
Data Governance and Management in Personal Data Protection

Veda Praxis | Jan 19, 2026 | Technology

In recent months, Indonesia has been shaken by disruptions to immigration services at Soekarno-Hatta International Airport, which were later confirmed to have affected all other airports nationwide. It has been confirmed that these immigration service disruptions were caused by issues at the National Data Center (Pusat Data Nasional/PDN) resulting from a ransomware cyberattack carried out by the Brain Cipher group, which is derived from LockBit 4.0.

In its official press release, the Government stated that the cyberattack caused data to be encrypted, with the most severe impact being data loss. The situation was further exacerbated by the absence of an implemented backup procedure. This is particularly critical given that the PDN stores state data originating from various government institutions.

This incident has raised public awareness of the importance of securing and backing up data. Proper data management and adequate cybersecurity measures are essential. More than merely having frameworks or policy documents in place, these must be implemented consistently and on an ongoing basis. Through such implementation, all data management activities can be monitored, controlled, and held accountable by relevant stakeholders and data managers.

The Importance of Data Governance and Data Management

In practice, data governance and data management within government organizations have not yet met the standards of good data governance. In the PDN case, it was found that only 2% of institutions performed independent data backups.

Conceptually, data governance differs from data management in terms of function. Data governance serves to define rules, roles, and responsibilities in data management, whereas data management focuses on controlling and delivering data and information [1].

As illustrated above, data governance and data management should be collaboratively implemented to produce reliable data and to facilitate value creation for organizational decision-making purposes.

With a focus on data protection—whether personal data, non-personal data, or other data according to their respective classifications—the implementation of data governance and data management can be applied across organizations of various types and sizes.

Fundamentally, organizations are required to establish policies, standards, and procedures that serve as the primary references for data management. The roles and responsibilities assigned to each function significantly influence the success of data governance and data management.

Challenges in Personal Data Protection (PDP)

Personal data refers to data relating to an identified or identifiable individual, either independently or in combination with other information, directly or indirectly, through electronic or non-electronic systems.

In addition to the low level of public awareness in Indonesia regarding personal data, challenges in personal data protection (PDP) also arise from inadequate Information Technology (IT) infrastructure used for data processing. The Institute for Policy Research and Advocacy (ELSAM) recorded alleged unlawful disclosures involving at least 668 million personal data records by the end of 2023 [2].

In the PDN case, the IT systems were protected only by the default Windows Defender. Furthermore, there were no clear provisions governing routine backup processes to ensure data security.

ISO 27001 in PDP Implementation

ISO/IEC 27001:2022 on Information Security Management Systems (ISMS) is currently the most widely implemented standard in Indonesia. In addition, ISO/IEC 27701:2019 has been introduced as an extension of ISO/IEC 27001:2022 to support the implementation of a Privacy Information Management System (PIMS).

ISO/IEC 27001:2022 states that organizations must identify and comply with requirements related to privacy preservation and the protection of Personally Identifiable Information (PII), in accordance with applicable laws, regulations, and contractual obligations, as part of strengthening information security controls [3].

ISO/IEC 27701:2019 enhances information security management by strengthening privacy information protection and has the potential to provide a competitive advantage for organizations that implement it [4]. Furthermore, ISO/IEC 27701:2019 assists organizations in identifying and mitigating information security risks related to personal data through established standards.

Organizations that have implemented ISO/IEC 27001:2022 are required to carry out specific activities within defined timeframes, including risk assessments, internal audits, operational reviews, security testing, Business Continuity Plan (BCP) testing, and other related activities. By adopting ISO/IEC 27701:2019, organizations can further strengthen their privacy protection programs while continuously improving existing information security management processes.

Compliance with Laws and Regulations

The Government of Indonesia currently mandates all organizations to comply with Law Number 27 of 2022 concerning Personal Data Protection [5]. Under this law, the stages of personal data processing include:

  • collection and acquisition;

  • processing and analysis;

  • storage, correction, and updating;

  • display, announcement, transfer, dissemination, or disclosure; and/or

  • deletion or destruction.

In response to these legal requirements, organizations are expected to translate such processes into internal policies, standards, and procedures, as well as to determine the functions responsible for data management. Clear roles and responsibilities must be defined for Data Controllers, Data Processors, Data Protection Officers (DPOs), and other relevant functions involved in data management.

Equally important is the categorization of organizational data into two main categories: personal data and non-personal data. This categorization serves as the foundation for subsequent decisions regarding how organizations implement PDP, both in terms of documentation and supporting technology, systems, and security measures.

Alignment in Implementing Data Governance, Information Security Standards, and PDP Law Compliance

In implementing the PDP Law, both data governance and ISO 27001 standards emphasize three core assets: People, Process, and Technology.

People

Organizations must define clear roles and responsibilities for each function involved in data management. Organizations seeking to implement PDP should conduct background checks and competency assessments of appointed personnel.

Given that the risk of data breaches may originate internally due to human error, it is essential to ensure that appointed individuals possess the required competencies, understand the importance of data and privacy security, and are capable of using data appropriately in accordance with applicable requirements and regulations [6].

Process

Clearly defined and well-documented processes serve as practical guidance for all functions involved in data management.

Organizations that have established data categories are expected to translate each process into policies, standards, and procedures. These documents should detail the treatment of each data category to facilitate investigations when issues arise in data management or data processing.

Technology

Personal data is predominantly processed using technology. Therefore, organizations must ensure the security and reliability of the systems they use. Cloud computing may be utilized as a data storage solution, provided that data is consistently backed up and supported by high availability standards to minimize system failures and data loss that could disrupt operations and damage organizational reputation.

From an information security perspective, organizations must also ensure that data protection aligns with recognized security principles, including Confidentiality, Availability, Integrity, Authentication, and Non-Repudiation.

The implementation of encryption through cryptographic management, data masking, and access management is essential to support personal data protection and to build trust and confidence among stakeholders affected by personal data management activities.
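The article names data categorization, data masking and access management as the technical side of PDP but does not show how they fit together. The following Python script is an added example (it is not code from Veda Praxis or from any of the standards cited here) showing one way a data-category policy, as described under "Process", can drive the treatment of each field at the point of disclosure: non-personal fields pass through, personal fields are pseudonymized with a keyed hash or partially masked, and only a role explicitly allowed to see personal data in the clear (here, the DPO) receives the original values. The field names, the sample passenger record, the role names and the policy table are all constructed for this example; a real deployment would take the policy from the organization's own classification documents and the key from a managed secret store.

```python
"""Category-driven masking of personal data (added example, not from the article).

Assumptions (constructed for this example, not stated in the article):
  * a record is a flat dict of field -> string value;
  * each field is classified in FIELD_POLICY as "personal" or "non_personal"
    with a treatment of "clear", "partial" or "pseudonym";
  * the reader's role is a string; only roles in CLEAR_ROLES see personal
    data unmasked. All names below are hypothetical.
"""
import hashlib
import hmac

# Hypothetical policy table derived from a data classification document.
FIELD_POLICY = {
    "citizen_id": ("personal", "pseudonym"),   # identifier: replace with keyed token
    "full_name":  ("personal", "partial"),     # keep initials only
    "email":      ("personal", "partial"),     # keep first letter and domain
    "phone":      ("personal", "partial"),     # keep last three digits
    "flight_no":  ("non_personal", "clear"),
    "gate":       ("non_personal", "clear"),
}

# Roles permitted to read personal data in the clear; every other role is masked.
CLEAR_ROLES = {"dpo"}

# Constructed demo key. In practice this comes from a key-management system.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256, truncated): the same input always yields the
    same token, so records stay joinable, but the token cannot be reversed
    without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def partial_mask(value: str) -> str:
    """Leave a small hint for operational use while hiding the identifying part."""
    if "@" in value:                                 # e-mail: first letter + domain
        local, domain = value.split("@", 1)
        return local[:1] + "***@" + domain
    if value.replace("+", "").replace("-", "").replace(" ", "").isdigit():
        return "*" * (len(value) - 3) + value[-3:]   # phone: last three characters
    # names: first letter of each word
    return " ".join(w[0] + "*" * (len(w) - 1) for w in value.split())


def apply_policy(record: dict, role: str) -> dict:
    """Return a copy of the record with every field treated according to its category.

    Fails closed: a field that has not been classified raises instead of being
    passed through, so an undocumented attribute cannot leak by default.
    """
    out = {}
    for field, value in record.items():
        if field not in FIELD_POLICY:
            raise KeyError(f"unclassified field: {field}")
        category, treatment = FIELD_POLICY[field]
        if category == "non_personal" or treatment == "clear" or role in CLEAR_ROLES:
            out[field] = value
        elif treatment == "pseudonym":
            out[field] = pseudonymize(value)
        elif treatment == "partial":
            out[field] = partial_mask(value)
        else:
            raise ValueError(f"unknown treatment {treatment!r} for {field}")
    return out


# Constructed sample record (fictitious person and flight).
SAMPLE_RECORD = {
    "citizen_id": "3171011234560001",
    "full_name": "Budi Santoso",
    "email": "budi.santoso@example.com",
    "phone": "+62-812-3456-7890",
    "flight_no": "GA123",
    "gate": "D7",
}

if __name__ == "__main__":
    for role in ("dpo", "analyst"):
        print(role, apply_policy(SAMPLE_RECORD, role))
```

Two design choices matter here. The policy is data, not code, so the documented treatment per category (which the article says should be written into policies, standards and procedures) is the single place that decides what a reader sees, and changing it does not require touching the masking logic. And the function refuses unclassified fields rather than passing them through, which turns "we forgot to classify this column" into a visible error instead of a silent disclosure.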

A Holistic Approach to Strengthening Personal Data Protection

Major cyber incidents that have occurred in Indonesia have underscored the importance of data governance and data management in defining rules, assigning roles and responsibilities, and establishing effective data control mechanisms.

Personal data protection in Indonesia remains challenged by low awareness among human resources and insufficient security measures for existing technological infrastructure. Accordingly, a holistic approach is required to strengthen personal data management through the effective implementation of data governance and data management. This approach includes the availability of policies underpinning data protection activities, the enhancement of awareness and competencies among involved stakeholders, and the deployment of reliable and secure information technology systems.

References:

[1] Data Management Body of Knowledge (DMBOK)

[2] https://www.elsam.or.id/siaran-pers/international-data-privacy-day-2024--tantangan-implementasi-satu-tahun-uu-pelindungan-data-pribadi

[3] ISO/IEC 27001:2022 Information Security Management System

[4] ISO/IEC 27701:2019 Privacy Information Management

[5] Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi.

[6] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023