Towards the deadline for submitting this proposal, honestly I was a bit nervous. Sometimes because of anxiety (not Doechii’s song) — feeling like, “Is my topic just like this?” But after asking here and there and getting comments from Meera on this blog, I became more convinced that my topic is not “just like that”! In fact, now my anxiety has shifted to, “CAN I FINISH IT?” Hopefully I can (I have to be able to, this is mandatory).

Anyway, this April (from start to finish) was really mixed up. Meeting Bjorn, getting input on research objectives, being chased by four courses deadlines that had many ‘sub’ deadlines, plus welcoming Mom who came all the way from Indonesia, it felt like a complete mess, but honestly… it was fun too! And finally, I just had time to write a blog again hehe.

During the break between the last post and this one, I delved deeper into the key questions of my research:

What are the things that can be clarified and improved in the cybersecurity and resilience regulation in Indonesia?
Based on my initial research, here are some key points:

1. No Explicit Obligation to ISO 27001
Currently, the regulation only mentions “referring to international standards”, but does not explicitly state that PJPs must have ISO/IEC 27001 certification. As a result, the interpretation can vary, some only refer to it without accreditation, while others implement it partially.

2. No Maturity Model Structure
Countries such as Singapore (with MAS Cyber ​​Hygiene) and the UK (with the Bank of England’s CBEST framework) have used the maturity level approach. But in Indonesia, it is not clear whether large and small PJPs have different obligations.

3. Lack of Practical Guidance
Qatar, for example, has provided implementation guidelines, even down to risk register templates and incident response playbooks. In Indonesian regulations, there is no technical attachment, even though it could be very helpful for PJP to know “where to start”. Well, this is the core of my project later.

4. [Need for Confirmation(?)] on Audit and Oversight
Our policy has not explicitly explained about periodic audits: should they be external? Who can audit? Must it be an accredited institution? It would be interesting to compare it later with the Bank of England which even requires regular cyber stress testing.

5. Not Yet Integrated with the PDP Law
This last one might be a bit subjective — I think the regulation is not yet integrated enough with the biggest policy in Indonesia, PDP Law. Although the context is related, it does not really emphasize personal data protection as a whole. Well, that’s why later in my research there will be an interview session, and this is one of the things I want to explore more deeply.

I can’t believe it, this is already my last post T.T From the beginning until now, it turns out that I can also make this many blogs. Thank you very much to my friends who have stopped by and read. Please pray that this research can run smoothly and all the reflections that I have written here can be truly realized!

See you when I see you! <3

Because one of the key aspects I will discuss in my dissertation is “Framework design by adapting international standards to local needs, including measures such as data protection impact assessments and operational security measures,” I thought—why not take you along on my mini-exploration of which countries already have practical guidelines for PSPs (Payment Service Providers)?

In this blog post, I want to share what I’ve found! This time, I looked into three central banks: the European Central Bank (ECB), Qatar Central Bank (QCB), and the Bank of Thailand (BoT), focusing on their approaches through the lens of “people, process, and technology.” And here it is..

You might be wondering: why only these three?

Well—I WAS JUST AS SURPRISED! Turns out, many central banks around the world do not have specific frameworks for data governance tailored to PSPs, especially in the context of user personal data. For example:

• Canada is only planning to start regulating PSPs in 2025.
• India hasn’t issued derivative regulations yet—it’s still relying on broader government-issued data protection laws.
• The U.S. doesn’t regulate this via its central bank, but rather through separate authorities.

Among the three I explored, Thailand doesn’t yet have a comprehensive guideline on data protection, but they’re getting there! They’re currently implementing the “Your Data” project, giving consumers the ability to control and modify their data protection preferences. They’ve also released a Consultation Paper on the draft regulation regarding mechanisms that enable customers to exercise their data-sharing rights with financial service providers (within the Your Data Project, under the Bank of Thailand). This will eventually support the development of more structured personal data regulations.

