QUALIFICATION OF DATA PROTECTION OFFICER (DPO) AS IMPLEMENTATION OF PERSONAL DATA PROTECTION IN INDONESIA

January 2, 2024 / Written by: Nanda Setiawan


This article comprehensively reviews the qualifications that a Data Protection Officer (DPO) needs for the effective implementation of personal data protection in Indonesia. Through a detailed examination of the DPO's role and responsibilities, including education, technical expertise, and a deep understanding of applicable data protection regulations, it aims to give technical guidance to organizations and individuals in achieving the highest standards of personal data security. With a focus on data processing, information security, and data incident reporting, the discussion also seeks to motivate professionals in IT, law, and information security to develop the necessary skills, create effective DPOs, and encourage optimal personal data protection in today's digital era.

Regulation of the Minister of Manpower Number 13 of 2016 governs the Procedures for Determining Indonesian National Work Competency Standards. This regulation explains the competencies required of personnel in various aspects, including relevant knowledge, skills and work attitudes, to be able to carry out certain tasks or positions in accordance with the requirements set by the organization or user. This aims to ensure that the competency certification provided is equivalent to the work competency that has been determined by the government.

One form of legal protection implemented by the Indonesian government is the enactment of Law Number 27 of 2022 concerning Personal Data Protection (UU PDP), a legal product ratified in the hope of supporting massive efforts to protect personal data. The law sets out the DPO concept as follows:



Article 53 – DPO Appointment

Article 53 paragraph 1 regulates that Personal Data Controllers and Personal Data Processors are obliged to appoint officials or officers who carry out the function of Personal Data Protection in the event of:
a. Processing Personal Data for public service purposes;
b. The core activities of the Personal Data Controller have the nature, scope and/or objectives that require regular and systematic monitoring of Personal Data on a large scale; and
c. The core activities of the Personal Data Controller consist of processing Personal Data on a large scale for Personal Data of a specific nature and/or Personal Data relating to criminal acts.

Article 53 paragraph 2 regulates that officials or officers who carry out the Personal Data Protection function as intended in paragraph (1) are appointed based on professionalism, knowledge of the law, Personal Data Protection practices, and ability to fulfill their duties.

Article 53 paragraph 3 regulates that officials or officers who carry out the Personal Data Protection function as intended in paragraph (2) can come from within and/or outside the Personal Data Controller or Personal Data Processor.

Article 54 – Duty of DPO

Article 54 paragraph (1) regulates that officials or officers who carry out the Personal Data Protection function have at least the following tasks:
a. Inform and provide advice to Personal Data Controllers or Personal Data Processors to comply with the provisions of this Law;
b. Monitor and ensure compliance with this Law and the policies of the Personal Data Controller or Personal Data Processor;
c. Provide advice regarding the assessment of the impact of Personal Data Protection and monitor the performance of Personal Data Controllers and Personal Data Processors; and
d. Coordinate and act as a contact person for issues related to the processing of Personal Data.


Article 54 paragraph (2) regulates that in carrying out the duties as intended in paragraph (1) the DPO must pay attention to the risks related to the processing of personal data by considering the nature, scope, context, and purpose of the processing.

To implement Data Protection Officer (DPO) work competencies under the Personal Data Protection Law (UU PDP), an Indonesian National Work Competency Standard (SKKNI) has been prepared which covers three measurable dimensions, namely knowledge, skills and attitudes. This SKKNI aims to identify and determine the competencies required by a DPO in accordance with the provisions of the PDP Law. The DPO must be appointed as a professional who has knowledge of the law and of personal data practices. The DPO will be someone who understands the law and governance of personal data protection and also has technical skills in information system security.

The SKKNI serves as a reference for developing and assessing DPO competency in the context of personal data protection regulations in Indonesia. This is regulated in Minister of Manpower Decree Number 103 of 2023 concerning Determination of Indonesian National Work Competency Standards for Information and Communication Categories, Main Classes of Programming Activities, Computer Consulting and Related Activities (YBDI) in the Field of Personal Data Protection Expertise.

There are 19 competency units for someone to be able to obtain qualifications as a DPO, namely being able to:

- Determine the basis of the work programs.
- Conduct impact assessments.
- Formulate suggestions to management.
- Determine the need for PDP team structure.
- Test the effectiveness of the PDP work program.
- Manage audits related to PDP work programs.
- Determine the PDP framework.
- Develop protection management.
- Ensure follow-up to PDP audit results.
- Identify laws and regulations related to PDP.
- Arrange PDP management.
- Formulate the process of obtaining consent for personal data processing.
- Determine the PDP strategy.
- Implement the PDP work programs.
- Provide responses to requests for personal data information.
- Develop PDP risk matrix criteria.
- Monitor PDP work programs.
- Ensure that PDP is integrated into incident response management.
- Ensure the implementation of incident response management related to PDP failures.


To carry out the functions of a Data Protection Officer (DPO) in the business world in Indonesia in accordance with the Indonesian National Work Competency Standards (SKKNI) Number 103 of 2023 and Law Number 27 of 2022 concerning Personal Data Protection, companies need to consider the following requirements:

a. Compliance with SKKNI Number 103 of 2023: Ensure that the appointed DPO meets the requirements and competencies listed in SKKNI Number 103 of 2023. This includes a good understanding of data protection law, privacy policies, as well as the ability to manage and protect personal data.
b. In-depth Understanding of Personal Data Protection Law: The DPO must have in-depth knowledge of Law Number 27 of 2022 concerning Personal Data Protection in Indonesia. They must be able to understand the applicable legal provisions and apply them correctly in the company context.
c. Risk Management Capability: The DPO must have the ability to identify and manage risks related to personal data protection. They must be able to design, implement, and oversee the policies and procedures necessary to minimize the risk of data breaches.
d. Technology Skills: Understanding the technology a company uses and how personal data is stored and processed is important. The DPO must be able to provide relevant guidance and advice in terms of technology and information security.
e. Communication Skills: Excellent communication skills are required to interact with a variety of parties, including supervisory authorities, company employees, and affected individuals. The DPO must be able to explain data protection policies and procedures clearly.
f. Ability to Handle Data Breaches: The DPO must know how to deal with data breaches and report them in accordance with applicable regulations. They must also be able to cooperate with supervisory authorities and other relevant parties.
g. Independence: The DPO must be independent in carrying out their duties. They must not be involved in conflicts of interest that could interfere with data protection functions.
h. Training and Knowledge Updates: Ensure the DPO continuously follows training and knowledge updates regarding personal data protection. Data protection is an ever-evolving field, and DPOs must stay updated on legal developments and best practices.
i. Management Support and Sufficient Resources: Ensure the company provides sufficient support, both in terms of human and financial resources, to enable the DPO to carry out their duties effectively.
j. Documentation and Reporting: Create adequate documentation procedures and report regularly to management about personal data protection issues in the company.


Thus, it can be concluded that solid qualifications for a Data Protection Officer (DPO) play a crucial role in protecting personal data in Indonesia. Through a deep understanding of regulations, established technical expertise, and a strategic role in data processing, a DPO can be at the forefront of ensuring information security. This article hopes to inspire professionals to continue developing their skills, create a reliable data security environment, and encourage the implementation of best practices to safeguard individual privacy amidst the ever-evolving dynamics of the digital era.
