Countdown to Indonesia’s PDP Law implementation: navigating whistleblowing in safeguarding personal data
It’s been two years since Indonesia enacted Law No. 27 of 2022 on Personal Data Protection (PDP Law) on October 17, 2022. As the transition period draws to a close, organizations across Indonesia that manage personal data will soon be required to achieve full compliance with these regulations.
The PDP Law was introduced to address the increasing significance of data protection in today’s digital landscape. As technology rapidly evolves and personal data usage expands, the law is designed to protect individuals’ rights over their personal information, ensure data security, and prevent misuse.
Given the urgency and complexity of this regulation, it is crucial for organizations to partner with vendors who are well-versed in integrating this law into their business operations, such as through the implementation of an effective whistleblowing system.
A whistleblowing system is essential for effective corporate governance. Key considerations include the collection of personal data, ensuring data security, establishing consent mechanisms, and implementing data retention policies.
Personal data protection in whistleblowing systems
The PDP Law underscores the principle of data minimization, requiring that any collected data be relevant and used strictly for its intended purpose. In the context of whistleblowing, this may include personal information such as the whistleblower’s name, contact details, and specifics of the report submitted.
Whistleblowing platforms must adhere to the law when obtaining consent for data collection and processing. These systems should provide whistleblowers with the option to disclose their identity, keep it confidential, or report anonymously, ensuring compliance with the legal requirements.
For anonymous reports, whistleblowing systems might encounter the challenge of balancing the protection of the whistleblower’s identity with the need for comprehensive investigations, as investigators may require follow-up communication with the whistleblower for further details. Therefore, it is crucial for third-party whistleblowing systems to provide secure two-way communication channels that do not necessitate the disclosure of personal information, such as email addresses or phone numbers.
In addition to their features, whistleblowing systems must be designed to protect sensitive data from unauthorized access. Implementing security measures such as data encryption, multi-factor authentication (MFA), and restricted access for authorized personnel is essential to safeguard the investigation process.
Data retention in the PDP Law and long-term compliance
Data retention is another critical aspect that must align with the PDP Law, even though the law does not explicitly outline specific timeframes. For instance, whistleblower data and investigation outcomes should be retained for a defined period based on regulatory requirements or the needs of the investigation. Once this period expires, the data must be permanently deleted to comply with retention rules and protect the privacy of both whistleblowers and the organization.
The Canary Whistleblowing System has fully integrated the requirements outlined by this law. Its features are specifically designed to fulfill all necessary reporting elements, enabling organizations to comply with Indonesia’s PDP regulations effectively. By collaborating with a trusted third party, companies can save valuable time, reduce costs, and conserve resources that would otherwise be spent on developing their own whistleblowing system.
For more information, please contact us via email at info@integrity-asia.com.