Sage Journals: Discover world-class research

Abstract

Over the past decade, Indonesia has witnessed a surge in data breaches, raising questions about its data-protection approach. Notable breaches include those in the health, energy, utility, e-commerce, and financial sectors. Recognising this precarious situation, the government passed Law No. 27 of 2022 on Personal Data Protection (UU PDP) in 2022, emphasising individual data rights and promoting accountability among data controllers. This case study describes the data governance, focussing on the Indonesian insurance firm, TruMe Life (pseudonymised), which adheres to international standards and Indonesia’s UU PDP. This case underscores the criticality of robust data governance in ensuring compliance and operational efficiency and bolstering customer trust in insurance, culminating in implications for research and industry practices.

Keywords

Data governance insurance personal data protection risk management Indonesia biographical note

Introduction

Within the past five years, a significant increase in data breaches has been observed in Indonesia, highlighting concerns regarding the country’s approach to data protection (Bestari, 2023). These concerns were further accentuated in 2022, as there was a notable uptick in incidents spanning various sectors and institutions (CNN Indonesia, 2022; CN Indonesia, 2022). Several notable occurrences involve the breach of security in the electronic health alert card (e-HAC) system, an infrastructure developed by the Ministry of Health to safeguard critical health information (Nugraha and Bhwana, 2021). An additional concern occurred at PT Pertamina Training and Consulting, a prominent energy industry entity, wherein sensitive information on job candidates was compromised (Riyanto and Pertiwi, 2022). Likewise, the Social Security Administrator for Health experienced a negative impact, indicating the susceptibility of the healthcare industry (BBC Indonesia, 2021).

Indonesian enterprises have also been affected. The disclosure of sensitive information from more than 21,000 companies underscores the significant challenges in cybersecurity (BBC Indonesia, 2022). Critical utility providers are also included. The confidential information of 17 million customers serviced by the state electricity company (PLN) was potentially vulnerable (Anam, 2022). Similarly, 26 million IndiHome users have encountered imminent digital identity and security risks (Bestari, 2022). The Jasa Marga Toll-Road operator, a key player in the infrastructure industry, experienced a significant security incident, resulting in unauthorised access to a substantial amount of user data amounting to 252 GB (CNN Indonesia, 2022). Key industries such as e-commerce and finance also experienced this impact. Security loopholes on Tokopedia, a prominent online platform, and Bank Rakyat Indonesia (BRI) Life have potentially eroded confidence in digital transactions (CNBC Indonesia, 2020; Rosana and Hidayat, 2021).

Changes often unfold gradually and are complex. When Indonesia sought to introduce data protection regulations in 2022, it culminated in a 10-year journey from conception to legal implementation. This will be followed by a 2-year transition period to lay the groundwork for necessary enforcement structures (Perdana et al., 2023). Recognising the increasing incidence of data breaches, the Indonesian government has taken decisive steps to address these vulnerabilities and bolster data security. Law No. 27 of 2022 on Personal Data Protection (UU PDP) was formally introduced on 17 October 2022¹. This legislation serves as a guideline for individuals and government agencies to diligently manage and protect personal data.

According to the UU PDP, the term ‘personal data’ is defined explicitly as encompassing any information pertaining to an individual, regardless of whether it is obtained directly or indirectly via electronic or non-electronic methods (Indonesian Law on Personal Data Protection, 2022). This comprehensive perspective guarantees adherence to legal mandates across various data acquisition methods, offering robust protection. The legislation places significant importance on safeguarding the rights of individuals whose data undergo processing, referred to as ‘data subjects’. It delineates explicit entitlements, empowering individuals to exercise authority over and comprehend the utilisation of their data. Legislation aims to promote accountability and openness among data controllers.

It is crucial to acknowledge that this legislation underscores that safeguarding personal data is not merely a matter of compliance but an inherent and essential human right. This principle was firmly established under Article 28G of the 1945 Constitution, which affirms the fundamental right to data protection². Through the alignment of the UU PDP with the Constitution, the nation demonstrates its steadfast dedication to safeguarding the digital rights of its citizens. Indonesia demonstrates its firm commitment to aligning its legal framework with the evolving demands of the digital era by embarking on the UU PDP. It focuses on promoting the digital security of its citizens, enabling them to navigate the online space confidently.

In light of this context, our case study examines the implementation of personal data protection laws, and optimal approaches to data governance, emphasising the need to secure sensitive information on insurance customers. The analysis centres on the Indonesian insurance firm TruMe Life. The company prioritises data privacy as its foremost concern and adheres to internationally recognised standards such as Internationally recognised Information Security Standard (InfoSec) or Information Security Management Systems and Indonesia’s UU PDP.

There are instances of criminal violations in the cybercrime domain regarding protecting personal data in the current situation. It opens up a view on the importance of aspects of personal data protection. This protection is one of the human rights which is a part of personal self-protection. Data governance is vital to the data life cycle, particularly in data science applications (Abraham et al., 2019; Janssen et al., 2020). Primarily, it upholds integrity by guaranteeing the continuous consistency and accuracy of data throughout its entire lifecycle, from initial creation to its eventual archival and deletion. The precision of information is not solely founded on ethical grounds; it is also a legal necessity. By implementing effective data governance practices, organisations can ensure adherence to various regulatory requirements, mitigating the risk of incurring significant penalties associated with non-compliance.