On one hand, I’m proud that Indonesia is acting quickly on this front. On the other hand, it’s a wake-up call—we have to move fast, because our country is often an easy target for cyber threats. Regardless, I believe that the project I’m working on will benefit both my organization and—more importantly—Indonesia.

Let’s keep going. 🚀

After being “killed” by assignments, pre-intensive days, and intensive days—WOW… Semester 2 feels so fast, huh!

So, last February 21, when the wind in Edinburgh was freezing cold, I had the opportunity to meet my Supervisor, Bjorn! I was so happy to finally meet him. There, I told him about my project plan. Bjorn also shared his expectations and considerations, given his strong technical background in IT.

Through this blog, I want to share my project progress! FYI, Bjorn and I agreed to report monthly so that we stay on track! In my story this time, I will focus more on the research question and scope—because when Bjorn asked about this, I realized how broad the scope was, and honestly, I was a bit confused too.

Background

Indonesia already has the Personal Data Protection Law (UU PDP) and derivative regulations from Bank Indonesia (PADG KKS). However, until now, there has been no specific regulation for the payment industry. This makes it difficult for Payment Service Providers (PJP) to implement data security standards, which can result in differences in implementation and legal uncertainty.

Threats to data security also continue to increase, such as cases of e-commerce and fintech data leaks. There’s already a data security framework in place, but does the industry truly find it clear? The digital payment industry is at risk of losing public trust and facing potential major losses if it turns out that they are not yet clear in implementing this data security law.

Existing Challenges

Globally, security standards such as PCI DSS, ISO 27001, and the NIST Cybersecurity Framework have been implemented in the payment industry. In Indonesia, regulations such as the PDP Law and PADG KKS already exist, but there are still several challenges:

• There is no specific framework governing data security for PJP, because from the latest derivative regulations issued, there is no specific international standard statement that must be adhered to.
• Minimum standards for security technology are still unclear.
• Implementation of regulations in the field still faces obstacles. (To be honest, this is still just my hypothesis—considering that the derivative regulations were only issued on December 31, 2024.)
• Audit and supervision mechanisms are not yet fully effective because the regulations have just been issued.
• Cyber ​​threats are evolving faster than existing regulations.

Research Questions

How to develop a practical data security framework for PJP so that it complies with regulations and is easy to implement? To answer this, the research will focus on:

1. Security standards that have been implemented by PJP and their comparison with global standards.
2. The main components of an effective data security framework.
3. Challenges in implementing security standards.
4. The effectiveness of audit and supervision mechanisms by Bank Indonesia.
5. Technology and best practices that can be implemented by PJP—here, I really hope to get a lot of input from Bjorn because this is his field.

Scope of Research

This research will focus on three types of PJP:

• Banks with digital services such as QRIS and debit/credit cards.
• E-wallets such as GoPay, OVO, and Dana.
• Payment gateways such as Midtrans and Xendit.

Aspects discussed include data encryption, authentication, fraud detection, and compliance with the PDP Law. Research methods include literature studies and interviews with industry practitioners (if possible). Thanks to Bjorn, I’ll try to conduct interviews. To simplify the bureaucracy, I don’t have to interview ‘officials’—instead, I can talk to technical experts who really understand this field.

Expected Impact

The results of this study are expected to:

• Develop a data security framework that can be applied by PJP.
• Provide recommendations for Bank Indonesia in formulating more specific regulations.

Next Steps

Currently, the research is still in its early stages and will continue to be developed with input from Bjorn. The main focus going forward is to get feedback and deepen the literature study related to regulations and best practices in the payment industry.

So stay tuned, guys! Wish me luck—I hope I can do this well!

After last week’s discussion on “what gaps should actually be regulated by regulators?”, this week, I’m diving into various existing technology recommendations based on research that has explored them.

