As organizations in Indonesia begin adjusting to the newly enforced UU No. 27 Tahun 2022 (Data Protection Law), the need to shift from theoretical compliance to practical implementation is more urgent than ever. That urgency formed the core focus of our latest #CyberTalks, hosted in collaboration with PT Perkom and OneTrust. The event was held on 2 October 2025 at AYANA MidPlaza, Jakarta.

Attended by professionals across legal, compliance, and cybersecurity sectors, the forum explored how companies can scale data privacy, as something that is not just meant to check off regulatory boxes, but to truly embed privacy into their systems and culture.

Here’s a look at some of the key insights, tools, and discussion points shared throughout the sessions, from regulatory framing to automation demos, and a cross-sector panel on future-ready privacy strategies.

Session 1: Framing the Privacy Imperative

Opening the event, Ilafi Firsta Putri, CIPP/E, our Data Privacy Consultant at Cisometric, highlighted the evolving landscape of personal data protection in Indonesia, marked by both global shifts and local urgency. She emphasized that UU PDP is a call to action for all organizations to rethink how they collect, store, and manage personal data.

Also read: Comparing Indonesia’s PDP Law with GDPR and U.S. Privacy Rules

The keynote of this session unpacked the foundational principles of UU PDP, including:

• The rights of data subjects, such as the right to access, correct, and erase personal data
• The obligations of data controllers and processors, especially the timeliness and transparency of data handling

Also read: Who Could Be the Data Protection Officer?

• The need for clear governance, internal SOPs, and documentation to demonstrate compliance during audits or incidents

A case study was also presented to illustrate how misunderstandings around "consent" and lack of documentation often lead to reputational damage and regulatory risk. In the example, the organization had failed to document user consent clearly and was unable to prove lawful processing when challenged, resulting in loss of customer trust and regulatory risks. It served as a reminder for other companies that compliance has to be backed up with traceability and proof.

Also read: Customer Consent: The Trust Currency of the Digital Age

Session 2: Privacy Automation in Action

In the second session, Jefri Gabriel Tjong, the Country Sales Lead (Indonesia & Philippines) at OneTrust, offered a live demonstration of how privacy automation tools like OneTrust can make privacy compliance scalable and efficient.

One key feature he shared was how automation supports the “Right to Erasure”, which is a core requirement in UU PDP that gives individuals the right to request the deletion of their personal data. With automation, once a request is received, the system can quickly identify all relevant data across platforms and ensure it is deleted within the legally required time frame. 

Under UU PDP, once a data subject requests deletion, organizations must act within a specific time frame. With automation, personal data across systems can be mapped, identified, and deleted quickly. This significantly reduces both operational burden and compliance risk.

More points being discussed included:

• Data mapping and ownership visibility that identify where personal data lives, who owns it, and how it flows between systems and vendors
• Real-world examples of organizations using automation to handle consent tracking, access requests, and risk assessments efficiently

Jefri also addressed a common misconception: that automation is a quick fix. He emphasized the need to align tools with internal processes and measure meaningful operational outcomes.

Session 3: Panel Discussion — Building a Future-Ready Privacy Ecosystem

After two focused sessions on the regulatory landscape and privacy automation, the event continued with a panel discussion designed to bridge policy, practice, and product. The conversation brought together voices from the private sector, technology providers, and regulatory bodies, each offering a unique lens on how Indonesia can navigate the future of data privacy.

The panel featured:

• Hana Abriyansyah – Founder & CEO at Cisometric
• Eryk Budi Pratama – Vice Chairman, Standing Committee for AI & PDP at KADIN (Indonesian Chamber of Commerce and Industry)
• Jefri Gabriel Tjong – Country Sales Lead, Indonesia & Philippines at OneTrust

The panel discussion was structured into three rounds:

1. Bridging the Gap Between Intent and Execution

Hana highlighted the disconnect between executive-level privacy goals and on-the-ground execution. In many organizations, privacy programs are seen as legal formalities. He encouraged leaders to start with simple but high-impact governance actions, which is cybersecurity maturity assessment, even within the first 90 days, especially when resources are limited.

Eryk emphasized that privacy compliance is often misunderstood as a cost center, when in fact, it can be a strategic differentiator, as cybersecurity is rather political than it is technical. He called on businesses to view compliance as a trust-building opportunity, especially in cross-border data and fintech ecosystems.

Jefri addressed the misconception that automation tools are plug-and-play solutions. He stressed the need to define the core program, operational objectives and metrics, as well as internal ownership to ensure these tools drive measurable outcomes.

2. Implementation, Integration, and What to Watch Out For

The panel also explored the real-world complexity of implementing privacy programs. Jefri emphasized that many implementation challenges stem from unclear core programs, undefined objectives, or lack of measurable metrics. Without clear foundations like these, integrating privacy tools becomes even more difficult and organizations often face increased friction and failure points during deployment. He stressed the importance of ensuring early alignment between legal, IT, and operations before bringing in any platform or solution.

Jefri pointed out common pitfalls in integration, such as lack of IT involvement and siloed deployment. He recommended organizations establish early alignment between legal, IT, and operations before implementing any program or platform.

Hana added that companies should measure success not only through completion of tasks but by looking at risk reduction and operational clarity. Meanwhile, Eryk highlighted the power of cross-sector collaboration, suggesting that industry, academia, and government must work together to build a resilient privacy ecosystem.

3. Looking Ahead: AI, Cloud, and Emerging Risks

As technology rapidly evolves, the panel also tackled emerging risks in AI adoption, cloud services, and third-party data sharing.

Hana warned of new failure modes in privacy, such as invisible processing pipelines in AI models. He stressed that executives must learn to translate technical risk into strategic business decisions, not just delegating it to compliance or IT.

Jefri shared how privacy engineering principles can support responsible AI, and encouraged buyers to ask vendors tough questions about data use, model transparency, and retention policies. Eryk concluded with a call for shared responsibility across sectors, emphasizing the need to balance innovation with long-term trust and accountability.

See You at Our Next #CyberTalks

The session wrapped up with a live Q&A and a door prize giveaway, but more importantly, with a shared commitment to move privacy forward. Participants were also offered the opportunity to book personalized one-on-one workshops with Perkom, OneTrust, and Cisometric to explore practical implementation paths.

If you missed this session but want to explore how your organization can comply with our PDP Law and scale data privacy sustainably, schedule a meeting consultation with our team today, click here.

For more updates on future events, digital scams, cybersecurity insights, and expert tips, follow our social media:

LinkedIn: Cisometric

Instagram: @cisometric

Youtube: @Cisometric