In addition, the operational efficiency was further enhanced. An effectively managed and sanitised dataset significantly improves the analytical process, enabling more insightful and informed decision-making. This comprehensive approach to data governance reduces risks by lowering the likelihood of data breaches, which can lead to financial liability and reputational damage (Onwujekwe et al., 2019). It is also essential to note that implementing robust data governance practices can significantly enhance the reusability of data, a potential advantage that is often overlooked. When data are effectively governed, they become readily adaptable across diverse applications, enhancing their intrinsic value and utility.

Following the above background, we address critical practices in protecting insurance customer data through data governance in this case study. Our case is based on an insurance company in Indonesia, TruMe Life. The case begins by highlighting the urgent need for Personal Data Protection in Insurance, which is crucial to customer trust and compliance. It explores TruMe Life Insurance’s commitment to data security in a rapidly evolving digital world. We then present an in-depth analysis of the International Organisation for Standardisation (ISO) Principles of Implementation at TruMe Life, offering insights into how these principles fortify a company’s data-management processes. Subsequently, we detail their Legal Risk Management in Data Governance, focussing on strategies to tackle the legal challenges in data protection. The case further discusses TruMe’s comprehensive Data Governance methods to safeguard data integrity. Engaging readers, we pose Discussion Questions to address the broader challenges of data governance in insurance. We conclude by emphasising the impact of solid data governance on research and insurance practices.

The urgency of personal data protection in insurance companies

The enactment of the General Data Protection Regulation (GDPR) by the European Union on 25 May 2018, profoundly impacted the global digital ecosystem³. This groundbreaking regulatory framework aims to align individual privacy rights with the contemporary landscape of data collection practices. The GDPR imposes significant penalties for non-compliance by emphasising the importance of organisational accountability, transparency in complying with regulations, and safeguarding individual rights. While this regulation sets a high standard for global data privacy reforms, it recognises the need to accommodate sectors such as insurance, which may have distinct data processing requirements.

Insurance companies deal with vital information for underwriting and processing claims. The insurance sector’s close association with personal data makes governance critical. Talesh (2018) highlights that insurance firms must focus on data protection. Breaches, however, marred the industry (Heald, 2017; Marano, 2019). The rise of big data, which offers granular insights into individuals, intensifies these concerns (Costa-Cabral, 2016). Manko (2023) elucidates the interplay between big data and data protection within insurance firms. For instance, auto insurance providers now, harness in-vehicle monitoring systems or mobile data, sometimes infringing on personal privacy. There is a growing sentiment that consumers feel compelled to trade off their privacy for better insurance premiums, which presents an ethical dilemma for insurers. The industry may face challenges owing to the GDPR’s requirement for explicit consent in processing specific personal data. In response to this matter, the United Kingdom, in collaboration with insurance industry participants, enacted regulations authorising insurers to engage in limited data processing activities without explicit consent, provided that they aligned with legitimate insurance operations and public welfare⁴.

Turning our attention to Indonesia, despite the implementation of Law No. 27 of 2022 on Personal Data Protection, there seems to be a notable absence of robust enforcement measures. Public data security is at risk as it is vulnerable to unauthorised access and potential trading activities. The insurance industry in Indonesia, which handles confidential information such as medical records and asset information, is also vulnerable to these risks. Law No. 4 of 2023 on the Developing and Strengthening the Financial Sector incorporates specific provisions to ensure the security and confidentiality of the personal information held by insurance companies and other financial institutions⁵. Failure to comply may result in significant legal consequences.

Insurance companies in Indonesia must exhibit a high level of vigilance in protecting data, given their crucial role in the field and maintaining their customers’ trust in the industry. Failure to safeguard personal data can seriously harm reputation and integrity. In light of the growing emphasis on data protection on a global scale, exemplified by regulatory measures such as the GDPR, the Indonesian insurance industry must proactively align itself with international benchmarks to meet requisite standards. This convergence of global and local perspectives underscores the importance of adopting a sophisticated industry-tailored strategy to safeguard data privacy. It is critical to establish comprehensive security measures that effectively safeguard sensitive information while considering the unique demands of each sector.

In Indonesia, insurance entities typically function within Non-Bank Financial Service Institutions (NBFI) ecosystems (Khumaedy, 2015), which often entails sharing customer data. A notable example is Bank Negara Indonesia (BNI), which shares customer data with its affiliates, BNI Life, and Cigna Insurance⁶. When banking and insurance products converge in the same business environment, customers find themselves providing repetitive personal information. To streamline and safeguard this data interchange, The Financial Service Authority (OJK) in Indonesia mandates that NBFIs follow guidelines to oversee every facet of data management, from collection to processing and eventual disclosure, and always ensure consumer consent⁷. In addition to the UU PDP, numerous other laws and regulations have fortified personal data protection in Indonesia.

a. Law Number 8 of 1999 concerning Customer Protection focuses on customer rights and ensures that businesses treat them fairly⁸.

b. Law Number 39 of 1999 concerning Human Rights: A law that spells out the fundamental rights and freedoms everyone in the country should experience⁹.

c. Law Number 23 of 2006 and its amendment in 2013 (Law Number 24): These laws discuss how the government should manage and handle population data. The 2013 amendment updated or changed the original law of 2006¹⁰.

d. Law Number 11 of 2008 and its amendment in 2016 (Law Number 19): These laws guide the management of information and electronic transactions. The 2016 amendment updated the original laws in 2008¹¹.

e. Law Number 14 of 2008 Concerning Public Information Disclosure: This law ensures that public information is accessible and transparent to public matters¹².

f. Regulation of the Ministry of Communication and Informatics Number 20 of 2016 deals with protecting personal data when it is stored or used in electronic systems such as computers or online platforms¹³.