First up: ISO 27001

ISO 27001 seems to be super well-known worldwide in the realm of security technology (forgive me, guys, I just found out about this ISO thanks to KIPP, hehe). But what has it actually done? Based on [this GDPR link] and [this other link], I got a better understanding of why ISO is so essential.

1. ISO 27001 and GDPR

Super relevant to my project since, in a way, it’s like Indonesia’s version of GDPR, especially in the financial sector. Interestingly, the journal I read pointed out that ISO and GDPR share similarities, meaning companies that have already implemented ISO will have an easier time complying with GDPR (yes, ISO really is that meticulous!).

ISO focuses on people, processes, and technology (which, by the way, is also embedded in Bank Indonesia’s regulations, not just GDPR). Another major similarity? The Data Protection Officer (I need to double-check this in BI’s regulations, though). And the most important part? Certification. This serves as proof of compliance with security standards.

That said, GDPR has additional requirements beyond ISO 27001, such as consent, certain rights, and data processing restrictions—which means ISO alone isn’t enough to meet GDPR standards.

2. Case study: Do employees in MSEs actually understand and apply ISO?

Since one of ISO’s three key aspects is people, the real question is: does ISO actually change how people interact with data?

One of the journals I read brought up an interesting theory—“knowledge influences attitudes, which in turn influence behavior.” So? Yep, people need to understand it first!

The research found that ISO helps employees feel more confident in implementing information security and fosters a ‘social pressure’ to comply within the workplace. And—this really clicked with my own thoughts—the journal also highlighted the importance of ongoing education. This means it’s not enough for security standards to be written in big regulatory documents. Even if I propose a framework for technical guidelines, it still won’t be effective unless each PJP (Payment Service Provider) actively promotes and socializes it to their employees.

What about NIST? Should I go deeper into this?

Honestly, I’m a bit torn on whether I should explore NIST further, considering it’s an American government standard(not trying to be political here, but shouldn’t each country have its own standards?).

That said, knowledge-wise, I skimmed some material on NIST, particularly their well-known NIST Cybersecurity Framework (CSF). Turns out, NIST is more technical compared to ISO 27001. The good news? They provide technical guidelines! Which makes it an awesome benchmark reference for my project.

Alright, since this week’s post is already pretty packed, let’s do a deeper dive next week! See you guys!

After previously discussing the Bank Indonesia Regulation (PBI) on Cyber Security and Resilience, in this blog, I want to dive deeper into its derivative regulation, the Member of the Board of Governors Regulation (PADG) on Cyber Security and Resilience (KKS), which provides more detailed guidelines. The key points covered in the PADG include:

1. Purpose & Scope

• Strengthening cyber security and resilience in the financial sector.
• Regulating Payment System Operators (PJP), money market participants, and other entities under BI’s supervision.
• Covering governance, prevention, incident handling, reporting, and sanctions.

2. Cyber Security Governance

• Organizations must develop a KKS strategy & roadmap.
• Conduct regular audits at least once a year (internal or external).
• Provide training & education on cyber security for employees and external partners.

3. Cyber Incident Prevention

• Identify risks & map threats (people, process, technology).
• Protect data & systems (restricted access, encryption, malware detection).
• Conduct real-time threat monitoring & vulnerability testing (at least once a year).

4. Cyber Incident Handling

• Establish a cyber incident response team ready to take action.
• Report incidents to BI (initial notification within 1 hour, full report within 3 days).

5. Sanctions for Violations

• Administrative fines up to IDR 5 million per report.
• Possible sanctions: warnings, temporary suspension, or even license revocation.

6. Collaboration & Information Sharing

• Organizations must share threat information with BI.
• BI has the authority to isolate systems affected by cyberattacks.
• Self-Regulatory Organizations (SROs) are appointed to assist with regulation.

Looking at this regulation, it seems quite comprehensive… but I do see some gaps. So, let’s go back to my dissertation outline.

