Governance of Personal Data Security Based on The Kami Index to Support Compliance with Law No. 27 Of 2022 in Professional Certification Institutions

Authors

  • Tsaltsa Nurussalamah, Universitas Langlangbuana
  • Hendra Sandhi Firmansyah, Universitas Langlangbuana
  • Mokhamad Hendayun, Universitas Langlangbuana

Keywords:

Governance, Personal Data Security, KAMI Index, UU PDP, LSP

Abstract

The rapid advancement of information technology has driven digital transformation across various sectors, including the certification of professional competencies. As an authorized institution responsible for administering such certifications, Professional Certification Bodies (LSPs) play a crucial role in managing participants’ personal data, such as National Identity Numbers (NIK), educational history, work experience, and other administrative documents. However, the increasing complexity of data management poses significant challenges to the protection of personal data. It is therefore essential for LSPs to implement information security governance that is not only administrative and procedural but also aligned with regulatory principles, particularly those outlined in Law No. 27 of 2022 on Personal Data Protection (PDP Law).

This study aims to evaluate the readiness level of LSPs in implementing personal data security governance through an assessment approach based on the KAMI Index (Information Security Index) version 5.0. Additionally, this research maps the alignment between indicators in the KAMI Index and key articles of the PDP Law, and formulates standard operating procedures (SOPs) as practical recommendations to improve LSP compliance. The research employs a descriptive qualitative method using a case study approach on an officially registered LSP under the National Professional Certification Agency (BNSP). Data were collected through KAMI Index-based questionnaires, organizational documentation, and in-depth interviews with key personnel responsible for information security.

The evaluation results indicate that the current state of personal data governance within the observed LSP has not yet reached an optimal maturity level. Of the six domains in the KAMI Index version 5.0, three key domains—Governance, Risk Management, and Personal Data Protection—were analyzed in depth. The assessment shows that the completeness and maturity scores remain at a “Fair” level. Key weaknesses include the lack of documented security policies, absence of formally appointed Data Protection Officers (DPOs), and the unavailability of formal procedures for handling data subject rights and risk mitigation. Among these, the Risk and PDP domains scored the lowest in both documentation and implementation, while the Governance domain scored the highest, yet still requires procedural and structural improvements.

The study also identifies 27 KAMI Index indicators that directly align with several key articles of the PDP Law, particularly Articles 16, 17, 20, 33, 35, and 46. The mapping results are structured into a matrix that illustrates the alignment between the indicators and the applicable legal provisions, while also identifying gaps in the internal policies of the LSP. These findings suggest that although the KAMI Index was not explicitly designed to measure legal compliance, it can serve as an effective preliminary tool for identifying gaps and weaknesses in data governance at the organizational level.

As a follow-up to the analysis and identified gaps, this research proposes nine SOPs to be implemented by LSPs in enhancing their readiness and compliance with personal data protection principles. These SOPs include:
(1) Planning and Establishment of Personal Data Security Policy, (2) Designation and Appointment of Data Protection Officers (DPO), (3) Collection and Consent for Personal Data, (4) Storage and Security of Personal Data, (5) Management of Data Subject Rights, (6) Management of Personal Data Security Risks, (7) Handling of Personal Data Security Incidents, (8) Enhancement of Competence and Awareness on Data Security, and (9) Audit and Evaluation of Personal Data Security Governance.

These SOPs are formulated based on best practices in IT governance, KAMI Index indicators, and the provisions of the PDP Law, and are expected to serve as practical and implementable references for LSPs and similar institutions.

Overall, this study provides both theoretical and practical contributions. Theoretically, it expands the discourse on mapping information security assessment instruments to national regulations. Practically, it offers a reference framework for developing and implementing measurable and sustainable personal data protection policies at the institutional level.

Published

2025-04-01

Section

Articles

How to Cite

Governance of Personal Data Security Based on The Kami Index to Support Compliance with Law No. 27 Of 2022 in Professional Certification Institutions. (2025). Infosecure, 6(1), 35-41. https://jurnal-pasca.unla.ac.id/infosecure/article/view/v6n1_06