To protect insurance customers’ data, specific regulations from the Financial Supervisory Authority (POJK) exist.

a. POJK Number 69/POJK.05/2016: This is about how insurance companies, including their Sharia versions and reinsurance firms, should conduct their businesses¹⁴.

b. POJK Number 4/POJK.05/2021: This ensures that non-bank financial institutions use technology safely and manage associated risks¹⁵.

c. POJK Number 6/POJK.07/2022: Focuses on ensuring that consumers and the general community are protected when dealing with or using financial services¹⁶.

d. POJK Number 11/POJK.03/2022: This regulation concerns about the information technology implementation by commercial banks¹⁷.

e. POJK Number 22 of 2023: This regulation ensures consumer protection and society in the financial services sector¹⁸.

Established laws and regulations safeguard individuals’ rights and data, particularly when interfacing with business entities, technological platforms, and financial institutions (Jannah, 2022). They delineated the standards and protocols that these establishments must adhere to, in their operations to ensure the well-being of their clientele. Despite the rigorous precautionary measures taken by both banking and non-banking financial service providers, breaches involving customer data leaks remain persistent. For instance, when insurance contracts reach their termination, either because of the completion of the stipulated insurance duration or the unfortunate demise of the insured, insurance firms implement specific protocols to expunge the personal data of the insured. However, the measures often fall short, as evidenced by recurring episodes of unauthorised personal data disclosure¹⁹.

The introduction of UU PDP is challenging. A prominent concern lies in how the government administers private data of its residents for communal objectives. Regrettably, public and governmental agencies display a muted awareness of the nuances of personal data protection. Such a gap in comprehension increases the risk of malevolent activities, including but not limited to bullying, fraud, and unwarranted account access threats. Moreover, lackluster oversight by governmental bodies and ineffective internal corporate safeguards occasionally culminates in the unintended release of sensitive data encompassing consumers, clients, and staff. Such lapses mirror a deficit in robust corporate governance and indicate a casual approach towards personal data security, setting various stakeholders on a collision course with potential legal repercussions.

The case – TruMe Life Insurance and its commitment to data privacy and security

TruMe Life Insurance embarked on its journey in 2011. Transformational changes have occurred over time. Notably, in 2017, a prominent U.S.-based global investment firm acquired 48% of its shares, fortifying its position in the industry, whereas the founder retained a majority stake of 52%. Since its establishment in 2011, TruMe Life has remained steady in its dedication to safeguarding data privacy. The company diligently adheres to stringent data security protocols and fully complies with the InfoSec mandated by a major U.S. shareholder. In addition, TruMe Life demonstrates rigorous adherence to the regulatory framework implemented by the UU PDP and the Ministry of Communications and Information Technology, emphasising the proper management and protection of personal data on electronic platforms.

Ensuring electronically stored customer information protection is not merely an option for companies such as TruMe Life but is essential. This entails acquiring certifications to verify the compatibility of the electronic systems. Moreover, implementing rigorous corporate governance, unwavering operating protocols, and regular audits are crucial to safeguarding personal data with the utmost integrity. Upon the expiration of an insurance contract or the occurrence of an insured event, a standard protocol is used to systematically remove customer data from the system. Nevertheless, the advent of the digital era has presented certain obstacles. Deleted data, especially information related to previous customers that contains valuable commercial data, remain vulnerable to unauthorised access, thus presenting an enticing opportunity for malicious individuals. Despite TruMe Life’s thoroughness in ensuring compliance, attaining optimal security for this data can prove challenging, given technical limitations and the necessary trade off between security and the company’s operational parameters.

Although TruMe Life has maintained a record of legal compliance regarding customer data deletion over the past decade, the company acknowledges the importance of adopting a precautionary approach to ensure optimal security. Following risk-management principles, businesses must anticipate potential challenges and devise strategies to circumvent them. Failure to comply, on the other hand, carries not only legal consequences but also the potential to damage a company’s corporate governance and, perhaps more significantly, its standing and credibility. TruMe Life is dedicated to enhancing and optimising its data management protocols, seeking a comprehensive strategy that encompasses the secure deletion and disposal of data while ensuring compliance with applicable regulations and preserving its esteemed standing in the industry.

International organisation for standardisation (ISO) principles implementation at TruMe Life

In less than a decade, the importance of understanding and managing legal risk has emerged. Only a handful truly grasped the concept at the dawn of this era, often relegating it to a generic risk category explored through age-old risk management paradigms. Deloitte, an industry leader, was among the pioneers in crafting a framework for comprehensively managing legal risks, adapting the universal Plan-Do-Check-Action management paradigm to create their Identify-Assess-Control-Monitor-Report approach²⁰. However, the momentum continues to increase. Legal risk management has become an essential training material today, with diverse organisations recognising its importance in their overall risk strategies.

