Adapting to Indonesia’s Data Protection Era: How Bank BTN and DSI Lead in Compliance and Innovation

data-protectionAs Indonesia accelerates its digital transformation, the country faces new challenges in ensuring data privacy and regulatory compliance. The introduction of the Personal Data Protection Law (UU PDP) has reshaped how organisations manage, secure, and utilise personal information. During the MINS event hosted by Monash University, Indonesia, leaders from Bank BTN and Data Science Indonesia (DSI) explored how institutions can remain compliant without sacrificing innovation. Their insights reveal how human judgment, technology, and collaboration form the foundation of modern governance.

Moderated by Dr. Muhamad Risqi Saputra, Associate Professor, Master of Data Science at Monash University, Indonesia, the discussion featured two prominent speakers, Indra Hidayatullah, Division Head of Data Management & Analytics Division at PT Bank Tabungan Negara (Persero) Tbk (BTN) and Nabil Muhsin Badjri, President of Data Science Indonesia (DSI). Together, they explored how organizations can balance human expertise and data-driven systems when adapting to evolving regulatory environments.

"'How to Adapt to Changing Regulations: Insights on Human- or Data-Driven Approaches' was a timely and insightful discussion, especially with the implementation of the Personal Data Protection Law (UU PDP) in October 2024. A key takeaway from the event was that while data-driven automation can greatly assist in adapting to regulatory changes, human judgment and insight remain essential. They are crucial for critically assessing the impact of new regulations on business processes and ensuring that companies respond effectively, maintaining compliance without compromising operational efficiency, " said Dr. Muhamad Risqi Saputra, Associate Professor, Master of Data Science, Monash University, Indonesia.

Navigating Complex Regulations in the Digital Era

mins-mdsSpeakers and participants during a Zoom discussion at the MINS event on data science

Unlike private companies, Bank BTN operates under multiple layers of oversight as a state-owned enterprise (BUMN). According to Indra, BTN’s representative, compliance with the Personal Data Protection Law (UU PDP) poses unique challenges.

The law, which includes strict penalties—such as fines of up to 2% of annual profits or even criminal charges—requires organisations to balance human judgment with data-driven systems. BTN addresses this through a hybrid compliance model that integrates human oversight with technological automation. Human judgement is used for interpretation and ethical decision-making, data-driven systems enable automation, monitoring, and documentation.

"We combine human-driven and data-driven approaches to ensure compliance while maintaining operational efficiency," Indra explained.

To strengthen its compliance capability, BTN established a Data Privacy Office (DPO), a dedicated team responsible for ensuring that all departments align with PDP requirements. The bank developed a three-year roadmap focused on people, processes, and technology. This structure covers employee training, workflow design, and technological investments to enhance data protection. Through this initiative, BTN ensures that data privacy is not just a legal obligation but an integral part of its operational culture. The roadmap also includes continuous monitoring and internal evaluation to ensure every department contributes to a compliant and transparent organisation.

DSI's Role in Bridging Policy, Technology, and Civic Collaboration

Nabil, representing Data Science Indonesia (DSI), described how the organisation acts as a think tank and civic foundation promoting responsible adoption of new technologies.

Since 2015, DSI has worked to connect government, industry, and academia, advocating data literacy and digital ethics.

Notably, DSI supported the Coordinating Ministry for Maritime and Investment Affairs (Menko Marves) in simplifying over 27,000 government applications into integrated systems — a major step toward public sector digitalisation.

However, as Nabil highlighted, integration across ministries remains challenging due to bureaucratic silos, differing data ownership, and unclear regulations.

In addition, one recurring issue raised by both BTN and DSI is the lack of detailed technical guidelines in many regulations. Although the PDP Law is comprehensive in its objectives, its implementation framework remains vague.

"We often find ourselves interpreting how to apply the law, benchmarking against international standards like the GDPR," said Nabil. "Without clear technical guidance, each organisation ends up creating its own version of compliance."

He added that AI governance in Indonesia also lacks regulatory clarity. Unlike in the EU or Singapore, Indonesia has yet to establish a dedicated AI authority or regulation, leaving many organisations uncertain about ethical and operational boundaries.

Human and Machine: A Balanced Compliance Strategy

The speakers emphasised that sustainable compliance cannot rely on technology alone. A hybrid model that combines human oversight with automation delivers the most effective outcome. Humans play a crucial role in interpreting ambiguous laws, managing exceptions, and ensuring ethical accountability, while machines handle repetitive processes like data collection, reporting, and auditing. For instance, DSI uses AI-driven tools to assist with compliance reporting under the PDP Law, yet these outputs are still reviewed by legal experts to ensure accuracy and context. This combination allows organisations to operate efficiently while maintaining trust and precision in legal compliance.

Measuring Compliance and Building a Data-Driven Culture

BTN has developed a structured framework to measure its compliance performance. The bank tracks quantitative and qualitative indicators such as the timeliness and accuracy of regulatory reports, the completion rate of internal and external audits, employee participation in compliance training, and the number of fraud or misconduct incidents. Beyond metrics, BTN and DSI both believe that lasting compliance must be rooted in culture. Employees are encouraged to engage with data daily, making data-driven thinking a natural part of decision-making.

At BTN, staff are expected to start their day by reviewing data dashboards and reports that reflect their performance. To support this, the bank employs a decentralised governance model in which each branch has a designated Data Ranger responsible for promoting data literacy and maintaining local data accuracy. Sandbox environments also allow experimentation with analytics tools in a controlled, compliant setting, further embedding a culture of data-driven accountability.

Strengthening Relationships with Regulators

A productive relationship with regulators is critical to sustaining compliance. BTN maintains regular communication through dedicated liaison officers, periodic progress meetings, and participation in industry forums hosted by the Ministry of State-Owned Enterprises (BUMN), OJK, and other government bodies. This ensures transparency and alignment in policy interpretation.

Meanwhile, DSI plays a complementary role by engaging as part of civil society, participating in consultations, sharing insights in public discussions, and supporting ministries through pilot projects that help turn regulations into practical solutions. Both institutions recognise that collaboration and dialogue are essential to ensure that regulations remain relevant and implementable.

The Future of Regulation: Inclusion, Consistency, and Machine Readability

Looking ahead, both experts emphasised the need for Indonesia’s regulatory system to evolve in three key areas:

  • Inclusive policymaking, where government, industry, academia, and civic groups are all involved early in the drafting process.
  • Consistency across ministries, to avoid conflicting interpretations that often create confusion for organisations.
  • Machine-readable regulations, enabling automation and digital accessibility that could streamline compliance processes.

As Indra concluded, "Regulations should be made with all stakeholders involved, so when implementation begins, we move forward together—without back and forth."

Indonesia’s journey toward strong data protection and governance is just beginning. Organisations like BTN and DSI show that compliance is not a barrier, but a foundation for innovation, transparency, and public trust. As technology evolves, so must the frameworks that protect data and empower responsible progress.