
Analisis Manajemen Risiko Operasional Penerapan Undang-Undang Pelindungan Data Pribadi di PT Bank Syariah XYZ (Operational Risk Management Analysis of the Implementation of the Personal Data Protection Law at PT Bank Syariah XYZ)

Files: Cover (711.6Kb), Fulltext (3.218Mb), Lampiran / Appendix (260.8Kb)
      Date
      2025
      Author
      Priandi, Dwi Okta
      Jahroh, Siti
      Hasanah, Nur
      Abstract
The development of information technology has brought many benefits to society, such as easier access to information and more efficient digital services, but it has also created new challenges for cybersecurity and personal data protection. Data breach cases at both local e-commerce platforms and global companies show how much risk there is to corporate reputation. Even the banking sector, although it operates under Financial Services Authority (Otoritas Jasa Keuangan, OJK) regulation, is exposed: in 2023 PT Bank Syariah XYZ experienced a cyberattack that disrupted operational activities and was suspected of causing a leak of customer data. That incident could not be sanctioned under the Personal Data Protection Law (UU PDP) because the law only took full effect in October 2024. The enactment of UU PDP is an important step in strengthening legal protection of personal data, which had not previously been regulated comprehensively. PT Bank Syariah XYZ therefore needs to prepare for the operational risks of implementing Law No. 27 of 2022 on Personal Data Protection through systematic risk management.

This study had three objectives: (1) to identify the forms of operational risk that arise when implementing the PDP Law at PT Bank Syariah XYZ; (2) to analyze the level of operational risk faced during implementation; and (3) to formulate effective control measures that minimize operational risk and allow the PDP Law to be implemented without disrupting the stability and continuity of the bank's operations. The research was conducted at the head office of PT Bank Syariah XYZ at The Tower, Jalan Gatot Subroto No. 27, Kelurahan Karet Semanggi, Kecamatan Setiabudi, South Jakarta, from March to August 2025, with a total of 48 respondents.

Different types and sources of data were used at each stage of the research. Respondents were selected by purposive sampling against defined criteria to ensure their relevance. In the risk identification stage, primary and secondary data were collected through in-depth interviews and analyzed descriptively to map potential risks. Risk levels were then analyzed using Failure Mode and Effect Analysis (FMEA) on questionnaire data, computing a Risk Priority Number (RPN) from each risk's severity, occurrence (likelihood), and detectability scores. In the final stage, a Focus Group Discussion (FGD) was held to formulate recommendations for controlling operational risk in the implementation of the PDP Law.

Implementation of the PDP Law at PT Bank Syariah XYZ covers all personal data processing activities, from collection through processing to storage. Three main processing activities were examined: customer data, employee data, and partner data. For each activity, operational risks were identified across five operational domains: internal processes, human resources (HR), technology, external events, and governance, so as to ensure compliance with personal data protection principles. Identification yielded 69 potential operational risks: 31 in customer data processing, most originating from the HR domain; 20 in employee data processing, predominantly from the HR and technology domains; and 18 in partner data processing, spread relatively evenly across the five domains.

Of the 27 priority risks, three require further control because they carry the highest RPN within their respective processing activity (customer, employee and partner data): the absence of a designated personal data protection officer and the non-implementation of PDP Law provisions (RR07), consent not being obtained when customer data is collected (RN03), and cyberattacks on the devices used (RP06). The recommended controls are therefore that the bank strengthen its data security systems to reduce the likelihood of cyberattacks, ensure that partners and vendors comply with PDP Law provisions, run continuous training and awareness programs on personal data protection principles, and ensure that consent records are complete at the point of data collection.
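The FMEA step in the abstract (score each risk for severity, occurrence and detectability, multiply them into an RPN, then pick the highest-RPN risk per processing activity) can be carried out with a few lines of code. The block below is an added illustration, not the thesis's own instrument or data. It assumes the conventional FMEA 1 to 10 scales (the page does not state the scale used), assumes the ID prefixes RN/RP/RR map to customer (nasabah), employee (pegawai) and partner (rekanan) data, and uses constructed scores; the IDs RN11, RP02 and RR03 and all numeric scores are hypothetical.

```python
"""FMEA risk prioritisation: RPN = severity x occurrence x detection.

Added example; the scales, the prefix-to-activity mapping and every score
below are assumptions, not values from the thesis.
"""
from dataclasses import dataclass
from typing import Iterable

SCALE_MIN, SCALE_MAX = 1, 10  # conventional FMEA scales (assumed)

# Assumed mapping from the risk-ID prefix used in the abstract to the
# data-processing activity: N = nasabah, P = pegawai, R = rekanan.
PREFIX_TO_ACTIVITY = {"RN": "customer", "RP": "employee", "RR": "partner"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    domain: str       # internal process, HR, technology, external, governance
    description: str
    severity: int     # impact if the failure occurs
    occurrence: int   # likelihood of the failure
    detection: int    # 10 = hardest to detect before it causes harm

    def __post_init__(self) -> None:
        # Reject out-of-scale scores early so a typo cannot inflate or hide an RPN.
        for name in ("severity", "occurrence", "detection"):
            score = getattr(self, name)
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name}={score} outside {SCALE_MIN}..{SCALE_MAX}")
        if self.risk_id[:2] not in PREFIX_TO_ACTIVITY:
            raise ValueError(f"{self.risk_id}: unknown activity prefix")

    @property
    def activity(self) -> str:
        return PREFIX_TO_ACTIVITY[self.risk_id[:2]]

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(risks: Iterable[Risk]) -> list[Risk]:
    """Highest RPN first; ties broken by severity, then ID, so ranking is deterministic."""
    return sorted(risks, key=lambda r: (-r.rpn, -r.severity, r.risk_id))


def priority_risks(risks: Iterable[Risk], threshold: int) -> list[Risk]:
    """Risks at or above a policy-defined RPN cut-off (the page names 27 priority
    risks but not the threshold used, so it is a parameter here)."""
    return [r for r in rank_by_rpn(risks) if r.rpn >= threshold]


def top_per_activity(risks: Iterable[Risk]) -> dict[str, Risk]:
    """The single highest-RPN risk for each processing activity."""
    top: dict[str, Risk] = {}
    for r in rank_by_rpn(risks):          # already sorted, so first seen per activity is the max
        top.setdefault(r.activity, r)
    return top


# Constructed register: the three IDs named in the abstract plus three hypothetical ones.
SAMPLE_RISKS = [
    Risk("RN03", "internal process", "Consent not obtained at customer data collection", 9, 6, 5),
    Risk("RN11", "HR", "Staff share customer records over personal messaging", 8, 5, 6),
    Risk("RP06", "technology", "Cyberattack on devices used for employee data", 9, 5, 6),
    Risk("RP02", "HR", "Employee HR files readable beyond need-to-know", 6, 4, 5),
    Risk("RR07", "governance", "No designated PDP officer; PDP Law provisions not applied", 10, 7, 4),
    Risk("RR03", "external", "Partner retains shared data outside contract terms", 7, 4, 7),
]

if __name__ == "__main__":
    for r in rank_by_rpn(SAMPLE_RISKS):
        print(f"{r.risk_id:5} {r.activity:9} {r.domain:17} RPN={r.rpn:4}  {r.description}")
    print("\nHighest RPN per activity:")
    for activity, r in top_per_activity(SAMPLE_RISKS).items():
        print(f"  {activity:9} {r.risk_id} (RPN {r.rpn})")
```

Two practical points the multiplication alone hides: an RPN of 280 can come from a catastrophic-but-rare failure or a moderate-but-undetectable one, so the per-activity winner should be read together with its three component scores before controls are chosen; and the priority cut-off is a governance decision that belongs in the risk policy, not in the spreadsheet.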
       
      URI
      http://repository.ipb.ac.id/handle/123456789/171766
      Collections
      • MT - Business [4044]

      Copyright © 2020 Library of IPB University
      All rights reserved