One key aspect I’m focusing on is the identification and mapping of security standards like ISO 27001, NIST, IEEE, and ECSS. Right now, the KKS regulation does not specify any particular technology standards. My guess? Maybe BI wants to allow PSPs (including PJPs) the flexibility to explore their own technology choices. But is that a good move?

In my opinion, cybersecurity requires clear technical details to address the complexity of modern IT environments. Mtsweni et al. (2018) describe today’s digital landscape as a web of interconnected systems, overlapping processes, and complex organizational structures, much of which operates in a black box. Without well-defined standards, PSPs could implement security measures inconsistently, leading to gaps in protection.

Many studies, including Villalón-Fonseca (2022), emphasize the importance of international standards like ISO 27001, which provides a framework for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Mandating at least a minimum level of compliance with this standard would be a solid step forward. Interestingly, BI’s regulatory counterpart, OJK, has already taken this approach, explicitly requiring ISO 27001 for banks under SEOJK 29 – 03 – 2022.

If we look deeper into the core principles of ISO/IEC 27001, it follows a process-based approach, involving planning, implementation, monitoring, review, and continuous improvement—all centered around risk management. The KKS regulation does mention cyber risk, but it doesn’t specify a clear methodology or require a Statement of Applicability (SoA). It also doesn’t address information asset classification, which is crucial for ensuring structured data governance. Some of these aspects are mentioned in the PADG, but again, not in much detail.

This raises an important question: is the lack of detail because the PADG simply isn’t designed to regulate at that level? If that’s the case, then my research could provide recommendations on which areas need more clarity, so that PJP operators don’t have to “guess” their way through compliance. The goal is to ensure flexibility, while still aligning with international best practices for data protection.

Reference:

Mtsweni, J., Gcaza, N., & Thaba, M. (2018). A unified cybersecurity framework for complex environments. SAICSIT 2018, 26–28 September, Port Elizabeth, South Africa.

Villalón-Fonseca, R. (2022). The nature of security: A conceptual framework for integral-comprehensive modeling of IT security and cybersecurity. Computers & Security, 120, 102805. https://doi.org/10.1016/j.cose.2022.102805

Today Euwyn’s storm kept me company all day. It’s been one of those perfectly gloomy days where the rain seems endless, and the grey skies blend seamlessly with the horizon. While many would consider this the perfect excuse to curl up in bed, I decided to make the most of the cozy vibe. With a hot cup of tea in hand, I tackled the “Bank Indonesia Regulation” on “Cyber Security and Resilience.” Surprisingly, it turned out to be a pretty engaging way to spend my afternoon, especially since it ties directly into my upcoming dissertation preparation, officially starting this May.

From what I’ll focus on in my project, I carved out some key takeaways from the regulation that could form the groundwork for my research:

1. Identification of Security Standards
   The regulation emphasizes the importance of following best practices. While it doesn’t explicitly reference international standards, I think frameworks like ISO 27001 are highly applicable, as they address confidentiality, integrity, and data availability. For my dissertation, I’ll likely analyze the standards mentioned in the regulation, compare them to others like NIST or COBIT, and identify any gaps relevant to the Indonesian context.
2. Framework Design
   The regulation includes essential elements of cyber risk management, such as identifying critical assets, conducting periodic risk assessments, and mitigating threats with tech-driven strategies. This aligns well with my goal to develop a framework that integrates policy and technology, tailored specifically to the needs of PSPs (Payment Service Providers) in Indonesia.
3. Audit and Supervision Procedures
   Another point of interest is the regulation’s requirement for internal and external audits to evaluate compliance with security standards and incident reporting to Bank Indonesia. This could inspire a section in my framework detailing effective audit processes, including incident reporting, key performance indicators (KPIs), and leveraging technology for streamlined oversight.
4. Review of Best Technologies and Procedures
   The regulation encourages the adoption of advanced technologies like encryption, threat detection systems, and real-time monitoring. To deepen my analysis, I’ll explore technologies already used in Indonesia, compare them with global trends, and highlight innovations that could boost security and efficiency for PSPs.