Legal risk, nestled under the umbrella of operational risk, often emerges from a company’s operational endeavours. This could encompass various facets of agreements with third parties, jurisdictional issues, legal ambiguities, and potential hindrances to settling legal claims or disputes. The financial sector is particularly vulnerable to such risks. The ripple effects of legal risks, however, extend beyond country-to-country interactions and also affect individual businesses. Pritchard (2018) emphasises that these risks can dramatically reshape micro-level business operations beyond macro-level international disputes. Recognising the burgeoning importance of legal risk, ISO, the globally acclaimed standardisation body, released ISO 31000:2018²¹, which is dedicated to Risk Management. Further homing in on the subject, they unveiled ISO 31022:2020²², which is dedicated explicitly to legal risk management. This standard offers organisations a robust guideline for navigating treacherous waters of legal risk tailored to individual and organisational needs (Barafort et al., 2017).

These eight principles (refer to Table 1) represent the core values and guidelines introduced in ISO 31000, centering around the pivotal concept of ‘value creation and protection’. This concept is the driving force behind the principles listed in the Table 1. For a company such as TruMe Life, where the inherent business model involves absorbing customer risks, it is imperative to uphold impeccable risk-management standards. With the approval from the OJK as the regulator, TruMe Life embraced the ISO framework, blending it seamlessly with the risk management protocols of its global parent company.

As articulated in ISO 31022:2020, the essence of legal risk management pivots around three cornerstones: principles, processes, and implementations. The objective of risk management is to create and protect value. To achieve this goal, principles are needed to guide risk management and the impact of uncertainty in achieving goals or objectives. ISO 31022:2020 refers to the principles introduced in ISO 31000:2018 and is listed in Table 1. TruMe Life’s data governance approach exemplifies solid adherence to the principles outlined in ISO 31022:2020, serving as a fundamental driver for consistent success. This alignment is evident across multiple facets of a company’s operational landscape and strategic perspectives.

Table 1.

ISO 31022:2020 supporting risk principles.

Aspect	Description
1. Integrated	Legal risk management is an integrated part of all organisational activities
2. Structured and comprehensive	A structured and comprehensive approach to legal risk management delivers consistent and comparable results
3. Customised	Legal risk management frameworks and processes should be tailored to their users and proportionate to the internal and external context and the associated objectives
4. Inclusive	Adequate and timely stakeholder engagement will enable them to share their knowledge, views, and perceptions for consideration. This can increase awareness regarding the implementation of legal risk management
5. Dynamic	Legal risks can arise, change, or disappear due to external and internal changes. Legal risk management should anticipate, understand, and address changes and events as they occur
6. Best available information	Inputs refer to historical, current information and future predictions. Information should be timely, transparent, and available to relevant stakeholders despite limitations and uncertainties
7. Human and cultural factors	Implementing legal risk management at every level is greatly influenced by culture and human behaviour
8. Continual improvement	Making continuous improvements based on experience and lessons learned is an integral part of the legal risk management process

TruMe Life demonstrates a comprehensive dedication to data governance by incorporating legal risk management into all operations. Instead of treating data governance as a distinct entity, the company seamlessly incorporates it into its core operations. This deep integration, combined with a methodical approach, guarantees that the importance of data protection and compliance is consistently prioritised across all levels of the organisation, spanning from high-level business strategies to the most granular daily operations. The deliberate integration of operational activities within a well-defined framework for data governance establishes a reliable ecosystem characterised by systematic data management, processing, and safeguarding, cultivating an environment rooted in trust.

TruMe Life implemented a customised risk-management framework to understand the limitations of standardised solutions in the intricate field of data analysis. This tailored approach guarantees flexibility and pertinence in data governance, mainly when dealing with distinctive issues such as potential data vulnerability after deletion. Additionally, TruMe Life ensures a comprehensive and well-informed data governance strategy by involving a wide range of stakeholders, including major shareholders and regulatory entities in its decision-making processes. Implementing an all-encompassing strategy guarantees adherence and establishes a resilient governance framework that proactively addresses a wide range of potential concerns.

Static governance strategies have become obsolete in today’s rapidly evolving digital environment. TruMe Life displays a solid commitment to flexibility, allowing its governance to adjust quickly and thrive in response to evolving technological challenges and advancements. In addition to the company’s dynamism, it strongly emphasises leveraging the most up-to-date and high-quality information available. TruMe Life maintains a careful commitment to standards like InfoSec and relevant regulatory frameworks, allowing us to make prompt, well-informed, and forward-looking data governance decisions.

At the core of TruMe Life’s governing principles lies the recognition that the proficiency of individuals is pivotal in determining the efficacy of technology and processes. Organisations can establish a compliance system that is intuitive and effective by placing a strong emphasis on human behaviour and cultural values. This approach fosters an organisational culture demonstrating innate respect for and commitment to maintaining data integrity and security. At the organisation’s core is an enduring dedication to pursuing ongoing enhancements. Continuously improving and strengthening its governance strategies, TruMe Life not only ensures current compliance but also solidifies its position as an industry leader in data governance best practices.

The approach to legal risk management concerning data governance at TruMe Life

TruMe Life prioritises the satisfaction and well-being of its customers and stakeholders, going above and beyond the expectations of traditional service delivery. Fundamentally, this involves comprehending an extensive range of legal liabilities and adeptly managing through them. This diligent approach to mitigating legal risks is not an occasional undertaking but an ongoing endeavour permeating every aspect of our organisational operations.

