Indonesia Data Breach Notification: 72‑hour PDP Law Rule, Who to Notify, Penalties & Sample Notice

By Global Law Experts, posted 2 hours ago

Indonesia data breach notification obligations are now fully enforceable under the Personal Data Protection Law (Law No. 27/2022, known as the PDP Law), which requires data controllers to issue written notice to the regulator and affected data subjects within 3 × 24 hours (72 hours) of becoming aware of a breach. This practical 2026 compliance playbook gives in‑house counsel, DPOs and incident‑response teams the exact timing rules, recipient checklists, required notice content, penalty thresholds and ready‑to‑use sample notices in both English and Bahasa Indonesia. Whether you are managing a technology platform, a financial services operation or any organisation processing personal data in Indonesia, the step‑by‑step workflows below will help you move from detection to compliant notification within the statutory window.

Legal Basis, PDP Law (Law No. 27/2022) and the Current Enforcement Environment

The personal data protection law Indonesia relies on for breach notification is Undang‑Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (Law No. 27 of 2022 on Personal Data Protection). Enacted on 17 October 2022, the law provided a two‑year transitional period for organisations to achieve compliance. Since October 2024, all substantive obligations, including data breach notification, are fully enforceable against both public‑ and private‑sector controllers and processors operating in or targeting data subjects in Indonesia.

The PDP Law is Indonesia’s first comprehensive, sector‑agnostic data‑protection statute. It consolidates obligations previously scattered across ministerial regulations issued by the Ministry of Communication and Digital (Kominfo, now Komdigi) and sector‑specific rules. The law empowers the establishment of an independent Indonesia data protection authority, the Lembaga Pelindungan Data Pribadi (PDP Authority), which is tasked with receiving breach reports, conducting investigations and imposing administrative sanctions. Early indications suggest that the authority’s operational framework continues to be formalised through implementing regulations.

Where the Notification Requirement Sits in the Law

The core breach‑notification obligation is set out in Article 46 of the PDP Law. Article 46(1) requires a data controller to deliver a written notification in the event of a failure to protect personal data (referred to as kegagalan pelindungan data pribadi). The notification must be sent to both the data subjects concerned and the PDP Authority within 3 × 24 hours of the controller becoming aware of the failure. Article 46(2) specifies the minimum content of such a notice: the nature of the breach, the personal data disclosed, the time and manner of disclosure, and the remedial steps taken.

The 72‑Hour Rule, Start Point, What “Awareness” Means and Practical Timeline

The 72‑hour rule for Indonesia data breach notification is straightforward in statute: the controller must issue written notice no later than 3 × 24 hours from the moment it becomes aware that a failure to protect personal data has occurred. In practical terms, “awareness” is generally interpreted as the point at which the controller has confirmed that a breach has taken place, not merely when it receives a preliminary alert or an automated security log entry. Industry observers expect regulators to scrutinise the gap between first detection and formal confirmation as part of any enforcement review.

Understanding the difference between an initial report and a detailed follow‑up is critical. The statute requires the written notification to contain specified minimum fields (see the notice‑content section below). Where a controller cannot provide all details within the 72‑hour window, the likely practical effect will be that controllers file an initial notice covering the known facts and supplement it with a detailed follow‑up report once the forensic investigation is complete.

When the 72‑Hour Clock Does Not Apply

The PDP Law does not expressly carve out a de minimis threshold below which no notification is required. If a failure to protect personal data has occurred, the statute triggers the notification obligation. However, the data breach notification requirements that Indonesian controllers must follow are tied to a “failure”, meaning an actual compromise or loss of protection. A contained vulnerability with no evidence of data exposure may not meet this threshold, but this determination must be documented carefully. Counsel should record the analysis in the compliance log to demonstrate good faith if the assessment is later questioned.

Scenario A, Internal SOC detects exfiltration
  Hour 0 – Discovery: Security operations centre (SOC) flags anomalous data transfer at 09:00 Monday. Incident confirmed by forensic team at 14:00 Monday.
  By Hour 72 – Initial Report: Written notice to PDP Authority and affected data subjects due by 14:00 Thursday. Notice covers known scope, data types, and immediate containment steps.
  Post‑72 Hours – Detailed Follow‑up: Supplemental report filed within 14 days covering root cause, total records affected, remediation timeline and data‑subject support measures.

Scenario B, External researcher reports vulnerability
  Hour 0 – Discovery: Bug‑bounty researcher notifies the controller at 20:00 Wednesday. Controller verifies exploitation at 08:00 Thursday.
  By Hour 72 – Initial Report: Written notice due by 08:00 Sunday. Initial notice identifies the vulnerability, type of data at risk, and steps to patch and contain.
  Post‑72 Hours – Detailed Follow‑up: Supplemental report follows once forensic analysis determines the actual volume of compromised records.

Scenario C, Third‑party processor reports breach to controller
  Hour 0 – Discovery: Processor informs controller of incident at 10:00 Friday. Controller independently confirms impact at 16:00 Friday.
  By Hour 72 – Initial Report: Written notice due by 16:00 Monday. Controller addresses what the processor disclosed and the controller’s independent remediation actions.
  Post‑72 Hours – Detailed Follow‑up: Supplemental report issued after coordinated investigation with the processor, including contractual accountability analysis.

Indonesia Data Breach Notification: Who Must Notify, Recipients and Routing

Under Article 46, the data controller bears the primary obligation to report a data breach in Indonesia. The controller must notify two categories of recipients: (1) the affected data subjects and (2) the PDP Authority (or, pending full establishment of that body, the responsible government supervisory mechanism). Processors do not have a direct statutory reporting duty to the regulator, but they must inform the controller without undue delay so that the controller can meet the 72‑hour window.

How to Decide Whether to Notify Data Subjects

Because Article 46 does not include an explicit risk‑based threshold for data‑subject notification (unlike, for example, the GDPR’s “high risk” test), the safe approach is to notify affected individuals whenever a failure to protect personal data has been confirmed. Where the personal data was encrypted and the encryption key was not compromised, a controller may document the determination that no meaningful exposure occurred, but this assessment should be recorded in a compliance log to support any regulator inquiry.

Data Controller
  When they must notify: When a failure to protect personal data is confirmed, resulting in disclosure, loss, or high risk to data‑subject rights.
  Typical recipient(s): PDP Authority; affected data subjects; downstream processors.

Data Processor
  When they must notify: When the processor detects or is notified of a breach affecting data processed on behalf of the controller.
  Typical recipient(s): Notify the controller immediately; assist the controller with regulator reporting and evidence preservation.

Sub‑processors / Third Parties
  When they must notify: When a breach affects their processing activities subject to contractual arrangements.
  Typical recipient(s): Notify their upstream controller or processor; cooperate fully with remediation efforts.

Organisations should also consider whether law enforcement notification (to the Indonesian National Police or BSSN, Badan Siber dan Sandi Negara) is warranted, particularly where the breach involves criminal activity such as hacking, identity theft or ransomware.

What to Include in a Data Breach Notification Form, Required Fields and Sample Wording

Article 46(2) of the PDP Law prescribes the minimum content that a written notification must include. The data breach notification form that Indonesian controllers prepare should address each of these elements explicitly, even if certain details remain under investigation at the time of the initial 72‑hour report.

Minimum Required Fields

  • Description of the breach. What happened, the nature and circumstances of the failure to protect personal data.
  • Types of personal data disclosed. Identify specific categories (e.g., national identity numbers, financial account data, health records, biometric data).
  • Date and time of the breach. When the incident occurred or was discovered, with timestamps.
  • Manner of disclosure. How the data was exposed, e.g., unauthorised access, system misconfiguration, phishing, physical theft.
  • Remedial steps taken. Immediate containment measures, forensic investigation status, and ongoing remediation actions.
  • Contact details. Name, title, telephone number and email address of the controller’s designated contact for data‑subject inquiries.
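The deadline arithmetic from the scenario table above and the Article 46(2) field list, worked as an added Python example (my code, not the article’s or any regulator’s tool): it starts the 72‑hour clock at confirmation rather than at the first alert, computes the due date, and flags any minimum field still missing from a draft notice. The WIB offset, the field names and the sample dates (constructed to match Scenario A) are my assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Waktu Indonesia Barat is a fixed UTC+7 with no daylight saving, so a
# static offset is safe and avoids depending on the system tz database.
WIB = timezone(timedelta(hours=7), "WIB")

# Article 46(1): written notice within 3 x 24 hours of becoming aware.
STATUTORY_WINDOW = timedelta(hours=72)

# Article 46(2) minimum notice content, in the order the article lists it
# (field names are assumptions for this example).
REQUIRED_FIELDS = (
    "description",     # nature and circumstances of the failure
    "data_types",      # categories of personal data disclosed
    "date_time",       # when it occurred / was discovered
    "manner",          # how the data was exposed
    "remedial_steps",  # containment and remediation so far
    "contact",         # designated contact for data-subject inquiries
)


@dataclass
class BreachRecord:
    first_alert: datetime   # preliminary alert or log entry; does not start the clock
    confirmed_at: datetime  # controller confirms the failure; the 72-hour clock starts here
    notice: Dict[str, str] = field(default_factory=dict)
    dispatched_at: Optional[datetime] = None


def notification_deadline(confirmed_at: datetime) -> datetime:
    """Latest moment the written notice may be issued (Article 46(1))."""
    return confirmed_at + STATUTORY_WINDOW


def missing_fields(notice: Dict[str, str]) -> List[str]:
    """Article 46(2) fields that are absent or empty in the draft notice."""
    return [f for f in REQUIRED_FIELDS if not notice.get(f, "").strip()]


def assess(record: BreachRecord, now: datetime) -> Dict[str, object]:
    """Summarise timing and completeness for the compliance log."""
    deadline = notification_deadline(record.confirmed_at)
    # Regulators are expected to scrutinise the alert-to-confirmation gap.
    gap_hours = (record.confirmed_at - record.first_alert) / timedelta(hours=1)
    if record.dispatched_at is not None:
        status = "on_time" if record.dispatched_at <= deadline else "late"
    else:
        status = "pending" if now <= deadline else "overdue"
    return {
        "deadline": deadline,
        "detection_gap_hours": gap_hours,
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        "missing_fields": missing_fields(record.notice),
        "status": status,
    }


# Constructed sample matching the article's Scenario A: SOC alert Monday 09:00,
# forensic confirmation Monday 14:00 (2 March 2026 is a Monday).
SCENARIO_A = BreachRecord(
    first_alert=datetime(2026, 3, 2, 9, 0, tzinfo=WIB),
    confirmed_at=datetime(2026, 3, 2, 14, 0, tzinfo=WIB),
    notice={
        "description": "Unauthorised access to the customer database via a compromised admin credential",
        "data_types": "Full names, NIK, email addresses, telephone numbers",
        "date_time": "Occurred on or about 2026-03-01; confirmed 2026-03-02 14:00 WIB",
        "manner": "Unauthorised external access via credential exploitation",
        "remedial_steps": "Affected systems isolated, credentials reset, forensic team engaged",
        # "contact" is deliberately omitted so the completeness check fires
    },
)

if __name__ == "__main__":
    for key, value in assess(SCENARIO_A, now=datetime(2026, 3, 3, 10, 0, tzinfo=WIB)).items():
        print(f"{key}: {value}")
```

For Scenario A the deadline lands at 14:00 Thursday, and the draft is reported as pending with "contact" still missing.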

Example Initial Notice, English Version

[Controller Letterhead / Official Communication]

NOTIFICATION OF PERSONAL DATA PROTECTION FAILURE
Date: [DD/MM/YYYY]
Reference: [Internal Reference Number]

To: [PDP Authority / Affected Data Subject Name]

We write to notify you of a failure to protect personal data as required under Article 46 of Law No. 27 of 2022 on Personal Data Protection.

1. Description of the incident: On [date], we identified [brief description, e.g., unauthorised access to our customer database through a compromised administrator credential].

2. Personal data affected: [Full names, national identity numbers (NIK), email addresses, telephone numbers, specify categories].

3. Date and time: The incident occurred on or about [date/time]. We became aware of the incident on [date/time].

4. Manner of disclosure: [e.g., Unauthorised external access via credential exploitation].

5. Remedial steps: We have [isolated affected systems / reset credentials / engaged forensic investigators / notified law enforcement]. We continue to investigate and will provide a supplemental report.

6. Contact: [Name], [Title], [Phone], [Email].

Contoh Pemberitahuan Awal, Versi Bahasa Indonesia

[Kop Surat Pengendali Data]

PEMBERITAHUAN KEGAGALAN PELINDUNGAN DATA PRIBADI
Tanggal: [DD/MM/YYYY]
Nomor Referensi: [Nomor Referensi Internal]

Kepada: [Lembaga Pelindungan Data Pribadi / Nama Subjek Data]

Dengan ini kami memberitahukan adanya kegagalan pelindungan data pribadi sebagaimana diatur dalam Pasal 46 Undang‑Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi.

1. Uraian peristiwa: Pada tanggal [tanggal], kami mengidentifikasi [uraian singkat insiden].

2. Jenis data pribadi yang terpengaruh: [Nama lengkap, NIK, alamat email, nomor telepon, sebutkan kategori].

3. Waktu kejadian: Insiden terjadi pada atau sekitar [tanggal/waktu]. Kami mengetahui insiden pada [tanggal/waktu].

4. Cara pengungkapan: [Misalnya: akses tidak sah dari pihak eksternal melalui eksploitasi kredensial].

5. Langkah perbaikan: Kami telah [mengisolasi sistem yang terdampak / mereset kredensial / melibatkan penyelidik forensik / melaporkan kepada pihak berwenang]. Investigasi masih berlangsung dan laporan lanjutan akan disampaikan.

6. Kontak: [Nama], [Jabatan], [Telepon], [Email].

Example Detailed Follow‑up Notice

The supplemental report should expand on the initial notification by including: root‑cause analysis findings, the total number of data subjects affected, a description of technical indicators of compromise, the data provenance (where the data originated and how it was processed), status of remediation measures, details of any third‑party forensic reports and an updated timeline for data‑subject support such as credit monitoring or identity‑theft protection services.

Cross‑Border Data Transfer and Data Localization Impacts During Breaches

When a breach involves personal data that has been transferred outside Indonesia, the controller faces additional compliance considerations. The PDP Law permits the cross‑border data transfers that Indonesian operations rely on, provided adequate safeguards exist in the recipient country or binding contractual protections are in place. During a breach, the controller should take the following immediate steps:

  • Notify cross‑border counterparties. Alert any offshore processor or joint controller that may hold copies of the compromised data so they can implement parallel containment.
  • Assess data localization requirements Indonesia imposes. Confirm whether a local copy of the breached data was maintained in Indonesia as required by any applicable sector‑specific regulation (e.g., financial services, telecommunications).
  • Document transfer mechanisms. Verify that the legal basis for the international transfer remains valid and record whether the breach undermines the adequacy assessment or contractual safeguards relied upon.
  • Consider regulator coordination. If the data subject population spans multiple jurisdictions, coordinate notification with overseas regulators where required under local law.

Penalties, Enforcement Trends and Practical Remediation

The PDP Law introduces significant sanctions for non‑compliance with the data breach notification requirements that Indonesian organisations must meet. The penalty regime includes both criminal and administrative tracks.

  • Criminal penalties. Under Article 67, any person who intentionally collects, discloses or uses personal data unlawfully faces imprisonment of up to five years and/or a fine of up to IDR 5 billion. Article 68 provides for imprisonment of up to four years and/or a fine of up to IDR 4 billion for deliberately creating false or misleading personal data. While these provisions are primarily aimed at unlawful data use, a failure to report a breach, particularly one involving deliberate concealment, could attract prosecutorial attention.
  • Administrative sanctions. Article 57 empowers the PDP Authority to impose administrative sanctions including written warnings, temporary suspension of data‑processing activities, deletion of personal data, and fines of up to two percent of annual revenue for corporate violators.

Industry observers expect enforcement to intensify through 2026 and beyond as the PDP Authority’s operational capacity matures. Practically, the best mitigation strategy involves: meticulous documentation of discovery timelines; immediate containment evidence; written legal assessments justifying any decision not to notify; and proactive cooperation with the regulator.

Practical Incident Response Checklist, Step by Step

The following incident response workflow is designed to help compliance teams move from detection to notification within the statutory 72‑hour window.

  1. Detection and triage (Hour 0–4). SOC or IT security team flags the incident. Engage the incident‑response lead and legal counsel. Issue a legal hold on all relevant logs, emails and system images.
  2. Confirmation and scoping (Hour 4–24). Forensic team confirms whether a failure to protect personal data has occurred. Identify the types and volume of data affected, the attack vector and whether the breach is ongoing.
  3. Internal escalation (Hour 12–24). Notify the DPO, CISO, General Counsel and senior management. Convene the breach‑response committee. Prepare the initial notification draft.
  4. Notification drafting and approval (Hour 24–48). Complete the initial notice using the template above. Obtain sign‑off from General Counsel and the DPO. Prepare bilingual versions (English and Bahasa Indonesia).
  5. Regulator and data‑subject notification (Hour 48–72). Submit written notice to the PDP Authority through the designated channel. Issue data‑subject notifications via verified contact details (email, registered mail or secure portal). Log submission timestamps.
  6. Post‑notification actions (Hour 72+). Continue forensic investigation. Prepare the detailed follow‑up report. Implement long‑term remediation. Monitor for secondary incidents.

Internal Escalation Roles and Email Routing

  • First responder (SOC / IT Security): Detects and triages → escalates to Incident Response Lead.
  • Incident Response Lead: Coordinates forensic investigation → notifies Legal Counsel and DPO.
  • Legal Counsel / DPO: Assesses notification threshold → drafts notice → advises on regulatory engagement.
  • CISO: Directs technical containment → provides forensic evidence to Legal Counsel.
  • Senior Management / Board: Approves final notification → authorises external communications and remediation budget.

Sample Notice, English and Bahasa Indonesia (Ready to Copy)

The sample notices provided in the “What to Include” section above are designed as editable templates. When using them, observe the following practical guidance:

  • Personalise the recipient field. For data‑subject notifications, include the individual’s name and a reference number where possible.
  • Avoid over‑disclosure. Do not include technical vulnerability details (e.g., CVE numbers, exploit code) in data‑subject notices; this information belongs in the regulator report and forensic annexes only.
  • Timestamp everything. Record the exact date and time the notice was dispatched, the delivery method and confirmation of receipt.
  • Maintain version control. If the initial notice is updated, label subsequent versions clearly (e.g., “Supplemental Report No. 1, [Date]”).
  • Common pitfall: delayed Bahasa Indonesia translation. Prepare bilingual templates in advance. Translating under time pressure during an active incident introduces errors and delays.

Template Compliance Log and Record of Processing Steps

Article 44 of the PDP Law requires controllers to maintain records of all personal data processing activities. In the context of a breach, this obligation extends to documenting the incident lifecycle. A compliance log should capture:

  • Detection record: Timestamp, detection method, individuals who identified the incident.
  • Confirmation assessment: Forensic findings, legal analysis of whether a “failure to protect” occurred, and the decision to notify or not (with reasons).
  • Notification record: Copies of all notices sent, recipient lists, timestamps and delivery confirmations.
  • Remediation log: Technical measures implemented, patches deployed, policy changes made.
  • Retention period: Maintain breach records for a minimum of five years, or longer if required by sector‑specific regulations. This aligns with general record‑keeping expectations and potential limitation periods for enforcement action.

How to Interact with the Regulator, Practical Tips for Hearings, Extensions and Late‑Report Explanations

Where the PDP Authority (or its transitional equivalent) requests additional information or invites the controller to a hearing, the following approach is recommended:

  • Be proactive. If you anticipate missing the 72‑hour window, communicate the delay to the regulator before the deadline expires. Explain the reason (e.g., ongoing forensic analysis, scale of the breach) and provide a firm date for the full report.
  • Prepare a written timeline. Present a clear, chronological summary of detection, confirmation, containment and notification steps. Regulators value transparency over perfection.
  • Bring evidence of good faith. Show your incident‑response plan, prior staff training records, and documentation of investment in security controls. This demonstrates that any delay was not the result of negligence.
  • Tone and format. Use formal written correspondence in Bahasa Indonesia. Follow up with an English‑language courtesy translation if requested. Address communications to the designated officer or directorate.

Indonesia Data Breach Notification Checklist, What Counsel Must Do Within 24, 48 and 72 Hours

0–24 hours
  Action: Confirm the breach. Issue legal hold. Engage forensic team. Brief DPO, CISO and General Counsel. Begin initial notice drafting.
  Owner: Incident Response Lead; Legal Counsel

24–48 hours
  Action: Scope the affected data subjects and data categories. Finalise initial notice (English + Bahasa Indonesia). Obtain management approval. Identify regulator submission channel.
  Owner: DPO; Legal Counsel; CISO

48–72 hours
  Action: Submit written notice to PDP Authority. Dispatch data‑subject notifications. Log all timestamps and delivery confirmations. Brief senior management on next steps.
  Owner: DPO; Communications; Legal Counsel

Post‑72 hours
  Action: Continue forensic investigation. Prepare detailed follow‑up report. Implement long‑term remediation. Monitor for secondary incidents. Update compliance log.
  Owner: CISO; Incident Response Lead; DPO

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Putu Raditya Nugraha at UMBRA – Strategic Legal Solutions, a member of the Global Law Experts network.

Further Reading and Downloadable Resources

For the full text of the PDP Law and related implementing regulations, consult the official government repository. For broader guidance on technology law practice areas, visit the Global Law Experts Practice Area Guides hub. Organisations seeking specialist counsel for Indonesia data breach notification compliance can browse the GLE Lawyer Directory or connect with a technology law specialist directly.
