Data Protection Officer Certification Workshop

The economic and political impact of controlling personal data created the need to regulate organisations and individuals involved in collecting, storing, processing and transferring such data. Jurisdictions across the world have enacted data protection laws with extra-territorial applications. Indonesia is no exception in adapting and responding to this global phenomenon in this 4th Industrial Revolution era. The largest South East Asian economy will have its own personal data protection law (Undang-Undang Perlindungan Data Pribadi) that adopts EU GDPR approach. Under the new Indonesian personal data protection law, organisations will be required to consult with Data Protection Officer (DPO) to ensure compliance, evaluating the impact in the use of personal data, as well as handling personal data breaches. DPO is a new profession, especially in Indonesia. The legal requirement for companies to have in-house DPO or employ the services of external professional DPO has created an increasing demand for DPO in the job market. Companies are investing in building their personal data protection department and law firms are expanding their services to respond to their clients’ need in personal data protection related matters. Schinder is proud to organise the first DPO Certification Workshop in Indonesia. The Workshop will be facilitated by prominent international expert in personal data protection laws and designed to provide detailed understanding on the subject under local laws and international best practice. Upon the completion of the Workshop, participants will have the required skills and expertise to act as professional DPO.

Course Description
The proposed Personal Data Protection Act (PDPA) provides a comprehensive framework for the processing of personal data. This framework balances the legitimate needs of organisations to collect and process data against the rights of individuals. The law sets out new duties and obligations on companies and organizations in the country. Similarly, customers and employees are given certain rights in relation to their personal data. More importantly, companies and organisations can be held criminally liable for their action or inaction under the law. The PDPA is the beginning of the end of business as usual as far as data processing is concerned. A good corporate governance in an organisation will often involve the preparation towards compliance with new rules and regulation. Failure to do so will have serious implication on the top management as any breaches of the PDPA by an organization may give rise to the allegations that the management and officers are in breach of their duties. And the first step to ensuring compliance is to understand the legislation.

Learning Objectives/Outcome
At the end of the course, the participants will: • Acquire a thorough understanding of the basic concepts and components of the International Data Protection legal regime • Acquire a thorough understanding of the data protection laws of Asia Pacific Countries and their similarities /differences with the EU-GDPR (gold standard) • Acquire an in-depth knowledge of the Personal Data Protection Act • Acquire a thorough understanding of the concepts, approaches, methods and techniques for the effective protection of personal data • Interpret the data protection requirements in the specific context of an organisation • Develop the expertise to support an organisation to plan, implement, manage, monitor and maintain ongoing compliance to the Personal Data Protection Act. • Qualify to become a certified Data Protection Officer

Educational Approach
This training, which is international in nature, is based on both the legislation and best practices • Lecture sessions are illustrated with practical questions and examples • Practical exercises include real-life examples, group discussion and role play • Simulations

Who should attend?
• Project managers or consultants seeking to prepare and support an organisation in planning, implementing, and maintaining a compliance program based on the PDPA • Data Protection Officers (DPO) and Senior Managers responsible for the personal data protection matters and risk management • Members of an information security, incident management and business continuity team • Expert advisors involved in security of personal data • Technical experts and compliance experts seeking to prepare for a Data Protection Officer role • Any individual who would like to acquire new knowledge

• Introduction to Privacy and Data Protection • Definitions and Concept • Different Types of Privacy • Privacy as Human Rights • The Right to Privacy in Indonesia • Business Case for Data Protection

• International, Regional and National Data Protection Regime • OECD Guidelines and the data protection principles • Council of Europe Convention • EU GDPR • Data Protection law in Asia • EU GDPR vs. Asian Law

Module III:

• Applicability of the PDPA, Personal Data, Sensitive Data, Data Controllers and Data Processor, etc • Terms and Definitions • Applicability and non-applicability of the PDPA and Its impacts • Personal Data/Sensitive Data and the Processing • Data Users and Data Processors • Outsourcing agreements/contracts

Module IV:

• Data Protection Rules and Principles • Interpretations of the Principles • Impacts on companies • What to do to comply? • Exceptions • Things to Avoid

Module V:

• Privacy Policy/Statement • A Good Privacy Policy: Some Basics • Top Tips to Develop a Good Privacy Policy • Content of Privacy Policy • Layered Privacy Policy/Statement • Developing a Privacy Policy: Some Guidelines • Case Studies • Developing A Good Privacy Policy: Exercise

• Rights of Data Subject • The rights of data subject • Specific requirements • What companies must do? • Exceptions • Things to Avoid

• Security of Processing/Managing Data Breaches • What companies must do to comply with all the principles? • What amount to data breaches? • Data Breach Notification • Data Breach Response Plan • How to develop security policy?