After mapping these points, I realized the scope might be too broad. It’s a good reminder to stick to the plan I’ve laid out in my proposal—focus is key! I’m excited to meet with my supervisor soon to refine what specific aspects to delve into for my framework.

Alright, time to wrap up this post—thanks for sticking with me through these musings! Here’s to more gloomy days turning into productive moments. See you in the next blog post!

…and you can check the regulation here! (but i’m so sorry that it is in Bahasa Indonesia).

The first week of a new semester often brings a mix of curiosity and inspiration. With pre-intensive days for “Digital Democratic Innovation” underway, I’ve been diving into resources that feel unexpectedly connected to my project, “Practical Data Security Framework for Payment Service Providers in Indonesia.” It’s thrilling to see how concepts from seemingly different realms can inform and enrich one another. Let’s explore these connections.

1. Building Trust through Data Transparency
   Transparency lies at the heart of both Digital Democratic Innovation (DDI) and effective governance frameworks. As noted in discussions on democratic participation, transparency fosters trust between institutions and citizens​. For PJPs in Indonesia, integrating transparency—such as publishing public reports on data security practices and responses to cyber incidents—could elevate accountability and demonstrate a commitment to safeguarding user data.
2. Collaboration via Participatory Platforms
   DDIs illustrate the power of participatory platforms to broaden public engagement​. This idea aligns perfectly with the possibility of PJPs using similar platforms to involve users in shaping data security policies or even reporting cyber threats. A collaborative approach not only strengthens defenses but also empowers users as stakeholders in the digital ecosystem.
3. Security as the Foundation for Digital Participation
   A secure digital environment is essential for fostering inclusive participation​. By establishing a robust data security framework, PJPs can enable trust in emerging services like digital wallets. This not only enhances user confidence but also creates a safer space for broader digital engagement—a cornerstone of future innovation.
4. Leveraging Technology for Equity and Inclusion
   DDI emphasizes fairness and inclusion, and technology plays a vital role in leveling the playing field​. By employing advanced tools like AI-driven encryption and decentralized systems, PJPs can ensure equitable protection of personal data, regardless of users’ socio-economic status.
5. Innovative and Decentralized Solutions
   Lessons from platform governance show that decentralized systems, such as blockchain, offer enhanced accountability and efficiency​. Incorporating these into a data security framework could introduce groundbreaking ways to protect user data while maintaining operational resilience.

It’s amazing how DDI principles, designed to enhance democratic engagement, can influence the technical and governance aspects of data security. For me, this connection underscores the beauty of interdisciplinary thinking: the realization that our approaches to governance, innovation, and security can inform and support each other in unexpected ways.

Reference:

• Ansell, C., & Miura, S. (2019). Can the power of platforms be harnessed for governance? Public Administration, 98(1), 261–276.
• Whittington, O. (2022). Democratic innovation and digital participation: Harnessing collective intelligence for 21st-century decision-making. Nesta. ISBN: 978-1-913095-67-3​
• Mikhaylovskaya, A. (2024). Enhancing deliberation with digital democratic innovations. Philosophy & Technology, 37(3), 1–24.
• Escobar, O. (2017). Pluralism and democratic participation: What kind of citizen are citizens invited to be? Contemporary Pragmatism, 14(4), 416–438.

While waiting to pitch to Claire this week, I was triggered to ponder (again).
“Why is Indonesia so often attacked by Ransomware or other cyber attacks?”

I googled it for fun, and the top answer immediately made me nod:
“The region’s growing strategic relevance makes it a prime target for cyberattacks. Cyber resilience is generally low, and countries have varying levels of cyber readiness,” said the Kearney report. And sadly, “there is a lack of strategic mindset, policy preparedness and institutional oversight relating to cybersecurity.”

