Indonesia has progressively tightened its data protection laws in recent years, with a large focus on the financial services sector. According to one executive DCD spoke to last year, new regulations on the use of data are “very detailed”.
And though Indonesia’s Internet penetration of 50 percent lags slightly behind the average of 58 percent in Southeast Asia, its hefty population of more than 260 million gives it the largest base of Internet users in the region. Given how data centers are traditional custodians of digital data, this obviously impacts the rapidly expanding data center sector in the country.
As we reported previously, some data centers and service providers were caught off guard by the implementation of Government Regulation 82 in 2012 (PP82/2012), which ruled that Indonesians’ financial data should be housed within Indonesia. Additional guidelines stipulated in 38/POJK.03/2016 meant that the Financial Services Authority must be kept apprised of providers and given the ability to audit service providers directly.
For local banks, this means that any reliance on cloud services overseas will have to be re-evaluated, while overseas data centers will have to be redeployed within Indonesia. But in a country where affordable land makes it relatively trivial to build one’s own data center, the stringent requirements also served as an implicit nod towards outsourced data centers that meet higher standards.
Despite the work involved, compliance by local banks remains a matter of proper planning and implementation. But what do these data protection regulations mean for foreign banks operating in Indonesia? Won’t the need to adhere to the rules be onerous for financial institutions with a presence in multiple countries – and indirectly harm investments into the country?
Foreign banks typically adopt the same set of controls that are adopted in their home country, observed Frenky Tjioe. He currently heads up information security governance and compliance at the largest e-commerce company in Southeast Asia.
Tjioe, who will be making a presentation at the upcoming DCD>Indonesia conference to be held in Jakarta next month, was drawing on his experience working at various Indonesian banks in the past. But how would these foreign financial institutions ensure that they comply with the data protection regulations in Indonesia?
One possibility may be to delineate the type of data that falls within the remit of the various data protection regulations. This will offer these organizations greater clarity and give them a way to more easily comply with the regulations and continue operating in Indonesia.
Regardless, financial institutions can expect the data protection regulations to eventually be strongly enforced across the board, says Andreuw Th.A.F, the CEO of Telin Singapore. Andreuw was the director of business data center at telkomsigma, a wholly owned subsidiary of Telkom Indonesia, prior to his posting to Singapore. Speaking to DCD, he expressed confidence that the regulations will be implemented in a way that will not alienate investors in Indonesia.
The road ahead
While it may take some time yet for the regulations to percolate across the financial institutions in the country, there are signs that the increased importance of data is slowly but surely changing how data is stored and protected in the region’s most populous country.
Tjioe observed that industry players in developed countries tend to adopt best practices before the regulators do, while the mentality in others is to wait for the government “to lead”.
“However, I see the increasing trend that players in Indonesia are keen with best practices to attract businesses beyond just regulatory requirements, whether in access control, physical security, network security, IT operations security, [and] auditing standards,” he said.
“[I see an increase in investment] in the form of training both the in-house experts and end users, as well as investing in adoption of the tools and practices.”