In today’s digital economy, personal data is no longer merely an operational concern—it is a strategic asset. For corporations in Indonesia and beyond, the implementation of the Personal Data Protection Law (PDPL) marks a decisive shift: data governance is no longer the sole domain of compliance officers or IT departments—it has become a matter of boardroom oversight.
During the APPDI Webinar held on 7 August 2025, Professor Abu Bakar Munir, a leading authority in Cyber Law and Data Protection, made a compelling case that data protection is, at its core, a corporate governance imperative.
From Compliance to Corporate Duty
According to Professor Munir, embedding data protection into corporate governance frameworks is not a matter of formality—it is central to safeguarding legal standing, managing institutional risk, preserving reputation, and fulfilling the fiduciary duties of company directors.
Quoting international regulators, he highlighted a growing global consensus:
“The board, or highest senior management level, has overall responsibility for data protection and information governance.”
– UK Information Commissioner’s Office
“A key step … is to embed personal data protection into corporate governance.”
– Singapore Personal Data Protection Commission
Data protection, in short, must be led from the top. It is incumbent upon directors and senior executives to appreciate the strategic significance of personal data, recognise evolving regulatory expectations, and understand the risks—legal and reputational—of failing to act.
Why the Boardroom Matters
Professor Munir identified several reasons why data protection must be treated as a board-level concern:
- Oversight of Risk and Compliance – Boards are ultimately responsible for ensuring that legal and regulatory obligations are met.
- Strategic Value of Data – Information assets are now integral to digital transformation, innovation, and competitive differentiation.
- Governance and ESG – Ethical data stewardship enhances public trust and contributes to ESG (Environmental, Social, and Governance) credibility.
- Regulatory Scrutiny – Authorities now demand visible, top-down accountability.
- Prevention Rather Than Cure – Robust governance mitigates the likelihood and severity of data breaches.
As Elizabeth Denham, former UK Information Commissioner, noted:
“Data protection and cybersecurity must be elevated to boardroom visibility and strategic oversight.”
Criminal Liability under the PDPL
Indonesia’s PDPL introduces serious criminal sanctions for the unlawful acquisition, disclosure, or misuse of personal data. These include custodial sentences of up to six years and fines of up to IDR 6 billion.
Significantly, Article 70 of the PDPL extends criminal liability beyond corporate entities to directors, controlling shareholders, beneficial owners, and other members of management. While a corporation may face financial penalties, its directors may be held personally liable for offences committed under their supervision.
Global Precedents for Director Accountability
Professor Munir referenced several international cases where courts have confirmed director-level responsibility for data protection failures:
- Ireland – A director was held personally liable for breaches under the Data Protection Acts 1988 and 2003.
- Germany – The Higher Regional Court in Dresden ruled that managing directors act as data controllers under GDPR and are therefore individually accountable.
- Hong Kong – A director was convicted for failing to comply with a summons from the Privacy Commissioner.
- United States (Delaware) – In Caremark International Inc. Derivative Litigation, the court held that directors may be sued for failing to monitor compliance appropriately.
These cases reflect an unmistakable trend: where data governance fails, the board may answer.
From Risk to Strategic Advantage
While the legal implications are serious, Professor Munir urged businesses not to view data protection solely as a regulatory burden. On the contrary, those who lead in transparency, accountability, and ethical data use will gain competitive advantage.
Firms that embed data protection at the highest levels build stakeholder trust, reinforce their brand reputation, and strengthen their long-term market positioning in an increasingly data-driven environment.
“Data protection starts and ends in the boardroom,” Professor Munir concluded.
“Compliance with data protection laws is the ultimate responsibility of the board of directors.”
In the era of the PDPL, the Indonesian boardroom is no longer just a place for financial oversight—it is the first line of defence, and leadership, in the stewardship of personal data.
Leading with Liability: Data Protection Starts in the Boardroom
by Prof. Abu Bakar Munir