On May 7, 2025, Cisometric, in collaboration with ALTA Advocates, welcomed professionals from across legal, compliance, and IT security fields to our first #CyberTalks session of the year: Managing Data Privacy: Principles and Practice.With data privacy becoming a core concern for companies operating in Indonesia, the session was designed to answer one big question: What does it really take to comply with the Personal Data Protection Law (UU PDP)?Take it from us, it’s more than just ticking compliance checkboxes, it involves reshaping how organizations approach both governance and technology.

Session 1: Legal Foundations of PDP in Indonesia

The forum began with Nicholas Glenn, Associate at ALTA Advocates, who walked us through the legal foundation of Indonesia’s UU PDP No. 27 of 2022.From definitions of personal data, to lawful processing principles, to the roles of Data Controllers and Processors, he laid it all out in clear terms. He also touched on key legal responsibilities companies must fulfill, including:How long data should be retained (and when it must be deleted)

What rights data subjects are entitled to

The importance of appointing a DPO (Data Protection Officer)

How to maintain ROPA (Records of Processing Activities)For many attendees, this session served as a much-needed crash course in what the law actually requires, and how to start assessing whether their current processes measure up.

Session 2: From Law to Implementation – A Technical Perspective

Then came the “how” behind the law.Ilafi Firsta Putri, CIPP/E, Data Privacy Consultant at Cisometric, took the stage to translate the legal mandates into technical actions. Her session focused on how companies can implement data protection through ISO 27701, the global standard for privacy information management.She shared:How PDP Law in Indonesia aligns with privacy regulations across Asia-Pacific

What a compliance roadmap looks like from a technical perspective

Where tools and technologies can step in to automate, support, and document privacy efforts

The opportunities and challenges of using privacy tech in real-world settingsIlafi’s message was clear: compliance can’t just sit in the legal department. IT, compliance, and leadership all have to work together. And with the right frameworks like ISO 27701 in place, the road to PDP readiness becomes much more structured.

Q&A Highlights: Real Concerns, Real Curiosity

The Q&A session that followed was one of the most dynamic parts of the event.Questions poured in about how to meet the obligations of the PDP Law, from sanctions for non-compliance, to tools that can assist with data governance. There were lots of questions around how to get started, and what exactly companies need to implement to meet the standard.Some hot topics included:Do all companies need a DPO?

What kind of internal system is needed for compliance?

Are there tools that can help automate data subject requests or consent management?It was clear that the audience wasn’t just curious, they were looking for practical answers they could take back to their teams.

Summary 

This #CyberTalks forum gave us a front-row seat to where many organizations currently stand in their data privacy journey in Indonesia, and just how much demand there is for guidance, clarity, and collaboration.We’re incredibly grateful to our speakers and attendees who helped make this event so valuable. These conversations are just the beginning, and we’re excited to continue supporting companies as they navigate compliance and build stronger, privacy-aware systems.Stay tuned for our next #CyberTalks. We’re just getting started.Follow our social media to get the latest updates on upcoming sessions, expert insights, and cybersecurity resources tailored for your organization.Follow us on:LinkedIn: CisometricInstagram: @cisometricYoutube: Cisometric