Information Technology Risk Management Analysis in the Implementation of Law Number 27 of 2022 Concerning Personal Data Protection at PT XYZ

Authors

  • Ervin Hermawan Universitas Bina Nusantara
  • Nilo Legowo Universitas Bina Nusantara

DOI:

https://doi.org/10.59261/jequi.v8i2.313

Keywords:

Risk Management, Personal Data Protection, ISO 31000:2018, Mitigation Strategies, IT Security, Compliance

Abstract

Background: Along with the rapid development of information technology and digitalization, organizations increasingly rely on personal data to support business operations. This reliance also increases the potential risk of data leakage, misuse, and complex cyber-attacks, prompting the Indonesian government to enact Law No. 27 of 2022 on Personal Data Protection (PDP Law). PT XYZ, as a consulting company, faces serious challenges in implementing this regulation, ranging from the vulnerability of information technology infrastructure, the absence of appropriate internal policies, to the low understanding of human resources on data protection practices.

Objective: This research aims to develop internal policies related to personal data management in accordance with the data protection principles of the PDP Law, as well as identify and analyze information technology security risks to formulate mitigation strategies using the ISO 31000:2018 approach

Methods: The methodology used is descriptive qualitative, with data collection techniques through document studies, surveys of employees from various divisions, and direct observation of the current information technology security infrastructure and procedures

Results: The results showed that the company did not have a systematic risk management, the security system still had many gaps such as not using layered authentication or a comprehensive encryption system, and more than half of the employees did not understand the basic principles of the PDP Law

Conclusion: Based on these findings, a mitigation strategy was developed in the form of internal policies governing personal data governance, strengthening IT security systems through encryption technology and role-based access control, and regular training to increase employee awareness. The implementation of this strategy is expected to improve compliance with the PDP Law, avoid administrative sanctions up to a fine of 2% of revenue, and build public trust through safe and reliable personal data management.

Downloads

Download data is not yet available.

References

Alrusaini, O. A. (2026). A Hybrid Structural Equation Modeling–Artificial Intelligence Model for Enhancing Cybersecurity of Personal Information in Mobile Applications. International Journal of Human–Computer Interaction, 42(1), 525–540. https://doi.org/10.1080/10447318.2025.2508314

Ayundyahrini, M., Widianti, T., Firdaus, H., Azzumar, M., Ega, A. V., Rakhmawati, T., Damayanti, S., Sumaedi, S., Dinaseviani, A., & Syahlani, N. (2026). A novel risk assessment framework: integrating fuzzy failure mode and effect analysis with ISO 31000 and ISO 9001 standards. International Journal of Quality & Reliability Management, 43(4), 1217–1247.

Barafort, B., Mesquida, A., & Mas, A. (2019). ISO 31000‐based integrated risk management process assessment model for IT organizations. Journal of Software: Evolution and Process, 31(1), e1984.

Bronk, C. (2026). Things Get Cybernetic: How Artificial Intelligence May Impact Cybersecurity. In Cyber Security: Policy and Technology (pp. 155–169). Springer.

Febriansyah, J. P. E., & Kurnia, I. (2026). The Construction of the Consent Principle in the Protection of Medical Personnel’s Personal Data and Its Legal Consequences in Healthcare Practice. JIHK, 7(2), 1181–1196.

Ho, F. N., Ho-Dac, N., & Huang, J. S. (2023). The Effects of Privacy and Data Breaches on Consumers’ Online Self-Disclosure, Protection Behavior, and Message Valence. Sage Open, 13(3). https://doi.org/10.1177/21582440231181395

IBM Security, M. (2023). Cost of a data breach report 2023. Ibm. Com.

Janakiraman, R., Lim, J. H., & Rishika, R. (2018). The effect of a data breach announcement on customer behavior: Evidence from a multichannel retailer. Journal of Marketing, 82(2), 85–105.

Leszkiewicz, A., Sunder, S., Kumar, V., & Dev, C. S. (2026). Customer Acquisition Through Intermediaries (vs. Brand) Shapes Lifetime Value: Evidence From the Hotel Industry. Production and Operations Management, 10591478261437884.

Lund-Tønnesen, J. (2026). Digital surveillance governance: understanding developments in the use of personal data in public sector reform. Public Management Review, 1–28.

Luo, Y., Chen, S., & Zhang, P. (2026). A Review of Research on Data Security Risk: Consequences, Mechanisms, and Response. Journal of Economic Surveys.

Mamuaja, H. B. M., & Cahyono, A. D. (2024). SIOLGA information technology risk management analysis using ISO 31000. Journal of Information Systems and Informatics, 6(1), 57–67.

Mandru, S. kanth. (2024). Privileged Access Management and Regulatory Compliance. Journal of Artificial Intelligence, Machine Learning and Data Science, 2(2), 727–732. https://doi.org/10.51219/JAIMLD/Srikanth-mandru/182

Nasution, E. R., & Harmika, Z. (2025). Perlindungan Hukum Terhadap Nasabah Bank Yang Mengalami Kebocoran Data Pribadi Ditinjau Dari Undang-Undang Nomor 27 Tahun 2022. Innovative: Journal Of Social Science Research, 5(4), 11373–11384.

Schneier, B. (2015). Secrets and lies: digital security in a networked world. John Wiley & Sons.

Songa, A., Rajagukguk, W., & Tewu, D. (2026). An Analysis of Operational Risk Management in the Appointment Process of School Principals at Foundation X Based on ISO 31000: 2018. Indonesian Interdisciplinary Journal of Sharia Economics (IIJSE), 9(1), 8036–8046.

Syrmoudis, E., Luzsa, R., Ehrlich, Y., Agidigbi, D., Kirsch, K., Rudolf, D., Schlaeger, D., Weber, J., & Grossklags, J. (2026). Unlocking personal data from online services: user studies on data export experiences and data transfer scenarios. Human–Computer Interaction, 41(2), 101–125.

Tirrell, Z., Lybrand, S., Soderlund, N., & Parkinson, B. (2026). Accessing the risks: A mixed methods study of risk management in Australian pharmaceutical market access. Health Policy, 105608.

Weinstein, S. (2026). An evaluation of the utility of ISO 31022: 2020 [risk management–guidelines for the management of legal risk] for use by micro-entities. International Review of Law, Computers & Technology, 40(1), 98–119.

Zwilling, M., Klien, G., Lesjak, D., Wiechetek, Ł., Cetin, F., & Basim, H. N. (2022). Cyber Security Awareness, Knowledge and Behavior: A Comparative Study. Journal of Computer Information Systems, 62(1), 82–97. https://doi.org/10.1080/08874417.2020.1712269

Downloads

Published

2026-07-07