By Setyawati Fitrianggraeni and Taufik Nuariansyah 

 Introduction 

The sharp rise in data breaches shows that non-compliance with data protection laws now poses serious legal and governance risks. Indonesia’s Law No. 27 of 2022 on Personal Data Protection (PDP Law) introduces not only organizational penalties but also potential criminal liability for individual board members. This article explores how compliance failures can escalate into white-collar crime risks, outlines the penalties under the PDP Law, and highlights governance-based strategies for risk mitigation. As Indonesia strengthens its data protection regime, the PDP Law marks a shift from administrative compliance to strategic risk management, requiring board-level oversight. Future enforcement is likely to mirror global trends, making strong data governance essential for long-term business resilience. 

 Regulatory Framework: From PDP Law to Company Law 

Articles 65 to 68 of Indonesia’s Personal Data Protection (PDP) Law impose strict criminal penalties—up to six years’ imprisonment and IDR 6 billion in fines—for individuals, including corporate directors, who misuse, falsify, or unlawfully disclose personal data.1 Article 97(3) of the Company Law further reinforces personal liability by holding directors accountable for company losses due to negligence. These provisions collectively make it easier for authorities to hold individuals responsible in data breach cases. Globally, courts are moving in the same direction. In Nolan v. Dildar, directors were found personally liable for minimal GDPR violations.2 In Singapore, obstructing a data protection investigation can lead to up to 18 months’ imprisonment.3 Regulators are emphasizing board-level responsibility, and without documented privacy governance at the top, directors may struggle to claim due diligence. Under the PDP Law, company leadership—typically the board—acts as the data controller, determining the purpose and scope of personal data processing. While processors (e.g., employees) handle operational tasks, legal responsibility remains with top management. Accountability, in short, cannot be delegated. 

 Criminal Risk Matrix for Directors 

 Based on the table, data breaches exposes directors to overlapping risks: personal criminal charges, corporate penalties, and civil claims. Directors and corporations share a fiduciary relationship. As the company’s legal agents, directors must act with care, loyalty, and confidentiality. In the digital age, these duties include safeguarding personal data. The duty of confidentiality, in particular, obliges directors to protect personal data handled by the company—forming a legal foundation for compliance under both the PDP Law and Company Law (Law No. 40 of 2007). 

 White Collar Mitigation Case Study and Mapping 

Various cases highlight the growing demand for personal accountability in data breach incidents. In the Tokopedia case (2020), where 91 accounts were breached, delayed notification was considered negligence.4 The BRI Life case (2021)5 emphasized internal threats and the importance of comprehensive security management. Public and regulatory pressures now demand accountability not only at the institutional level but also on an individual basis. Mitigating white collar risks in personal data breaches can be mapped into four pillars. First, Governance & Culture by establishing a Data Privacy Committee at the board level with regular risk evaluations. Second, Risk Allocation & Contracts by strengthening vendor agreement clauses and conducting surprise audits. Third, Technical & Incident Response by implementing zero trust architecture, threat detection systems, and incident simulation drills involving executives. Fourth, Insurance & Financial Shield through cyber liability insurance that covers fines and litigation, while considering exclusions for willful negligence.. 

 Conclusion 

In conclusion, the surge in data breaches highlights that non-compliance with data protection laws poses significant risks to both corporations and executives. The Personal Data Protection (PDP) Law and similar regulations impose heavy penalties, including criminal liability for directors. Cases like Tokopedia and BRI Life show the growing demand for personal accountability. To mitigate these risks, companies must adopt a strong governance framework, ensuring clear leadership on data privacy, risk management, technical safeguards, and financial protections such as cyber insurance. Proactive compliance is essential to protect both personal and corporate interests. 