To gain a comprehensive perspective on risk management, TruMe Life thoroughly investigated both external and internal operational environments. The external environment is extensive, involving local and international legislative changes, intricate dealings with labour unions, and collaborations with employer associations. It is essential to consider international agreements, the ever-evolving market dynamics pertaining to the insurance industry, any third-party activities or claims, and various regulations of the countries in which they operate. In addition to addressing operational aspects, TruMe actively considers the feedback and perspectives of external stakeholders and incorporates them into its comprehensive risk-assessment framework.

Internally, the process begins with a comprehensive understanding of the distinctive organisational attributes inherent to TruMe Life. This encompasses various aspects, such as progressive business frameworks, solid financial health, streamlined operational procedures, adherence to governance protocols, and nuanced aspects of current risk mitigation measures. The company conducted a thorough assessment of its contractual agreements and labour-related intricacies to ensure that a comprehensive analysis was conducted. TruMe Life then proceeds to delineate the parameters for carefully assessing legal risks. These benchmarks are neither random nor arbitrary; they are indicative of the company’s larger risk management objectives, which have been aligned with its comprehensive legal risk policy.

Building on a solid framework, TruMe Life thoroughly evaluates and addresses legal risks. This involves identifying potential risks that may impact organisational objectives. In addition to identification, there is a focus on comprehending the interdependent connection between legal risks and various operational difficulties. Mitigating these identified risks constitutes the sequential critical phase. TruMe Life acknowledges the significance of this procedure. They explored a spectrum of treatment options, from comprehensive risk avoidance to strategic risk retention, consistently prioritising the prevention of unanticipated legal consequences. TruMe Life draws on its internal expertise and external professionals’ knowledge and insight to gain a well-rounded perspective in this phase.

In TruMe Life, effective communication is vital as the cornerstone of the risk management process rather than being viewed as a mere function. They have fostered effective lines of communication, ensuring that every subtle risk observation is promptly shared and communicated to the appropriate departments within the organisation. In addition to communication, implementing legal risk management is also complex. It involves the development of a comprehensive risk management policy, delegating responsibilities to individuals, integrating a risk framework into various business functions, prudent allocation of resources, and fostering a corporate culture that consistently prioritises legal risk awareness. Table 2 provides an overview of the continuous legal risk-management process associated with Data Governance at TruMe Life.

Table 2.

The facets of legal risk management in the context of data governance at TruMe life.

Aspect	Subsection	Key points
Management of legal risk		Ongoing process; integrated into all organisational activities
	Context and criteria	• External context: Laws, trade unions, international agreements, market conditions, third-party actions, country-specific laws, and external stakeholders
		• Internal context: Legal entity characteristics, business model, structure, governance, legal affairs state, contractual matters, and labour
		• Risk criteria: Align with overall objectives, legal policies, application of law, and contractual obligations
	Assessment	• Identification: Locate, recognise, and describe legal risks
		• Analysis: Correlation between legal risks and other risks
		• Evaluation: Compare risk analysis with criteria; prioritise risks
	Treatment	• Options: Reject, take/increase, eliminate, change likelihood, change impact, share, retain
		• Evaluation of current practices: Allocate resources, counsel, experts’ views
		• Dynamic process: Adjust techniques based on internal and external legal environment changes
	Communication	• Establish internal communication and reporting mechanisms
	Communication	• Ensure linkage with other communication sources and risk information
Implementation of management		Determine policy, roles, functions, integration, resource allocation, and awareness for legal risk management

TruMe Life’s approach to data governance

TruMe Life’s exploration of the complexity of data governance showcases the notable interconnections between legal risk, corporate accountability, and the ever-evolving nature of digital transformation. ISO 31022, which serves as a reference point for comprehending legal risk, classifies it as a risk associated with legal, regulatory, and contractual issues and non-contractual rights and responsibilities. Upon careful consideration of this definition, it is apparent that TruMe Life’s operations sufficiently address these challenges, specifically regarding regulatory compliance and the management of potential risks associated with contractual and non-contractual rights.

Since its inception, TruMe Life has acknowledged the significance of managing personal customer data, which comes with inherent possibilities and complexities. Due to the complex network of legal statutes and regulatory frameworks that govern this domain, the designation of a Business Information Security Officer (BISO) was deemed necessary in 2021. Responsible for aligning cybersecurity initiatives with the strategic goals of TruMe Life, BISO works closely in collaboration with critical departments, including Risk Management, Information Technology, and Human Resources. The consolidation of data management policies under the purview of BISO, coupled with the advanced big data analysis capabilities of the Digital Unit, facilitates a comprehensive approach to data governance.

TruMe Life adopted a notable stance towards risk management. While benefiting from strong support from a global investment group with a significant stake in the company and employing robust risk management protocols, TruMe Life effectively addressed its distinctive challenges. They demonstrated a strong commitment to complying with relevant OJK regulations and displayed readiness to incorporate global standards. In light of these circumstances, the selection of ISO 31022 as a strategic framework is warranted, considering its widespread adoption in diverse sectors worldwide.

Additionally, TruMe Life also confronts the complexities associated with data storage, computation, and interpretation. The importance to protect digital assets against internal inconsistencies and external threats is accentuated by the potential risks associated with breaches and unauthorised access. Simultaneously, effectively managing the complex legal aspects associated with data processing necessitates adhering to rigorous regulatory requirements, acquiring data from ethical sources, and preserving individual rights. Data analysis requires extracting valuable insights while upholding privacy protocols and mitigating unintended biases.