Ouch, that last part is really true. Even though I’m not from the ministry of communication and information, as a central banker (er, or ex-central banker yes, because now I’m a student again 😅), I still find this sad. I’m still part of the public officials who are responsible, at least morally. That’s why I became curious and tried to explore what’s behind this situation.

The Kearney report also said that the cybersecurity industry in ASEAN still lacks local competence and a comprehensive framework. As a result, the value of risk is often underestimated, and the budget allocated is far from sufficient. Data shows that Indonesia’s spending on cybersecurity is only 0.02% of GDP-the lowest in Southeast Asia.

From there, it’s clear why ASEAN, especially Indonesia, is an easy target for cyber attacks. 😬

Uh, suddenly the pitching time came!

I was nervous too… I was given 3 minutes to pitch about what I’ve learned this semester, and what topic I’m going to raise as a project. But, honestly, I wasn’t too scared. The pitch actually felt like a retelling of what I’ve written on this blog. So, the decision to consistently write every week was never wrong!

And thank God, my proposed project was accepted!

If God permits, I will move forward with the topic of Data Management x Data Governance, which I narrowed down to Data Privacy. After much discussion, I decided to focus on “Practical Data Security Framework for Payment Service Providers (PJPs) in Indonesia.” I’ve been discussing this topic for the past few weeks, so it feels more solid to be the main project.

Yesterday’s pitch also gave me a lot of feedback from Cristian and Claire. Some important notes:

• Cristian: Will probably pair me with a supervisor who understands the technical side. I’ve clarified that I’m not from an IT background, so I don’t understand tech details. But Cristian said it’s really important to have a “broader view.” Technology is a global solution, but in Indonesia there are definitely bias factors-whether it’s political, cultural, or otherwise-that need to be considered.
• Claire: He emphasized the importance of knowing whether the relevant regulations are in place. “The ministry only regulates the amount, so there needs to be derivative regulations.” Claire also asked if I had imagined what the research would be like. Well, to be honest, I haven’t, because I want it to be compact and not complicated (understandably, time is short). But I think a discussion with my supervisor will help me strategize more clearly.
  After that, I immediately told my mentor at the office, and as usual, no-rest-no-rest club! He immediately pointed out the Board of Governors Regulation on Cybersecurity. Of course, this became my mandatory reading material for further study.

Stay tuned for the rest of the story in the next post! ✨

Reference:

https://www.researchgate.net/publication/328848243_A_unified_cybersecurity_framework_for_complex_environments

Hi there! It’s been a while since we caught up!
No one asked, but just so you know—I’m doing well! Although I’m feeling a bit under the weather today, probably because I just finished an intense 10-day study week. But hey, no time to rest; it’s time to start making progress again!

After doing some initial benchmarking to see how other central banks draft regulations on data management—specifically data security—it’s time to dive deeper into the key subtopics I plan to research:

1. Identifying Security Standards — this post will focus on this one
2. Designing a Framework
3. Audit and Monitoring Procedures
4. Reviewing the Best Technologies and Practices

Identifying Security Standards

What exactly are security standards for state organizations?
Simply put, they’re a set of guidelines and best practices designed to protect sensitive and confidential information. These standards help organizations:

• Mitigate risks,
• Reduce vulnerabilities,
• Ensure regulatory compliance,
• Maintain public trust, and
• Avoid legal consequences.

The key phrase here is “set of guidelines and best practices”—and that’s why I’m confident this topic is a great fit for my project. It aligns perfectly with this definition, which I found through my trusted friend: the internet search box.

Diving Into Initial Findings

While exploring security standards for state organizations, I came across a paper that outlines some valuable frameworks applicable to state-level operations (not just for my institution). Here are a few that stood out:

1. ECSS (European Cooperation for Space Standardization):
   Initially created for space systems, ECSS standards are helpful for early-phase security requirements. They emphasize defining security measures like access control, data integrity, and redundancy from the start.
2. IEEE (Institute of Electrical and Electronics Engineers):
   IEEE focuses on security as a non-functional requirement, addressing attributes like protection against unauthorized access, modification, or destruction of data. This includes encryption, integrity checks, and communication restrictions.
3. ISO (International Organization for Standardization):
   ISO offers a broader take on security, especially through standards like:
   • ISO 25010, which highlights information protection, system availability, and secure communication over public networks.
   • ISO 27034, which focuses on application security, advocating risk assessments and security controls tailored to the application’s required trust level.

