Information Technology Risk Management Analysis in the Implementation of Law Number 27 of 2022 Concerning Personal Data Protection at PT XYZ
DOI:
https://doi.org/10.59261/jequi.v8i2.313Keywords:
Risk Management, Personal Data Protection, ISO 31000:2018, Mitigation Strategies, IT Security, ComplianceAbstract
Background: Along with the rapid development of information technology and digitalization, organizations increasingly rely on personal data to support business operations. This reliance also increases the potential risk of data leakage, misuse, and complex cyber-attacks, prompting the Indonesian government to enact Law No. 27 of 2022 on Personal Data Protection (PDP Law). PT XYZ, as a consulting company, faces serious challenges in implementing this regulation, ranging from the vulnerability of information technology infrastructure, the absence of appropriate internal policies, to the low understanding of human resources on data protection practices.
Objective: This research aims to develop internal policies related to personal data management in accordance with the data protection principles of the PDP Law, as well as identify and analyze information technology security risks to formulate mitigation strategies using the ISO 31000:2018 approach
Methods: The methodology used is descriptive qualitative, with data collection techniques through document studies, surveys of employees from various divisions, and direct observation of the current information technology security infrastructure and procedures
Results: The results showed that the company did not have a systematic risk management, the security system still had many gaps such as not using layered authentication or a comprehensive encryption system, and more than half of the employees did not understand the basic principles of the PDP Law
Conclusion: Based on these findings, a mitigation strategy was developed in the form of internal policies governing personal data governance, strengthening IT security systems through encryption technology and role-based access control, and regular training to increase employee awareness. The implementation of this strategy is expected to improve compliance with the PDP Law, avoid administrative sanctions up to a fine of 2% of revenue, and build public trust through safe and reliable personal data management.
Downloads
References
Alrusaini, O. A. (2026). A Hybrid Structural Equation Modeling–Artificial Intelligence Model for Enhancing Cybersecurity of Personal Information in Mobile Applications. International Journal of Human–Computer Interaction, 42(1), 525–540. https://doi.org/10.1080/10447318.2025.2508314
Ayundyahrini, M., Widianti, T., Firdaus, H., Azzumar, M., Ega, A. V., Rakhmawati, T., Damayanti, S., Sumaedi, S., Dinaseviani, A., & Syahlani, N. (2026). A novel risk assessment framework: integrating fuzzy failure mode and effect analysis with ISO 31000 and ISO 9001 standards. International Journal of Quality & Reliability Management, 43(4), 1217–1247.
Barafort, B., Mesquida, A., & Mas, A. (2019). ISO 31000‐based integrated risk management process assessment model for IT organizations. Journal of Software: Evolution and Process, 31(1), e1984.
Bronk, C. (2026). Things Get Cybernetic: How Artificial Intelligence May Impact Cybersecurity. In Cyber Security: Policy and Technology (pp. 155–169). Springer.
Febriansyah, J. P. E., & Kurnia, I. (2026). The Construction of the Consent Principle in the Protection of Medical Personnel’s Personal Data and Its Legal Consequences in Healthcare Practice. JIHK, 7(2), 1181–1196.
Ho, F. N., Ho-Dac, N., & Huang, J. S. (2023). The Effects of Privacy and Data Breaches on Consumers’ Online Self-Disclosure, Protection Behavior, and Message Valence. Sage Open, 13(3). https://doi.org/10.1177/21582440231181395
IBM Security, M. (2023). Cost of a data breach report 2023. Ibm. Com.
Janakiraman, R., Lim, J. H., & Rishika, R. (2018). The effect of a data breach announcement on customer behavior: Evidence from a multichannel retailer. Journal of Marketing, 82(2), 85–105.
Leszkiewicz, A., Sunder, S., Kumar, V., & Dev, C. S. (2026). Customer Acquisition Through Intermediaries (vs. Brand) Shapes Lifetime Value: Evidence From the Hotel Industry. Production and Operations Management, 10591478261437884.
Lund-Tønnesen, J. (2026). Digital surveillance governance: understanding developments in the use of personal data in public sector reform. Public Management Review, 1–28.
Luo, Y., Chen, S., & Zhang, P. (2026). A Review of Research on Data Security Risk: Consequences, Mechanisms, and Response. Journal of Economic Surveys.
Mamuaja, H. B. M., & Cahyono, A. D. (2024). SIOLGA information technology risk management analysis using ISO 31000. Journal of Information Systems and Informatics, 6(1), 57–67.
Mandru, S. kanth. (2024). Privileged Access Management and Regulatory Compliance. Journal of Artificial Intelligence, Machine Learning and Data Science, 2(2), 727–732. https://doi.org/10.51219/JAIMLD/Srikanth-mandru/182
Nasution, E. R., & Harmika, Z. (2025). Perlindungan Hukum Terhadap Nasabah Bank Yang Mengalami Kebocoran Data Pribadi Ditinjau Dari Undang-Undang Nomor 27 Tahun 2022. Innovative: Journal Of Social Science Research, 5(4), 11373–11384.
Schneier, B. (2015). Secrets and lies: digital security in a networked world. John Wiley & Sons.
Songa, A., Rajagukguk, W., & Tewu, D. (2026). An Analysis of Operational Risk Management in the Appointment Process of School Principals at Foundation X Based on ISO 31000: 2018. Indonesian Interdisciplinary Journal of Sharia Economics (IIJSE), 9(1), 8036–8046.
Syrmoudis, E., Luzsa, R., Ehrlich, Y., Agidigbi, D., Kirsch, K., Rudolf, D., Schlaeger, D., Weber, J., & Grossklags, J. (2026). Unlocking personal data from online services: user studies on data export experiences and data transfer scenarios. Human–Computer Interaction, 41(2), 101–125.
Tirrell, Z., Lybrand, S., Soderlund, N., & Parkinson, B. (2026). Accessing the risks: A mixed methods study of risk management in Australian pharmaceutical market access. Health Policy, 105608.
Weinstein, S. (2026). An evaluation of the utility of ISO 31022: 2020 [risk management–guidelines for the management of legal risk] for use by micro-entities. International Review of Law, Computers & Technology, 40(1), 98–119.
Zwilling, M., Klien, G., Lesjak, D., Wiechetek, Ł., Cetin, F., & Basim, H. N. (2022). Cyber Security Awareness, Knowledge and Behavior: A Comparative Study. Journal of Computer Information Systems, 62(1), 82–97. https://doi.org/10.1080/08874417.2020.1712269
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Ervin Hermawan, Nilo Legowo

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA). that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.