The insurance industry holds abundant data encompassing various forms of personal identification and comprehensive policy details. This surplus calls for rigorous management and adherence measures, particularly considering the varied regulatory frameworks across different geographical areas. This difficulty is compounded when considering InfoSec guidelines and the shift to cloud-based storage, which requires focused governance, particularly with external service providers. Furthermore, the company demonstrates a solid dedication to safeguarding data integrity through its policies of storing customer data for the entire duration of active policies and enforcing rigorous deletion protocols following a 10-year timeframe.

The emphasis on data integrity is further highlighted by establishing the BISO position, which underscores the alignment between cybersecurity measures and vital organisational objectives. An integrated strategy encompassing key organisational departments, such as Risk Management and Human Resources, ensures adequate data governance coherence. TruMe Life actively navigates the ever-evolving regulatory environment and diverse jurisdictional needs by adopting a forward-thinking approach. To enhance its long-term adaptability and robustness, the company has consistently upheld stringent standards, sometimes surpassing regulatory mandates. This dedication is also evident in its cloud storage procedures, guided with InfoSec and BISO is indispensable for bolstering IT security protocols. This recognition of the intricacies of managing dispersed data underscores an organisation’s commitment to heightened levels of cybersecurity.

Insurance companies face significant legal risks in the complex landscape of data governance. Failure to comply with rigorous data protection regulations, such as the UU PDP, can result in significant consequences, particularly in terms of financial penalties. In some geographical regions, discrepancies may result in penalties equivalent to up to 4% of a company’s annual worldwide revenue²³. Nevertheless, financial ramifications represent only a fraction of the overall situation. The Equifax data breach that occurred in 2017 serves as a poignant illustration of potential damage to a company’s reputation (Hedley and Jacobs, 2017; Moore, 2017). The breach notably impacted Equifax’s market position upon exposure to private information from 143 million individuals²⁴. In addition to these immediate effects, a discreet yet significant outcome of mishandling data is the erosion of customer confidence, which can have lasting implications for customer loyalty and future business prospects. Furthermore, insurance companies may encounter legal complications, such as lawsuits and litigation, which can adversely impact their financial stability and reputation.

TruMe Life has implemented a proactive and comprehensive approach to managing technical systems that may not comply with the data governance requirements. Conducting routine technical audits is a key component of this strategy. TruMe Life maintains an ongoing evaluation of system adherence to regulations and actively addresses any identified discrepancies, thus ensuring continual compliance with regulatory requirements. A company’s forward-thinking approach is also evident through its strategic investment in adaptable technologies, which can be easily adjusted to align with the development of regulatory requirements. This proactive measure effectively safeguards operations against potential risks that may arise in the future. Gaining an external viewpoint is highly beneficial in such situations. Through the guidelines from InfoSec, for rigorous evaluation and certification of their systems, TruMe Life obtains an objective assessment of the strength and resilience of their infrastructure. Furthermore, the company prioritises the human elements of data governance. Consistent training sessions and developmental programs are implemented to maintain staff knowledge of current protocols and technologies, thus minimising errors resulting from human actions. Table 3 presents the summary of strategies and practices in data governance at TruMe Life

Table 3.

Overview of TruMe life’s data governance strategies and practices.

Data governance aspect	Key points
Compliance and legal risk	• Aligns with ISO 31022 for legal risk understanding
Compliance and legal risk	• Emphasis on regulatory compliance, managing contractual and non-contractual risks
Data security leadership	• BISO role for aligning cybersecurity with strategic goals, collaborating across departments for coherent data management
Expertise collaboration	• InfoSec internationally recognised guidelines enhances jurisdiction-specific data governance capabilities
Risk management approach	• Strong backing by a global investment group
Risk management approach	• Adheres to OJK regulations, global standards, and uses ISO 31022 framework
Data protection and privacy	• Prioritises digital asset protection, legal data processing adherence, privacy, and ethical data sourcing
Regulatory challenges in insurance	• Manages extensive personal data, requiring rigorous adherence to diverse geographical regulations
Regulatory challenges in insurance	• Focus on cloud-based storage governance and partnerships with external providers
Data integrity strategies	• Data storage protocols for the duration of policies and post-tenure deletion
Data integrity strategies	• Cybersecurity alignment through roles like BISO and partnerships with specialists
Legal risk consequences	• Highlights financial, reputational risks from non-compliance (e.g. Equifax breach)
Legal risk consequences	• Focuses on the importance of customer trust and potential legal complications
Proactive system management	• Regular audits, adaptable technologies for regulatory alignment
	• External assessments for infrastructure resilience
	• Staff training to minimize human error in data handling

Conclusion

TruMe Life embraces risk management and elevates it to the standard of exemplary corporate governance. Data governance is integral to a company’s daily operations and is entrenched in every facet of its activities. The company’s comprehensive corporate governance framework has been designed to meet the demands of its business while maintaining steadfast adherence to legal and regulatory requirements and ensuring the seamless continuity of its operations. The company must address any technical issues that threaten privacy because the legal implications of handling customer data necessitate a complete and comprehensive corporate focus. TruMe Life’s steady commitment extends beyond mere compliance with the UU PDP; it exemplifies the company’s deep dedication to upholding utmost integrity in protecting customers’ data.

