The existence of citizen data guardians or data protection officers will become a necessity when the draft law on personal data protection is passed into law.
By TIM KOMPAS
KASPERSKY
The state of the cybersecurity landscape for 2020, based on Kaspersky cybersecurity research.
The existence of citizen data guardians or data protection officers will become a necessity when the draft law on personal data protection is passed into law. They are like satpam (security guards) who keep people’s private data that are managed by institutions from being leaked.
However, preserving personal data is not easy. Director of cybersecurity at Binder Dijker Otte (BDO) Indonesia, M. Novel Ariyadi, said he must be on standby 24 hours a day to ensure that personal data managed by tens of his clients is not leaked. Telecommunications and banking companies, both domestic and international, have entrusted the security of their users' personal data to a team led by Novel.
BDO is an international public accounting and management consultancy headquartered in Belgium. In this institution, Novel develops and operates an information security system to increase security against cyberattacks, cyber risks and cyber crises.
"In short, I am a satpam [security guard]. The difference is, in the real world I prepare security by carrying a padlock or safe key to protect important company assets. In cyberspace, I fortify the information and data management with software. Its function is basically to secure the system so that important data is not compromised," he said in an online interview from Jakarta, Sunday (21/3/2021).
With a relatively large team and various types of threats that may be faced, Novel and his team must work with precision. Data leakage can be subject to sanctions amounting to 4 percent of the company's revenue. BDO provides data protection officers (DPOs) like Novel because the company refers to the provisions of the European Union's General Data Protection Regulation (GDPR).
Finding DPOs, according to Novel, is not easy. In Indonesia, undergraduate study in cybersecurity is still limited. When referring to the European Union's GDPR, at least one DPO is sufficient for one company. However, DPOs must be equipped with three competencies, namely technology, law and specific industries. If this is not possible, the company can recruit three people in a team, each having one of those competencies.
Hasan Addahroni (41), an IT security officer at SpiderLabs Trustware, which is based in Australia, said data protection was a necessity. In Australia, for example, in order to improve application services, it is first necessary to carry out checks, and that is what he is doing. During his six years in Australia, he has been in charge of checking for weaknesses in the information system or software in new applications.
"We are working like hackers, namely entering into the application system. We hacked into the system and saw if we could break into the app's private data. If it turns out that it can be broken into, we will report the weakness to the client so that it is repaired," he said, when contacted from Jakarta.
Becoming a necessity
Article 45 Paragraph (1) of the personal data protection (PDP) bill stipulates, "In certain cases the personal data controller and the personal data processor are obliged to appoint an official or officer who carries out the function of protecting personal data".
So, as soon as the bill is passed into law, a lot of DPOs will be needed in Indonesia. The PDP draft bill gives two years after its ratification before the provisions in the law become effective and binding, including the issue of DPOs.
A number of companies and agencies in central government have started preparing DPOs.
KOMPAS/LARASWATI ARIADNE ANWAR
Online ojeg drivers park their motorbikes and sit on the sidewalk at Jalan Cikini Raya, Menteng, Central Jakarta on Wednesday (3/2/2021). Go-Jek has hidden the phone numbers of both the customer and the driver. A phone number is one type of personal data that must be protected.
Chief of public policy and government at Gojek, Shinto Nugroho, during an online discussion, shared her institution’s efforts to develop DPOs as a sustainable program. "Imagine, for our chief information security officer, we recruited engineers who had worked at NASA. Because, if the [information about] rockets didn't even leak, we hope this will be the case in managing our data," said Shinto.
Tokopedia has also made efforts to secure data. Tokopedia external communications senior lead Ekhel Chandra Wijaya said his company implemented a layered security system. Tokopedia also collaborates with strategic partners who specialize in cybersecurity to secure user data.
The Foreign Ministry’s Center for Information and Communication Technology of the Ministry and Representatives (Pustik KP Kemenlu) has the task of maintaining the cybersecurity system of the ministry as well as the representative offices abroad. Pustik KP has been around since 2017. The Defense Ministry also owns the Cyber Defense Center.
Pustik KP head Agus Trenggono said the center had a working group that focused on maintaining the ministry's cybersecurity. Working group members are educated to have competencies that are not inferior to those of DPOs in private companies. They include, among others, experts in the field of network security and cryptography.
Head of the Defense Ministry’s Cyberdefense Center (Pushansiber), Raja H. Manalu, some time ago, said that in order to overcome the challenge regarding limited human resources, Pushansiber was building relationships with the cyber community. "We succeeded in bringing them in. Even though their characters are not the same as employees at the Defense Ministry, they are both Red and White [patriotic]," he said, referring to the color of the national flag. (REK/DEA/BOW/EDN)