Simuna Infosec
Compliance | 2026-06-20

UU PDP (Law No. 27 of 2022): Compliance Obligations for Companies

Indonesia's Personal Data Protection Law has been fully in force since October 2024. Verified facts about its obligations and enforcement.

Indonesia's Personal Data Protection Law represents the country's first comprehensive data protection framework. For organisations processing the personal data of individuals in Indonesia, understanding the current state of the law is essential. This article presents only verified facts.

The Foundation

Indonesia's Personal Data Protection Law is Law No. 27 of 2022, known locally as Undang-Undang Pelindungan Data Pribadi (UU PDP). It was enacted on 17 October 2022 and serves as a comprehensive regulatory framework for personal data processing, applicable to all types of businesses, industries, and organisations — whether private or public. It consolidated more than 30 previously fragmented regulations into a single framework and is widely noted as being modelled in part on the EU's GDPR.

Now Fully in Force

Article 74 of the PDP Law provided a two-year transitional period for organisations to come into compliance. That transition period expired on 17 October 2024. As of that date, all data controllers, data processors, and relevant parties are required to fully comply with the law's provisions, and the law may be enforced against non-compliance.

Extraterritorial Reach

The PDP Law has extraterritorial effect. Overseas organisations — including companies, public entities, and international organisations — can be subject to the law for processing the personal data of Indonesian citizens, whether that processing occurs inside or outside Indonesia.

The Implementing Regulation and Supervisory Authority

An important nuance for organisations to understand: as of May 2026, certain structural elements of the framework are still being finalised. The implementing Government Regulation required by the statute (often referred to as the RPP PDP, last circulated in draft on 31 August 2023) has been drafted but, according to publicly available information, had not yet received presidential signature as of early-to-mid 2026.

Similarly, the dedicated supervisory agency (Lembaga PDP) that the law mandates the President to establish was still in the establishment process as of mid-2026, with enforcement in the interim sitting with the relevant directorate under Indonesia's communications ministry (Komdigi). Organisations should monitor these developments and confirm the current institutional status with qualified Indonesian counsel.

Data Classification

The PDP Law classifies personal data into two categories: personal data of a general nature, and specific (sensitive) personal data. The distinction affects the obligations that apply, with more stringent requirements for specific personal data.

How Simuna Infosec Helps

While the PDP Law is fundamentally about data governance, its consent, breach notification, and penalty provisions make demonstrable data security essential. Our security assessments help organisations identify and remediate the vulnerabilities in systems that process personal data — providing the technical security foundation that underpins genuine PDP Law compliance. We have experience securing a major Indonesian telecom operator, giving us direct familiarity with the local environment.

*This article reflects publicly available information verified as of mid-2026. The implementing regulation and supervisory authority status were evolving; consult qualified Indonesian legal counsel for current compliance decisions.*