather than an isolated backup exercise.
According to the Chambers and Partners 2026 guide, organisations must maintain clear rules, assign data protection teams, check risks before starting high-risk projects, and run functioning processes for handling and reporting serious breaches within 72 hours.
Where the Law and Business Continuity Planning Overlap
Several of these duties are really continuity duties in disguise. Here are three places where they connect directly.
1. You have only 72 hours to report a breach
If a serious breach happens, you have three days to tell the regulator and the people affected. If your team can’t move from “we found a problem” to “we’ve reported it” within that window, your plan isn’t good enough, no matter how strong your backups are.
2. Backups aren’t enough on their own
Being able to restore data is not the same as proving you restored the right data, kept it accurate, and have a record of doing so. An auditor will ask for the proof: when you last tested your recovery, who ran it, what went wrong, and how you fixed it.
3. You’re responsible even if a vendor fails
Many companies rely on outside vendors to process data. If one of them gets breached or goes offline, the responsibility to report it still falls on you. Your continuity plan has to cover systems you don’t run yourself.
The idea underneath all three is simple: data protection has to keep working during a crisis, not just after it. UU PDP makes that something a regulator can check.
How to Build a Plan That Passes an Audit
A good plan isn’t a document that sits in a drawer. It’s a set of clear steps, each with an owner, a schedule, and proof that it works. A resilient plan is an active operational capability, and building the following pillars into your business continuity planning helps keep your architecture audit-ready. Here are the core parts.
1. Keep an up-to-date list of your data
2. Match recovery speed to data sensitivity
Not all data deserves the same urgency. As the ASEAN Briefing guide explains, sensitive data gets stronger protection under the law. So health, financial, and biometric data should be recoverable faster and more reliably than something like a newsletter list.
3. Write your breach response as a step-by-step guide
Spell out who confirms a breach, who decides how serious it is, who writes the reports, and who signs off. Practise it as a drill at least twice a year, and keep a record each time. The goal is to save time when it counts.
4. Test your recovery and save the proof
Every time you test a data restore, log the basics: the date, what you tested, who ran it, whether the data stayed intact, what failed, and how you fixed it. That log is what turns “we have a plan” into “here’s proof it works.”
5. Cover your vendors too
List which vendors touch your data, how fast they promise to report problems, and what happens if they go down. A plan that only covers your own systems leaves a gap you’re still liable for.
6. Assign an owner and review regularly
Things change: new threats, new systems, new vendors, new rules. Put one person in charge of the plan and review it every quarter so it doesn’t quietly fall out of date.
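Steps 2 and 4 above come down to two checks an auditor can verify: did the restored data match the backup byte for byte, and did it come back within the recovery target set for its sensitivity? The script below is an added example written for this article, not code from the original page or from Zentara. It fingerprints each record with SHA-256, compares the restored copy to the backup, measures the restore time against a per-category target, and emits one JSON log line per drill of the kind step 4 describes. The recovery targets, the sample health records, the operator address and the corruption in the restored copy are all constructed assumptions, not figures from the law.

```python
"""Restore-test verification with an audit trail.

Added example (not from the original article): it takes a backup
snapshot and the data restored from it, checks record by record that the
restored data is intact, compares the time the restore took against a
per-sensitivity recovery target, and writes the kind of log entry an
auditor would ask to see. All data, names and targets are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone

# Recovery-time targets in minutes per data category (assumed values,
# not figures from UU PDP). Specific/sensitive data must come back faster.
RTO_MINUTES = {"specific": 60, "general": 240}


def fingerprint(record: bytes) -> str:
    """SHA-256 of a record; proves the restored bytes match the backup."""
    return hashlib.sha256(record).hexdigest()


@dataclass
class RestoreTest:
    tested_at: str          # when the drill ran (UTC, ISO 8601)
    scope: str              # which data category was restored
    operator: str           # who ran it
    duration_minutes: int   # how long the restore took
    rto_minutes: int        # target the restore was measured against
    intact: bool            # every record matched its backup fingerprint
    within_rto: bool        # restore finished inside the target
    missing: list = field(default_factory=list)     # ids absent after restore
    corrupted: list = field(default_factory=list)   # ids whose content changed
    remediation: str = ""   # what was done about any failure


def verify_restore(backup: dict, restored: dict) -> tuple:
    """Compare restored records with the backup. Returns (missing, corrupted) ids."""
    missing = sorted(k for k in backup if k not in restored)
    corrupted = sorted(
        k for k in backup
        if k in restored and fingerprint(restored[k]) != fingerprint(backup[k])
    )
    return missing, corrupted


def run_restore_test(backup, restored, category, operator, duration_minutes,
                     remediation="", now=None):
    """Run one drill and return the record an auditor would want to see."""
    missing, corrupted = verify_restore(backup, restored)
    rto = RTO_MINUTES[category]
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return RestoreTest(
        tested_at=ts, scope=category, operator=operator,
        duration_minutes=duration_minutes, rto_minutes=rto,
        intact=not missing and not corrupted,
        within_rto=duration_minutes <= rto,
        missing=missing, corrupted=corrupted, remediation=remediation,
    )


def to_log_line(test: RestoreTest) -> str:
    """One JSON line per drill; append it to an append-only log."""
    return json.dumps(asdict(test), sort_keys=True)


# Constructed sample: a backup of health records and what a restore drill returned.
BACKUP = {
    "patient-001": b"blood type: O+",
    "patient-002": b"allergy: penicillin",
    "patient-003": b"hba1c: 6.1",
}
RESTORED = {
    "patient-001": b"blood type: O+",
    "patient-002": b"allergy: penicilin",   # one byte changed in transit
    # patient-003 never came back from the restore
}

if __name__ == "__main__":
    result = run_restore_test(
        BACKUP, RESTORED, "specific", "dpo@example.invalid", 45,
        remediation="re-ran restore from the previous night's snapshot",
    )
    print(to_log_line(result))
```

Running it prints a single log line showing `intact` as false, `patient-003` under `missing` and `patient-002` under `corrupted`, with the remediation text alongside: exactly the "what failed and how you fixed it" record step 4 asks for. A drill that restores everything but overruns its target is logged with `within_rto` false, so a slow recovery of sensitive data shows up in the log even when no data was lost.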
Don’t Wait for the First Fine
The temporary waiting period is over in everything but name. The law has teeth today, and the dedicated agency built to use them is nearly established. Most companies will not act until a major administrative fine hits the news, but by then, the auditors will already be at the door.
The companies that come out ahead are simply the ones that execute the foundational work early. At Zentara, we help organisations secure their operational standards before it becomes an emergency. Our Managed SOC watches for threats around the clock, and our VAPT testing uncovers critical vulnerabilities before an attacker or a regulator does.
If you are unsure where your current business continuity planning stands against the shifting expectations of the UU PDP, contact the Zentara team today for a clear assessment of what to resolve first while the timeline is still yours to control.