Discussion questions

1. What legal risks have TruMe Life identified that will be addressed as part of the company’s risk management process?

2. Has legal risk management been integrated into the company’s risk management process?

3. How does the company deal with data governance challenges?

4. What legal risks do insurance companies face due to the complexity of data governance?

5. How engaged is the company in addressing data governance when dealing with technical systems that are not accommodating?

6. How can the ISO 31022 framework be used to manage the legal risks related to data privacy and security?

7. What areas does TruMe Life need to enhance in their Data Governance journey

8. What role do culture and human behaviour play in implementing effective legal risk management practices?

Footnotes

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD

Arif Perdana

Notes

Author biographies

Ratna Januarita is an Associate Professor at the Faculty of Law of Universitas Islam Bandung. She currently holds the position of Vice Rector for Cooperation, Internationalization, and Public Relations at the University. She graduated with a Bachelor of Laws from the Faculty of Law at Padjadjaran University in 1991. She furthered her education by obtaining a Master of Laws from Monash University in 2003, followed by a second Master of Laws from Padjadjaran University in January 2004. She achieved her Doctoral Degree in Law from Padjadjaran University in May 2011, which encompassed a sandwich program at the Van Vollenhoven Institute, Leiden University. Since 2004, she has been applying her expertise as a corporate law consultant. She served on the Indonesia National Committee for Governance Policy from 2004 to 2019. Her experience includes roles as an Independent Commissioner at PT Tugu Reinsurance (2005–2008) and at PT PFI Mega Life Insurance, a position she has held since 2011. Her commitment to professional development is evident in her role as a trainer in corporate governance, legal risk management, and compliance at the Center for Risk Management & Sustainability (CRMS), which she has been doing since 2004. Since 2017, she is a certified assessor in four areas of expertise: corporate governance, risk management, internal audit, and compliance, and holds nine certifications in these fields. Additionally, she actively participates in the OECD-Asia Network for Corporate Governance of State-Owned Enterprises, and collaborates with the World Bank, Financial Service Authorities, Indonesian State-Owned Enterprises, Bank Indonesia, Indonesian Competition Commision, among other institutions and private companies. Contact Address: Email: ratna.januarita@unisba.ac.id. Universitas Islam Bandung, Indonesia.

Indra Fajar Alamsyah is a highly motivated Assistant Professor with a strong commitment to teaching and educational excellence at Faculty of Economics and Business, Universitas Islam Bandung, with a passion for teaching and research. He has been working in the areas of social entrepreneurship, creative industry, and business laws. He is an excellent communicator and team player, and has earned several study opportunities and awards throughout his career. He completed his Ph.D in Business Administration at Kulliyyah of Economics and Management Sciences, International Islamic University Malaysia. He completed all levels of study from bachelor to Ph.D sequentially at a young age. In his first year of teaching at the university, he received an award as the lecturer with the best teaching methods according to students. His current job outside of teaching is as sub-division head of research, Institution of Research and Community Services (LPPM) Universitas Islam Bandung. Contact Address: Email: indra.fajar@unisba.ac.id. Universitas Islam Bandung, Indonesia.

Arif Perdana’s work history includes his current position as an Associate Professor at Monash University, specialising in digital strategy and sustainability, data science and analytics, and information systems management. His academic work spans over a decade at various prestigious universities such as Singapore Institute of Technology, Aarhus University, and University of Queensland. Prior to his academic career, Arif worked in the IT services and finance industries and has extensive experience in these sectors. Arif has secured significant funding for his work, including research grants from Singapore institutions, Australian funding agencies, and the Indonesian government and corporations. Some notable research grants and projects include Monash Data Future Institute (MDFI),Whyte Fund, Research Grant Bank Indonesia, and Singapore Institute of Technology Ignition Grants. Contact Address: Email: arif.perdana@monash.edu. Monash University, Indonesia.

References

Abraham

Schneider

Vom Brocke

(2019) Data governance: a conceptual framework, structured review, and research agenda. International Journal of Information Management 49: 424–438. DOI: 10.1016/j.ijinfomgt.2019.07.008.

Anam

(2022, August 20). Jenis Data Pelanggan PLN Yang Diduga Bocor & Dijual Hacker. CNBC Indonesia. https://www.cnbcindonesia.com/tech/20220820165321-37-365289/jenis-data-pelanggan-pln-yang-diduga-bocor-dijual-hacker

Barafort

Mesquida

A-L

Mas

(2017) Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces 54: 176–185. DOI: 10.1016/j.csi.2016.11.010.