Bibliography 

 A&L Goodbody, ‘Director Held Personally Liable for Data Breach’ (2025) <https://www.algoodbody.com/insights-publications/director-held-personally-liable-for-data-breach-tuesday-26th-march-2024> 

Agustini P, ‘Kominfo Gandeng BSSN Dan Polri Selidiki Dugaan Kebocoran Data BRI Life’ (KOMINFO, 2021) <https://aptika.kominfo.go.id/2021/07/kominfo-gandeng-bssn-dan-polri-selidiki-dugaan-kebocoran-data-bri-life/#:~:text=Kebocoran data kali ini terkait dugaan pembobolan,USD atau di kisaran Rp 101 juta.> 

Chik WB, ‘The Singapore Personal Data Protection Act and an Assessment of Future Trends in Data Privacy Reform’ (2013) 29 Computer Law and Security Review 554 

Fathur M, ‘Tanggung Jawab Tokopedia Terhadap Kebocoran Data Pribadi Konsumen (Tokopedia’s Responsibility for the Leakage of Consumers Personal Data)’, Call for Paper 2nd National Conference on Law Studies: Legal Development Towards A Digital Society Era (2020) <http://jurnal.unissula.ac.id/index.php/PH/article/view/1476> 

Kurniawan KD, Hehanussa DJA and Setiawan R, ‘Criminal Sanctions and Personal Data Protection in Indonesia’ (2024) 11 Lex Publica 221 

DISCLAIMER :

This disclaimer applies to the publication of articles by Anggraeni and Partners. By accessing or reading any articles published by Anggraeni and Partners, you acknowledge and agree to the terms of this disclaimer:

• During the preparation of this work, the author(s) may use AI-assisted technologies for readability. After using this tool/service, the author(s) reviewed and edited the content as needed for the purposes of the publication.

• No Legal Advice: The articles published by Anggraeni and Partners are for informational purposes only and do not constitute legal advice. The information provided in the articles is not intended to create an attorney-client relationship between Anggraeni and Partners and the reader. The articles should not be relied upon as a substitute for seeking professional legal advice. For specific legal advice tailored to your individual circumstances, please consult a qualified attorney.

• Accuracy and Completeness: Anggraeni and Partners strive to ensure the accuracy and completeness of the information presented in the articles. However, we do not warrant or guarantee the accuracy, currency, or completeness of the information. Laws and legal interpretations may vary, and the information in the articles may not be applicable to your jurisdiction or specific situation. Therefore, Anggraeni and Partners disclaim any liability for any errors or omissions in the articles.

• No Endorsement: Any references or mentions of third-party organizations, products, services, or websites in the articles are for informational purposes only and do not constitute an endorsement or recommendation by Anggraeni and Partners. We do not assume responsibility for the accuracy, quality, or reliability of any third-party information or services mentioned in the articles.

• No Liability: Anggraeni and Partners, its partners, attorneys, employees, or affiliates shall not be liable for any direct, indirect, incidental, consequential, or special damages arising out of or in connection with the use of the articles or reliance on any information contained therein. This includes but is not limited to, loss of data, loss of profits, or damages resulting from the use or inability to use the articles.

• No Attorney-Client Relationship: Reading or accessing the articles does not establish an attorney-client relationship between Anggraeni and Partners and the reader. The information provided in the articles is general in nature and may not be applicable to your specific legal situation. Any communication with Anggraeni and Partners through the articles or any contact form on the website does not create an attorney-client relationship or establish confidentiality.

• By accessing or reading the articles, you acknowledge that you have read, understood, and agreed to this disclaimer. If you do not agree with any part of this disclaimer, please refrain from accessing or reading the articles published by Anggraeni and Partners.

Setyawati Fitrianggraeni serves as Managing Partner at Anggraeni and Partners in Indonesia and Assistant Professor at the Faculty of Law, University of Indonesia, while pursuing her PhD at the World Maritime University in Malmö, Sweden and Taufik Nuariansyah Tanjung is an Associate in the Practice Group Advisory and Commercial Transaction at Anggraeni and Partners.

For further information, please contact:

WWW.AP-LAWSOLUTION.COM

P: 6221. 7278 7678, 72795001

H: +62 811 8800 427

Anggraeni and Partners, an Indonesian law practice with a worldwide vision, provides comprehensive legal solutions using forward-thinking strategies. We help clients manage legal risk and resolve disputes on admiralty and maritime law, complicated energy and commercial issues, arbitration and litigation, tortious claims handling, and cyber tech law.

S.F. Anggraeni

Managing Partner

fitri@ap-lawsolution.net

Taufik Nuariansyah

Associate

taufik.nu@ap-lawsolution.net