To narrow down which standards are most relevant for state organizations, it’s crucial to consider the unique context, regulatory requirements, and security needs. Other resources like NIST (National Institute of Standards and Technology) publications could also come in handy for further exploration.

Next Steps?

While I’ve started looking at these standards, I’m holding off on diving too deep into specifics just yet. My next immediate task is to reflect on what I’ve learned during this first semester and decide if I can shape my dissertation topic around Data Governance—specifically focusing on consumer data protection by Payment Service Providers (PJP).

So stay tuned! I’ll share more updates next week.

Reference list:

The Complete List of Data Security , What are information security standards?, Cyber Security Standards

I’m a big believer in small steps. Making progress every day, even just a bit, keeps me going.

Right now, that means immersing myself in my future project for KIPP: ‘Data Security for State Institutions in Indonesia.’ Still, I’m grappling with exactly which aspect of data management I should focus on.

The backbone of my research is the Personal Data Protection Law (UU No. 27 Tahun 2022), which outlines several key security standards for managing personal data. Among these are:

1. Data Protection Impact Assessments – Requires data controllers to conduct risk assessments for large-scale data processing, automated decision-making, new technology, and any processing that restricts data subjects’ rights.
2. Operational Security Measures – Data controllers must ensure data protection through suitable technical measures and security levels aligned with the data’s risk level.
3. Monitoring and Unauthorized Access Prevention – Data controllers should safeguard data confidentiality, oversee third-party involvement, and maintain a robust security system.
4. Purpose-Limited Processing – Ensures data is processed accurately and responsibly to protect the rights of data subjects.
5. Transparency and Accountability – Guarantees open processing practices, provides data access to subjects, and clearly communicates processes in an accessible manner.

For my project, I’m zeroing in on points 2 and 3. I think my ‘future expertise’ could help organizations create a framework for data management practices by Payment Service Providers (we called is as PJP) in Indonesia. Plus, it would establish protocols for monitoring and preventing unauthorized access to meet PDP Law requirements.

Explaining the benchmarking research on BoE: To deepen my understanding, I’ve done some initial benchmarking on data privacy and security management with central banks, specifically the Bank of England, which has been my host during my time here. In the UK, the Information Commissioner’s Office (ICO) oversees Payment Service Providers, similar to how data privacy is regulated by Indonesia’s Ministry of Communication. However, considering recent data breaches back home, it’s clear we have some catching up to do.

Back to the topic! When it comes to PSP oversight and data security standards, BoE has laid out several significant steps:

1. Outsourcing and Third-Party Risk Management [link]:
   • Data Protection in Outsourcing Agreements: Banks and PSPs must define, document, and understand their responsibilities related to data transfers.
   • Rights to Access, Audit, and Information: Banks have the right to access and audit third-party service providers, ensuring their adherence to data security standards.
   • Sub-outsourcing: Banks must ensure that any subcontractors also meet data protection standards.
2. Operational Resilience [link]: BoE emphasizes that PSPs should have resilient systems capable of withstanding disruptions, including personal data breaches.
3. Privacy Policy Commitments [link]: BoE is committed to protecting individual privacy, ensuring personal data processing aligns with established principles.

This benchmarking exercise will be instrumental in shaping my project. I’m likely to cover the following aspects:

• Security Standards Identification
• Framework Design
• Audit and Monitoring Procedures
• Best Practices in Technology and Procedures

I think these steps could serve as practical guidelines not only for the office but also for PJP data protection practices across Indonesia.