BBC Indonesia . (2021, May 21). BPJS Kesehatan: Data Ratusan Juta Peserta Diduga bocor—’Otomatis Yang Dirugikan Masyarakat’, kata pakar. Indonesia: BBC News. https://www.bbc.com/indonesia/indonesia-57196905

BBC Indonesia . (2022, August 19). Dokumen rahasia dari 21.000 perusahaan di Indonesia dilaporkan bocor, “ini bisa jadi alat penipuan.”. Indonesia: BBC News Indonesia. https://www.bbc.com/indonesia/majalah-62603873

Bestari

(2022, August 22). Setelah PLN, 26 Juta Data Indihome Bocor & Disebar Hacker. CNBC Indonesia. https://www.cnbcindonesia.com/tech/20220822062837-37-365431/setelah-pln-26-juta-data-indihome-bocor-disebar-hacker

Bestari

(2023, June 12) Kasus Data Bocor di RI Makin Kencang, Kominfo Buka Suara. CNBC Indonesia. https://www.cnbcindonesia.com/tech/20230612171651-37-445224/kasus-data-bocor-di-ri-makin-kencang-kominfo-buka-suara

CN Indonesia . (2022, August 24). Data 252GB Jasa Marga Diduga Bocor. South Jakarta: CNN Indonesia. https://www.cnnindonesia.com/teknologi/20220824185042-192-838736/data-252gb-jasa-marga-diduga-bocor

CNBC Indonesia . (2020, May 4). Cerita Lengkap Bocornya 91 Juta Data Akun Tokopedia. CNBC Indonesia. https://www.cnbcindonesia.com/tech/20200504063854-37-155936/cerita-lengkap-bocornya-91-juta-data-akun-tokopedia

10.

CNN Indonesia . (2022, December 30). 10 Kasus Kebocoran Data 2022: Bjorka Dominan, Ramai-Ramai Bantah. CN Indonesia. https://www.cnnindonesia.com/teknologi/20221230125430-192-894094/10-kasus-kebocoran-data-2022-bjorka-dominan-ramai-ramai-bantah

11.

Costa-Cabral

(2016) The preliminary opinion of the European data protection supervisor and the discretion of the European commission in enforcing competition law. Maastricht Journal of European and Comparative Law 23(3): 495–513. DOI: 10.1177/1023263X1602300307.

12.

Heald

(2017) Why the insurance industry cannot protect against health care data breaches. Journal of Health Care Law and Policy 19(2): 275–298.

13.

Hedley

Jacobs

(2017) The shape of things to come: the Equifax breach, the GDPR and open-source security. Computer Fraud & Security 2017(11): 5–7. DOI: 10.1016/S1361-3723(17)30080-5.

14.

Jannah

(2022, September 21) UU Perlindungan Data Pribadi Dan Tantangan Implementasinya. Fakultas Ilmu Administrasi Universitas Indonesia. https://fia.ui.ac.id/uu-perlindungan-data-pribadi-dan-tantangan-implementasinya/

15.

Janssen

Brous

Estevez

, et al. (2020) Data governance: organizing data for trustworthy artificial intelligence. Government Information Quarterly 37(3): 101493. DOI: 10.1016/j.giq.2020.101493.

16.

Khumaedy

(2015) Peran Lembaga Keuangan Non Bank Dalam Mendukung Sektor Pertanian. Sekretariat Kabinet Republik Indonesia. https://setkab.go.id/peran-lembaga-keuangan-non-bank-dalam-mendukung-sektor-pertanian/.

17.

Manko

(2023) Erie Insurance: monitoring technology in the car insurance market and the issue of data privacy. Journal of Information Technology Teaching Cases 13(2): 193–198. DOI: 10.1177/20438869221117571.

18.

Marano

(2019) Navigating InsurTech: the digital intermediaries of insurance products and customer protection in the EU. Maastricht Journal of European and Comparative Law 26(2): 294–315. DOI: 10.1177/1023263X19830345.

19.

Moore

(2017) On the harms arising from the Equifax data breach of 2017. International Journal of Critical Infrastructure Protection 19: 47–48. DOI: 10.1016/j.ijcip.2017.10.004.

20.

Nugraha

Bhwana

(2021, August 31). eHAC App Data Breach Allegedly Exposes over 1 Million People. Indonesia: Tempo.Co. https://en.tempo.co/read/1500744/ehac-app-data-breach-allegedly-exposes-over-1-million-people

21.

Onwujekwe

Thomas

Osei-Bryson

K-M

(2019) Using robust data governance to mitigate the impact of cybercrime. Proceedings of the 2019 3rd International Conference on Information System and Data Mining, Houston TX USA, April 2019: 70–79. DOI: 10.1145/3325917.3325923.

22.

Perdana

Ernunsari

Hooker

, et al. (2023) Going Back to the Future for AI Regulation. Australia.

23.

Pritchard

(2018) Legal risk, legal evidence and the arithmetic of criminal justice. Jurisprudence 9(1): 108–119. DOI: 10.1080/20403313.2017.1352323.

24.

Riyanto

Pertiwi

(2022, January 11) Data 163.000 Pelamar Kerja Bocor di Internet, Diduga Milik Anak Perusahaan Pertamina. Kompas. https://tekno.kompas.com/read/2022/01/11/18262517/data-163000-pelamar-kerja-bocor-di-internet-diduga-milik-anak-perusahaan?page=all

25.

Rosana

Hidayat

AAN

(2021, July 29). Kebocoran Data Nasabah BRI Life Bukti Lemahnya Proteksi Dan Regulasi. Indonesia: Tempo.Co. https://fokus.tempo.co/read/1488710/kebocoran-data-nasabah-bri-life-bukti-lemahnya-proteksi-dan-regulasi

26.

Talesh

(2018) Data breach, privacy, and cyber insurance: how insurance companies act as “compliance managers” for businesses. Law & Social Inquiry 43(02): 417–440. DOI: 10.1111/lsi.12303.

27.

Undang-Undang Republik Indonesia Tentang Pelindungan Data Pribadi , 27 (2022).