
Types of Personal Data According to the PDP Law, What Are the Implications for Companies?
February 13, 2026

In daily business operations, companies collect and process a great deal of personal data: customer names and email addresses in marketing databases, employee ID numbers (NIK) and bank account numbers in HR systems, and identity documents and tax ID numbers (NPWP) of vendors.
Such data is still often treated as an ordinary digital asset, without adequate classification or protection.
Yet Indonesia’s Law Number 27 of 2022 on Personal Data Protection (PDP Law) stipulates that information about an identified or identifiable person is that person’s personal data and must be protected.
In practice, company management frequently has not realized that data sets they regard as “ordinary operational” records (customer databases, employee archives) fall within the scope of the PDP Law.
This awareness usually emerges only when auditors or regulators begin asking for the legal basis on which this personal data is processed and managed.
Personal Data According to the PDP Law
Article 1 Paragraph 1 of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law) states the definition of personal data as follows:
Personal Data is data about an individual who is identified or can be identified separately or in combination with other information either directly or indirectly through electronic or non-electronic systems.
Simply put, personal data is any data that can identify a person. This means that as long as a piece of data can lead to the identification of an individual, then that data falls within the protection scope of the PDP Law.
The PDP Law divides personal data into two main categories:
- General personal data
- Specific personal data
This distinction matters because it determines the level of protection, the access restrictions, and the controls a company must implement.
An email address, for example, must be handled differently from a bank account number or a national ID number (NIK).
Types of General Personal Data
General personal data are basic identity data most frequently collected in daily business activities.
Although it is called “general,” it does not mean it can be treated carelessly. This data is protected by the PDP Law and carries risks if misused.
Several categories of general personal data according to PDP Law Article 4 paragraph 3 include:
- Full name
- Gender
- Citizenship
- Religion
- Marital status
- Personal data combined to identify an individual
1. Full Name
A full name is present in almost every company system: CRM, customer databases, employment contracts, and invoices.
On its own, a full name generally carries little risk. Combined with other data (email, phone number, address) and then leaked, however, it can be used for social engineering or fraud.
A common mistake is to classify names as “non-sensitive.” Combined with other data, a name becomes an entry point for risk.
2. Gender
Gender data is generally collected for administrative needs or marketing segmentation. For example, e-commerce companies use this data to design more targeted promotional campaigns, such as offering certain products based on customer profiles.
However, in practice, misuse can occur when the data is used to limit access to opportunities or services.
For example, recruitment systems that indirectly filter candidates based on gender for certain positions, or promotional programs shown only to certain groups without objective grounds.
Such use risks violating the principle of fairness in data processing and may trigger allegations of discrimination which have legal and reputational consequences.
3. Citizenship
Citizenship is often required for recruitment, tax reporting, or the management of foreign workers.
Yet many companies still store citizenship data in shared files without access controls. A leak can lead to regulatory violations as well as discrimination and social pressure against the individuals concerned.
4. Religion
Religious data is usually collected for certain administrative needs in HR. However, socially, religious data is considered sensitive information.
Leakage of religion data can cause internal conflict, allegations of discrimination, and serious reputational risks. Access to this data should be strictly limited and only for functions that truly require it.
5. Marital Status
This data is commonly used for credit assessment in the financial sector and family allowances. However, if combined with home address and family data, the risk increases.
What is often misunderstood by management is the assumption that administrative data is automatically safe. In fact, a combination of several simple data points can clearly identify an individual.
6. Personal Data Combined to Identify an Individual
Understanding combined data is crucial to comply with the PDP Law.
A single phone number may not identify someone on its own. If the same file also stores a transaction history and an email address, however, the combination becomes highly valuable personal data.
In audits, it is common to find that a breach originated from a “simple” file, such as an Excel sheet listing training participants with their names, institutions, and email addresses. For cybercriminals, such files are easy targets.
Types of Specific Personal Data
Specific personal data is data with a high level of sensitivity and greater legal risk. In GRC practice, this category must receive additional controls, both in terms of technology and governance.
Several categories of specific personal data according to Article 4 paragraph 2 of the PDP Law include:
- Health data and information
- Biometric data
- Genetic data
- Criminal records
- Children’s data
- Personal financial data
- Other data in accordance with laws and regulations
1. Health Data and Information
Health data includes medical histories, medical records, employee COVID-19 test results, BPJS (Social Security Administrator) records, and employee health insurance claims.
The classification of this data is not limited to hospitals. Companies that conduct medical check-ups, provide health insurance, or collect employee sick leave data also hold this data.
Its leakage may cause stigmatization, workplace discrimination, and potential extortion against individuals. For companies, they may face lawsuits and reputational damage as employers.
2. Biometric Data
Fingerprints, retina/facial scans, or voice patterns for building access are included in the biometric data category. This data is widely used for attendance, building access, or transaction authentication.
Many companies entrust the management of biometric data entirely to vendors without verifying that adequate security standards are in place.
The risk here is permanent: unlike a password, a biometric cannot be replaced. Once leaked, it can be misused to bypass the company’s physical and digital access controls.
3. Genetic Data
Genetic data is DNA information that reveals ancestry, disease predisposition, and unique biological characteristics. Although not common in all sectors, many life/health insurance companies or DNA testing services store this data.
Management of genetic data generally requires very explicit consent and complete information.
4. Criminal Records
From a social perspective, criminal records are among the most sensitive data. They are normally held by law enforcement institutions but may appear in recruitment processes for certain positions (for example, in the financial sector).
Background checks conducted by companies must be carried out carefully, with a valid legal basis and clear, documented consent from the individual concerned.
If this information leaks, the risk of stigma and legal claims is very high. Access must strictly follow the need-to-know principle.
5. Children’s Data
Children are vulnerable data subjects, and collecting their data requires consent from a parent or guardian.
Children’s apps and games, educational platforms, and even loyalty programs aimed at families must have special protection mechanisms.
In practice, children’s data must receive extra attention because of its sensitivity and the much higher public risk if it is mishandled.
6. Personal Financial Data
Personal financial data relates to credit card numbers, bank accounts, transaction history, loans, and assets. This data is the primary target of cybercriminals and carries very high risk.
Leakage directly results in real financial losses for individuals and liability as well as reputational damage for companies.
7. Other Data According to Laws and Regulations
The PDP Law explicitly includes “other data in accordance with laws and regulations” as specific personal data. This means the list of sensitive data types can grow through sectoral regulations.
This clause makes data classification dynamic. For example, the Population Identification Number (NIK) is, on the basis of the Population Administration Law, treated as specific data because it is unique and permanent.
Prohibitions in the Use of Personal Data
The PDP Law emphasizes that every processing of personal data must follow the principles of personal data protection. These principles serve as clear boundaries for companies in collecting, using, storing, and deleting data.
In a business context, violations of these principles are not just about administrative non-compliance, but may become a serious legal and reputational risk.
1. Prohibition of Processing Without Legal Basis
Companies may not process personal data without a valid legal basis. Every data collection must have a clear and relevant purpose.
Collecting excessive data or without measurable necessity may be considered a violation. In audit practice, this often occurs in registration or onboarding forms requesting information beyond reasonable business interests.
2. Prohibition of Use Beyond Purpose
Data that has been collected may only be used for the purpose for which it was collected. If the company wishes to use it for another purpose, an additional legal basis is required, which may be the data subject’s consent.
Deviation from processing purpose is one of the main sources of disputes with data subjects.
3. Obligation to Maintain Accuracy and Accountability
Personal data must be processed accurately and accountably. Companies must have mechanisms for data updates and adequate documentation.
Inaccurate data may harm individuals and open potential legal claims against the company.
4. Prohibition of Negligence in Security
Companies are obliged to protect personal data from unauthorized access, unlawful disclosure, or improper alteration.
Negligence in security, even without intentional misconduct, may still be considered a violation. In many cases, weak internal controls are the main cause of data breach incidents.
5. Prohibition of Storage Beyond Retention Period
Personal data may not be stored indefinitely. After the processing purpose has been fulfilled or the retention period has ended, the data must be deleted or destroyed in accordance with regulations.
Storing old data that is no longer relevant actually increases risk exposure in the event of a security incident.
Sanctions and Their Impact
Violation of these provisions may result in administrative sanctions, including warnings, suspension of processing, and orders to delete data. In certain conditions, criminal sanctions are also possible.
- Administrative sanctions: from written warnings and temporary suspension of data processing up to administrative fines of at most 2% of annual revenue (for corporations).
- Criminal sanctions: imposed on individuals, including company management, who intentionally and unlawfully obtain, disclose, or use personal data. The penalties include imprisonment and/or very large personal fines (billions of rupiah).
- Civil claims: individuals who suffer losses may claim material and immaterial damages. A class action on behalf of millions of affected users can financially devastate a company.
For companies, however, the most significant impact is often reputational risk and the loss of customer trust.
Compliance with the prohibitions in the PDP Law should therefore be understood as part of the risk management and corporate governance system, rather than merely a formal legal obligation.
What Are the Implications for Companies?
The implications of the PDP Law for companies are not just legal compliance issues, but matters of data governance. This touches business processes, technology, and organizational culture.
At least, there are six things companies need to do to comply with the PDP Law:
- First, companies must clearly know what data they possess. Without clear data mapping, management cannot measure risk, determine security priorities, or convincingly answer auditor questions.
- Second, companies need to clearly classify personal data types between general and specific personal data. Without classification, applied controls tend to be uniform and not proportional to risk levels.
- Third, access control implementation must be role-based (RBAC). Not every division has the right to access all data types. Access must be based on legitimate work needs, not merely operational convenience.
- Fourth, retention policies must be implemented and consistently executed. In many cases encountered, former employee or old customer data remains stored for years without clear purpose. The longer data is stored without basis, the greater the risk exposure in case of breach.
- Fifth, vendor management is crucial. Companies remain responsible for data processed by third parties. Contracts must include data protection clauses, security standards, and incident reporting mechanisms.
- Sixth, documentation and audit trails must not be neglected. In audit practice, common questions are not only “do you have policies?” but “can you prove that the policies are implemented?”. Companies need adequate documentation regarding legal basis for processing, data subject consent, data classification, as well as records of data access and changes. Well-documented audit trails serve as proof of accountability during incidents or regulatory examinations.
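The six steps above are usually implemented as policy documents, but the second, third, fourth and sixth can be expressed directly in code: classify each record by the highest Article 4 category it contains, let that level drive role-based access and retention, and write every decision to an audit trail. The following example is added here to illustrate that; it is not code from the original article or from any GRC product. Column names, role names, and retention periods are assumptions for the sake of illustration, and the sample records are constructed, not real data.

```python
"""Added example: PDP Law Article 4 classification driving RBAC, retention and audit."""
from dataclasses import dataclass
from datetime import date, timedelta

# Article 4(3) general personal data. Column names are assumed for this example.
GENERAL = {"full_name", "gender", "citizenship", "religion", "marital_status"}
# Data that identifies a person indirectly or in combination (Article 4(3), last item).
QUASI_IDENTIFIERS = {"email", "phone", "address", "transaction_history"}
# Article 4(2) specific personal data. Column names are assumed.
SPECIFIC = {"medical_record", "fingerprint_template", "genetic_profile",
            "criminal_record", "child_name", "bank_account", "card_number"}
# Assumed role clearances: which levels a role may read (company policy, not statute).
ROLE_CLEARANCE = {
    "marketing": {"general"},
    "hr_payroll": {"general", "specific"},
    "auditor": {"general", "specific"},
}
# Assumed retention periods per level (a policy choice; the PDP Law sets no fixed figure).
RETENTION_DAYS = {"general": 730, "specific": 365}
META_FIELDS = {"record_id", "last_used"}


def classify_field(name: str) -> str:
    """Map one column name to 'specific', 'general' or 'none'."""
    if name in SPECIFIC:
        return "specific"
    if name in GENERAL or name in QUASI_IDENTIFIERS:
        # A quasi-identifier is treated as general personal data because,
        # combined with anything else in the record, it can identify the person.
        return "general"
    return "none"


def classify_record(record: dict) -> str:
    """A record inherits the highest level of any field it contains."""
    levels = {classify_field(k) for k in record if k not in META_FIELDS}
    for level in ("specific", "general"):
        if level in levels:
            return level
    return "none"


@dataclass(frozen=True)
class AuditEvent:
    when: date
    actor: str
    action: str
    record_id: str
    level: str
    outcome: str


def check_access(role: str, record: dict, today: date, audit: list) -> bool:
    """RBAC decision: allowed only if the role is cleared for the record's level.
    Every decision, allowed or denied, is appended to the audit trail."""
    level = classify_record(record)
    allowed = level == "none" or level in ROLE_CLEARANCE.get(role, set())
    audit.append(AuditEvent(today, role, "read", record["record_id"], level,
                            "allowed" if allowed else "denied"))
    return allowed


def retention_expired(record: dict, today: date) -> bool:
    """True when the record has outlived the retention period for its level."""
    level = classify_record(record)
    if level == "none":
        return False  # not personal data; outside this policy
    return today - record["last_used"] > timedelta(days=RETENTION_DAYS[level])


def purge_expired(records: list, today: date, audit: list) -> list:
    """Return only records still within retention; log each deletion."""
    kept = []
    for r in records:
        if retention_expired(r, today):
            audit.append(AuditEvent(today, "retention_job", "delete",
                                    r["record_id"], classify_record(r), "deleted"))
        else:
            kept.append(r)
    return kept


# Constructed sample records (no real people) covering general, specific and non-personal data.
SAMPLE_RECORDS = [
    {"record_id": "crm-1", "full_name": "A. Contoh", "email": "a@example.com",
     "last_used": date(2025, 12, 1)},
    {"record_id": "hr-7", "full_name": "B. Contoh", "bank_account": "0000000000",
     "medical_record": "fit-to-work", "last_used": date(2024, 6, 1)},
    {"record_id": "log-3", "server": "web01", "last_used": date(2020, 1, 1)},
]


def run_demo(today: date = date(2026, 2, 13)) -> dict:
    """Classify, check marketing access, purge expired records, return everything plus the audit trail."""
    audit: list = []
    decisions = {r["record_id"]: check_access("marketing", r, today, audit)
                 for r in SAMPLE_RECORDS}
    remaining = purge_expired(SAMPLE_RECORDS, today, audit)
    return {"levels": {r["record_id"]: classify_record(r) for r in SAMPLE_RECORDS},
            "marketing_access": decisions,
            "remaining_ids": [r["record_id"] for r in remaining],
            "audit": audit}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design choices are worth noting. Quasi-identifiers such as an email address are classified as general personal data even when they appear alone, which is the conservative reading of the “combined to identify an individual” item; the safer default is to over-classify, since under-classification is what leads to the uniform, non-proportional controls described above. And the audit trail records denied access attempts as well as allowed ones, because during an examination the question “who tried to read specific personal data and was refused?” is as useful as “who read it?”.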
Conclusion
Under the PDP Law, personal data is divided into general personal data and specific personal data. This classification determines the level of protection required and the legal risk involved.
The biggest issue often found in practice is not that companies are unaware of the existence of the PDP Law, but that they do not realize the types of personal data they manage daily.
Companies that proactively understand this classification, map their data, and build strong governance will not only minimize the risk of fines and reputational damage but also build competitive advantage.
Customer trust in the digital era is the new currency, and personal data protection is its foundation. This preparedness will also make companies more resilient in facing internal audits, external audits, and examinations from the PDP Authority in the future.
FAQ: Types of Personal Data According to the PDP Law
What is personal data according to the PDP Law?
Personal data according to the PDP Law is any data about a person that can identify an individual, either directly or indirectly, through electronic or non-electronic systems. If a piece of data can point to someone’s identity, it falls within the scope of protection under the PDP Law.
What is the difference between general and specific personal data?
General personal data includes basic identity data such as name, gender, citizenship, religion, and marital status.
Specific personal data is data with a higher sensitivity level, such as health data, biometric data, genetic data, criminal records, children’s data, and personal financial data.
The difference lies in the level of risk and the protection that companies must implement.
Why does personal data classification matter for companies?
Because classification determines the level of control that must be applied. Specific personal data requires stricter protection than general personal data. Without classification, companies risk applying controls that are not proportional to the risk level.
What are the risks if a company does not comply with the PDP Law?
The risks include administrative sanctions, potential criminal liability in certain conditions, civil lawsuits, and reputational damage. In addition, companies may lose the trust of customers, employees, and business partners.