Indonesia's Personal Data Protection Law (UU PDP, Law 27/2022) gives enterprises until October 17, 2026 to be fully compliant. That deadline is six months away.
Most APAC enterprise AI teams that process Indonesian personal data have not yet started compliance work. Most that have started are under-prepared for the specific AI implications.
This is a checklist, not a comprehensive guide. Work through it with your legal and technology teams.
Why AI teams specifically need to act
The PDP Law affects all personal data processing, not just AI. But AI systems have specific characteristics that create compliance complexity:
- Scale: AI models process personal data at volume and speed that manual review cannot keep up with
- Opacity: AI decisions (credit scoring, content recommendation, fraud flags) may be hard to explain — but the PDP Law requires explanations for automated decisions
- Training data: Data used to train AI models is "processed" under the law — even historical data
- Third-party models: If you use a US-based LLM provider, your Indonesian user data is crossing a border
The six-step checklist
Step 1: Inventory all AI systems that touch Indonesian personal data
List every AI system your organisation operates that processes personal data of Indonesian residents. This includes:
- Customer-facing AI (chatbots, recommendation engines, personalisation)
- Internal HR AI (performance management, recruitment screening)
- Credit and fraud AI
- Any analytics or ML model trained on customer data
For each system, document: what data it processes, where the data is stored, who has access, and what decisions the system influences.
Timeline: 2 weeks. This is foundational — everything else depends on it.
Step 2: Establish legal basis for each processing activity
Under the PDP Law, every data processing activity needs a legal basis. For enterprise AI, the relevant bases are:
- Consent: The data subject has explicitly consented to this specific processing
- Contract: Processing is necessary to perform a contract with the data subject
- Legitimate interest: Processing is necessary for a legitimate interest (requires balancing test — may not cover all AI use cases)
- Legal obligation: Processing is required by law
Many enterprise AI systems are running on assumed legal bases — informal consent buried in terms and conditions, or "legitimate interest" claimed without a documented balancing test. These need to be formalised.
Timeline: 4 weeks (can run in parallel with Step 1)
Step 3: Implement data subject rights mechanisms
The PDP Law grants Indonesian data subjects the following rights that your AI systems must be able to support:
- Right of access: Data subjects can request what personal data you hold about them
- Right to erasure: Data subjects can request deletion of their personal data
- Right to correction: Data subjects can request correction of inaccurate data
- Right to object: Data subjects can object to certain processing activities
- Right to explanation for automated decisions: If an AI system makes a significant decision about a person (loan approval, insurance underwriting, account termination), the person can request an explanation
The explanation right is the hardest for AI systems. "The model produced this output" is not an explanation. You need to be able to provide: what factors influenced the decision, what data was used, and what the person can do if they disagree.
Timeline: 8–12 weeks (this is the hardest part technically)
Step 4: Review cross-border data transfer arrangements
If your AI processing involves data leaving Indonesia — for inference in US-based cloud AI services, for training on overseas infrastructure, for analytics in shared regional data warehouses — you need to ensure the transfer has a legal mechanism.
The Ministry of Communications and Digital (Kominfo) maintains an approved country list. Singapore is approved. The US, EU, and most other countries require Standard Contractual Clauses (SCCs) or binding corporate rules.
Check every AI vendor contract and cloud service for data processing location. "Data residency in Singapore" does not necessarily mean all processing occurs in Singapore — model training, logging, and support access may route through the US.
Timeline: 3–4 weeks (legal review is the bottleneck)
Step 5: Establish breach notification procedures
The PDP Law requires notification to Kominfo within 14 days of discovering a personal data breach. For AI systems, breach scenarios include:
- Unauthorised access to training data repositories
- Exposed model inference outputs that contain PII
- API endpoints returning personal data without authorisation
- Third-party AI provider breaches affecting Indonesian data
Map your AI systems to your breach response plan. Who is notified internally? What is the technical containment procedure? Who drafts the Kominfo notification?
Timeline: 2–3 weeks (if you have a general incident response plan, adapt it)
Step 6: Document everything
The PDP Law requires that you can demonstrate compliance — not just claim it. Document:
- Your data processing inventory (Step 1)
- Legal basis for each processing activity (Step 2)
- Data subject rights procedures and any requests received (Step 3)
- Data transfer mechanisms (Step 4)
- Breach response procedures (Step 5)
This documentation is what a Kominfo audit or data subject complaint investigation would examine. If you cannot produce it, the default assumption is non-compliance.
Timeline: Ongoing — start now
What happens if you miss the deadline
Kominfo (Ministry of Communications and Digital) is the enforcement authority. The PDP Law penalties include:
- Administrative sanctions (warnings, temporary suspension of data processing activities)
- Fines of up to 2% of annual revenue for each violation
- Criminal sanctions for intentional unlawful processing (up to 6 years imprisonment, IDR 6 billion fine for individuals)
The 2% revenue penalty aligns with GDPR-style enforcement. For a company with IDR 1 trillion annual revenue (~USD 64M), that's IDR 20 billion (~USD 1.3M) per violation.
Kominfo has not yet demonstrated aggressive enforcement — but the October 2026 deadline represents the expiry of the transition period, after which non-compliance becomes an explicit regulatory position rather than a transition-period omission.
The AI-specific questions your legal team will ask
When you brief your legal team on PDP Law compliance for AI systems, expect these questions:
- "Does the law apply to historical training data?" — Yes. If you used Indonesian personal data to train a model, that training was data processing. If you did not have a valid legal basis at the time, you may have a retroactive compliance issue.
- "What about anonymised or pseudonymised data?" — Complicated. Anonymised data (that cannot be re-identified) is excluded. Pseudonymised data (where the link to identity can be restored) is still personal data under the PDP Law. Most enterprise AI training data is pseudonymised, not anonymised.
- "What counts as an 'automated decision'?" — Any decision made by an algorithm that significantly affects a data subject. Credit, insurance, employment, and content moderation decisions clearly qualify. Recommendation engines that influence purchasing decisions are a grey area.
- "Do we need a Data Protection Officer?" — Required for processing at scale or special category data. Most enterprise AI teams processing personal data at scale should assume yes.
Getting started this week
If you have not started PDP Law compliance work for your Indonesian AI systems, start with Step 1 this week: inventory every AI system that touches Indonesian personal data.
The inventory takes less time than you expect and unlocks everything else. You cannot prioritise compliance effort without knowing what you are protecting.
For AIMenta clients running AI systems in Indonesia: our Governance & Risk practice can conduct a PDP Law AI compliance assessment in 3–4 weeks. Contact us to discuss scope.