Assessing Indonesian MSMEs' Awareness of Personal Data Protection by PDP Law and ISO/IEC 27001:2013

Endah Fuji Astuti, Achmad Nizar Hidayanto, Sabila Nurwardani, Ailsa Zayyan Salsabila

Research output: Contribution to journal › Article › peer-review

Abstract

Digital technology, while streamlining business operations, also poses significant risks by recording vast amounts of data. This study evaluates the awareness and compliance of Indonesian MSMEs with the Personal Data Protection (PDP) Law and ISO/IEC 27001:2013 standards, highlighting areas needing improvement. Using a quantitative approach, an online questionnaire was distributed to 126 MSMEs across Indonesia to assess legal awareness, consent management, data processing, and governance structures. The analysis, employing descriptive statistics and a Likert scale, reveals a low awareness of the PDP Law (mean score: 3.13) and partial compliance in consent management (mean score: 3.49). While data processing shows strengths (mean score: 3.71), weaknesses in third-party agreements (mean score: 2.67) and the appointment of Data Protection Officers (mean score: 2.98) indicate governance gaps. The findings underscore the struggle of Indonesian MSMEs in implementing crucial data protection practices. The study recommends investing in legal and data protection training, formalizing data agreements, appointing Data Protection Officers, conducting regular audits, and improving data breach management. These steps are vital for fostering a data protection culture and ensuring business sustainability in the digital age.

Original language: English
Pages (from-to): 1559-1567
Number of pages: 9
Journal: International Journal of Safety and Security Engineering
Volume: 14
Issue number: 5
Publication status: Published - Oct 2024

Keywords

  • awareness
  • descriptive statistical analysis
  • Indonesia MSMEs
  • ISO/IEC 27001:2013
  • PDP Law Indonesia
  • personal data protection
