Leny Suwardi, CIOSEA News, ETCIO SEA
Leny Suwardi, Data Protection and Privacy Officer & Senior Vice President, Tokopedia

As the volume of data organisations collect keeps growing, data protection and privacy demand deliberate policies and practices. Effective data protection depends on the cooperation of every party involved, including governments, data firms and specialist data protection consultants. To support the right to privacy in countries such as Indonesia, companies like Tokopedia are building mature infrastructure and compliance structures and investing in sound data practices.

In an exclusive interaction, Leny Suwardi, Data Protection and Privacy Officer & SVP, Tokopedia, gives us a corporate deep-dive into the Indonesian e-commerce giant’s data protection and privacy practices, the state of privacy laws and regulations in the country, and her key advice to data officers and tech leaders.

With over 18 years of experience providing IT audit and consultancy services to state-owned enterprises, large multinational companies and the financial services industry, Leny's key skills lie in IT audit, IT governance, cybersecurity, data privacy, regulatory compliance review, system implementation review, business process improvement and internal control review. She has held senior leadership positions at organisations such as Deloitte, PwC, Dekara and JTC Corporation.

Here are some of the most interesting excerpts from the interview:

Leny, there’s an increasing need for the development of vital, data-centric technology ecosystems that are secured, governed, and well-protected. What are the biggest data protection and security challenges companies like Tokopedia are facing in the e-commerce industry?

A key priority and challenge for Tokopedia is educating the thousands of Nakama (a nickname for Tokopedia employees) on Tokopedia’s data protection and privacy rules and ethics. While we have a dedicated team that handles matters related to data protection and privacy, we believe that all Nakama are responsible for protecting the privacy of our users’ data.

One way we address this is by making it compulsory for all Nakama to participate in training sessions and learning programs on data protection and privacy through NXT, Tokopedia's learning ecosystem for Nakama. Continuous education and awareness are key for a large organisation like ours.

We have also introduced and developed a privacy-first culture for Nakama. For example, we have Privacy Day, where we highlight company policies that relate to the protection and handling of personally identifiable information (PII). In addition, we apply the Privacy by Design principle when analysing and assessing data protection readiness every time Tokopedia launches or updates a product or feature.

Last but not least, constant engagement with our users continues to be a key part of our efforts. We aim to broaden and deepen our users' understanding of the data protection and privacy efforts that Tokopedia is facilitating, as well as the actions they can take individually, such as:

  • Enabling our users to access our public privacy policy page, https://tokopedia.com/privacy, which outlines their rights regarding data collection on the Tokopedia platform.
  • Prompting users to regularly change their Tokopedia password.
  • Reminding users to refrain from using the same password for multiple digital platforms.
  • Educating users about protecting the secrecy of their One Time Password.
  • Reminding users to exercise caution when accessing unofficial sites, responding to messages, and opening attachments sent by parties that claim to be Tokopedia.

We move forward with our initiatives while understanding that other challenges may persist, such as managing a massive volume of data, an evolving regulatory landscape, and the need for more talent. A key initiative deployed in response to those challenges is to collaborate with strategic partners whose expertise is in the field of data protection, including the government, data firms, consultants, and Tokopedia Academy, our open-source technology education platform.

Give us an overview of how you construct your data strategies with regard to three pillars: data governance, data architecture, and data culture.

In Tokopedia, the Data Protection and Privacy Office (DPPO) drives efforts on personal data protection and those that produce privacy-safe products and features, including:

  • Data governance → developing policies and procedures that govern personal data management, covering the data lifecycle (from collection to deletion/destruction); implementing personal data processing assessments that identify the impact on the individual's data and privacy and determine mitigation controls.
  • Data architecture → understanding the types of PII we collect, process, store, and share in our systems, as well as building control processes around PII to mitigate its risks. The control processes include storing only required data, ensuring that stored personal data is encrypted at rest and in transit, restricting access to it, and deleting personal data once it is no longer needed.
  • Data culture → developing a privacy-first culture and instilling the Privacy by Design mindset in all Nakama. We seek to address this by obligating all Nakama to participate in training sessions and certification programs on data protection and privacy through NXT, Tokopedia's learning ecosystem for Nakama. There is also Privacy Day, where we socialise company policies that relate to the protection and handling of personally identifiable information (PII).

In an age when every piece of information can be captured and stored in some format, the sheer volume of data is leaving executives with data management headaches. Is such incessant data collection necessary? How can organisations fine-tune their data collection strategies to ensure they only collect the data they will actually use?

As part of the process of educating our Nakama, we consistently highlight the importance of PII minimisation. This principle reminds all parties to minimise their data collection and ensures that data collected addresses a specific objective. Organisations can apply this principle while performing their privacy impact assessment on their data collection and processing.

Organisations should also create an inventory of their current data collection practices, allowing them to review the application of the PII minimisation principle. It is important to note that by minimising PII collection, we respect the data subjects' privacy and limit the risk of data exposure.

Having a dedicated data protection team like Tokopedia's DPPO further allows organisations to mitigate excessive PII collection; it helps by educating Nakama on the PII minimisation principle, reviewing product features for privacy safety during their development, and conducting an annual review to ensure consistent PII minimisation.
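
The data-architecture bullet above (store only required data, delete it once no longer needed) and the minimisation and inventory-review points in this answer can be expressed as a small policy check. The following is an added example and not Tokopedia's or the interviewee's code: the inventory drives minimisation at the point of collection, an audit of which fields are actually being collected, and retention-based deletion. Every field name, purpose, retention period and record in it is hypothetical and constructed for illustration.

```python
# Added example, not Tokopedia's code: a PII inventory that drives
# minimisation at collection time, an inventory review of what is actually
# collected, and retention-based deletion. Standard library only.
# All field names, purposes, retention periods and records are hypothetical.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FieldPolicy:
    purpose: str          # the specific objective that justifies collecting the field
    retention_days: int   # delete the field once this long after collection
    pii: bool = True      # non-PII fields are kept for the record's lifetime


# Hypothetical inventory for a checkout flow: every field we intend to collect,
# why, and for how long. Anything not listed here has no declared purpose.
INVENTORY: dict[str, FieldPolicy] = {
    "order_id": FieldPolicy("order fulfilment", 365 * 5, pii=False),
    "email": FieldPolicy("order notifications", 365),
    "shipping_address": FieldPolicy("delivery", 90),
    "phone": FieldPolicy("courier contact", 90),
}


def minimise(record: dict, inventory: dict[str, FieldPolicy] = INVENTORY) -> tuple[dict, list[str]]:
    """Keep only fields with a declared purpose and report what was dropped.

    Dropping at the collection boundary means undeclared PII never reaches storage.
    """
    kept = {k: v for k, v in record.items() if k in inventory}
    dropped = sorted(k for k in record if k not in inventory)
    return kept, dropped


def audit_inventory(observed_fields, inventory: dict[str, FieldPolicy] = INVENTORY) -> list[str]:
    """Inventory review: fields seen in collection paths (forms, APIs, logs)
    that have no inventory entry, i.e. collection without a stated objective."""
    return sorted(set(observed_fields) - set(inventory))


def expired_fields(record: dict, collected_at: datetime, now: datetime,
                   inventory: dict[str, FieldPolicy] = INVENTORY) -> list[str]:
    """PII fields in the record whose retention period has elapsed."""
    age = now - collected_at
    return sorted(
        k for k in record
        if k in inventory and inventory[k].pii
        and age > timedelta(days=inventory[k].retention_days)
    )


def purge(record: dict, collected_at: datetime, now: datetime,
          inventory: dict[str, FieldPolicy] = INVENTORY) -> dict:
    """Return the record with expired PII removed; non-PII fields survive."""
    gone = set(expired_fields(record, collected_at, now, inventory))
    return {k: v for k, v in record.items() if k not in gone}


# Constructed sample: a checkout form that posts more than the inventory allows.
SUBMITTED = {
    "order_id": "ORD-0001",
    "email": "buyer@example.com",
    "shipping_address": "Jl. Contoh No. 1, Jakarta",
    "phone": "+62-800-000-0000",
    "date_of_birth": "1990-01-01",       # no declared purpose -> dropped
    "device_fingerprint": "c0ffee",      # no declared purpose -> dropped
}
COLLECTED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
AFTER_30_DAYS = COLLECTED_AT + timedelta(days=30)    # nothing expired yet
AFTER_150_DAYS = COLLECTED_AT + timedelta(days=150)  # 90-day fields expired

if __name__ == "__main__":
    stored, dropped = minimise(SUBMITTED)
    print("stored fields:", sorted(stored))
    print("dropped (no declared purpose):", dropped)
    print("inventory gaps:", audit_inventory(SUBMITTED.keys()))
    print("expired after 150 days:", expired_fields(stored, COLLECTED_AT, AFTER_150_DAYS))
    print("after purge:", sorted(purge(stored, COLLECTED_AT, AFTER_150_DAYS)))
```

The same inventory can serve all three stages of the lifecycle: the allowlist rejects fields at the collection boundary, the audit shows which collection paths have drifted from what was declared, and the retention check is what a scheduled deletion job would run. Encryption at rest and access restriction, the other controls named in the bullet, are left to the storage layer.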

At every step of the way, customers and users are entrusting big tech companies with their personal data. What are some necessary data privacy practices all executives should instil in their organisations?

We are not in a position to speak on behalf of all executives. We can, however, share our approach to creating a safe and reliable digital ecosystem:

  • People → We are collaborating with, as well as strengthening the capacity and developing the capabilities of our digital talents. For example, we have made it mandatory for all Nakama to participate in training sessions and certification programs on the topics of IT security as well as data protection and privacy through NXT. In addition, we actively invest in people and build dedicated teams to look after data and security-related matters – for instance, our DPPO team works closely with our IT security team to ensure the security of our users’ data.
  • Process → We are continuously improving the quality of our IT security and data protection efforts by regularly optimising the process of implementation, measurement, and evaluation.
  • Technology → We continue to develop and enhance our technology, including ones that advance our data protection efforts (restricting access and protecting data in layers). At the same time, we are strengthening our platforms (cloud, endpoint, and application) consistently and sustainably, as well as implementing industry-wide IT security best practices.

What's your view of the data protection laws in Indonesia? Are corporate organisations complying with them at large?

Tokopedia is committed to abiding by data protection and privacy laws and regulations, especially as part of our efforts to protect our users’ rights. We also collaborate with strategic partners with expertise in the field of data protection, including the government, data firms, and consultants to improve our data protection management, procedures, and risk mitigation system. Our hope is to see a mature infrastructure, including laws and regulations, that support the right to privacy for individuals in Indonesia.

Before we bid adieu, Leny, share your top advice for data officers and information officers with regard to data protection in the region.

A few insights from us would be:

  • Start your data protection efforts early: Addressing and managing data protection and privacy risks becomes more challenging as the complexity of our data and its supporting processes increases. Start building initiatives as soon as you can and build on them gradually as the data grows.
  • Educate your organisation: This is particularly crucial for a technology company such as Tokopedia, because all our employees and team members are eventually responsible for protecting the privacy of our users’ data. It is crucial that our organisation is made aware of the importance of data protection.
  • Collaborate: Internally, we work closely with the IT Security team to strengthen our digital ecosystem. We also work alongside other divisions, especially when it comes to educational initiatives. Externally, we collaborate with strategic partners with expertise in the fields of cyber security and data protection, including global security experts, consultants, and other industry players, to improve our IT security and data protection management, procedures, and risk mitigation system.
  • Educate our users: Our users must also be educated on the ways our platform facilitates data protection, their data collection rights while using our platform, and the actions they can take individually to protect their own data. It is important that our users also understand the risks and opportunities of data protection and privacy in order to take better care of their data.