Module VIII:

• International Data Transfers • The Rules in other jurisdictions • APEC Cross-Border Privacy Rules (CBPR) • How Indonesia will assess “adequacy”? • Assessing “adequacy” in other Jurisdictions: EU GDPR, Singapore, etc • Developing Data Transfer Contract: Exercise • Transfer of data within group of companies: Binding Corporate Rules • Developing Binding Corporate Rules: Exercise

Module IX:

• Supervisions and Enforcement • Duties, Functions and Powers of the Supervisory Authority • Redress for non-compliance • Steps to Implement the Law • Things to Avoid • A quick “How to Comply” checklist

• Data Protection Officer (DPO) • Designation of a DPO • Position of the DPO • Tasks of the DPO • What Companies must do to support the DPO? • Other matters concerning the DPO

Professor Abu Bakar Munir is an internationally renowned scholar, expert and consultant on Cyber Law and Data Protection Law. He was a Professor of Law at the Faculty of Law, University of Malaya. He is currently a Visiting Professor at the Atmajaya University, Jakarta.

He is also the Legal Adviser and Data Protection Consultant to the Straits Interactive Pte. Ltd., Singapore, Senior Adviser to the Schinder Law Firm, Jakarta, a member of the Academic Advisory Council of the Asia Pacific Institute for Digital Economy, (APIDE) Tokyo, and a member of the Asian Privacy Scholars Network (APSN), Australia.

He is the co-founder and director of the Bali International Arbitration and Mediation Center and the founder and Principal Consultant of the Data Protection Sdn. Bhd.

Professor Abu Bakar is the author of several books; Privatization (1992), Cyberlaw: Policies and Challenges (1999), Privacy and Data Protection (2002), Internet Banking: Law and Practice (2004), and Information and Communication Technology Law: State, Internet and Information (2010), Personal Data Protection in Malaysia: Law and Practice (2010), Data Protection Law in Asia (2014) and Data Protection Law in Asia (second edition 2018).

He also widely publishes numerous articles on several aspects of ICT law and data protection law. He speaks extensively at seminars, workshop and conferences around the world including those organised/hosted by universities such as the NUS, Oxford, Cambridge, MIT, etc. Google, Facebook, Microsoft, Yahoo are amongst the participants of his talks and presentations. He represented Asia in the Europe – Asia Dialogue on the Digital Economy at the Johns Hopkins University in Washington D.C. Professor Abu Bakar Munir has been far and wide consulted by the governments and private entities in Malaysia and around the globe. Amongst the companies are TM, Chartis Insurance, POS Malaysia, PKNS, CIMB, Bank Negara, ELM of Saudi Arabia and many more.

He was appointed the Adviser to the Government of Malaysia and was instrumental in the crafting and passing of the Malaysian Personal Data Protection Act 2010. He was seconded as the IT Law Adviser and Principal Consultant to the Government of Dubai, UAE where he led an international team of consultants in developing and drafting several IT legislations to facilitate the Dubai Internet City, a multi-billion-dollar IT project.

He is currently assisting the Government of Indonesia in developing the personal data protection law for the country. He was a Council Member of the Asia Pacific Privacy Charter Council (APPCC) and the recipient ofthe Malaysia Cyber Security Awards (Minister’s Award) 2010 and the Malaysia Cyber Security, (Information Security Visionary of the Year) Award 2010.

His other areas of specialization include the Air and Space Law, Child law, Evidence Law, Nanotechnology Law and Policy, and Renewable Energy Law and Policy. He has published numerous articles on these subjects. His work, “Renewables: Solar Energy Needs Focus” was published in Nature in January 2016.