Annual Report 2023

In 2023, the Data Maturity measurement results obtained a value of 3.88 out of 5.00 with the measurement scope in the Enterprise Data Management Division. BRI committed to continuing to protect personal data through a series of technical, procedural and organizational policies to prevent unauthorized or unlawful access, collection, use, disclosure, copying, changes or deletion. BRI realized that personal data was a valuable asset that had to be protected. BRI strived to maintain the trust of stakeholders by securing and protecting the personal data we obtain. BRI understood the importance of privacy as a fundamental right and was committed to complying with all applicable legal provisions, including but not limited to:
• Law no. 27 of 2022 concerning Personal Data Protection;
• Law no. 4 of 2023 concerning Development and Strengthening of the Financial Sector;
• Financial Services Authority Regulation no. 22 of 2023 concerning Consumer and Community Protection in the Financial Services Sector;
• Bank Indonesia Regulation no. 3 of 2023 concerning Bank Indonesia Consumer Protection; and
• Other laws and regulations related to personal data protection.

Personal data protection was implemented for every personal data processing activity in the data life cycle, which included collection, processing, storage and destruction of personal data. Implementation of personal data protection was carried out using the Privacy Operational Lifecycle approach:
• Governance: BBRI has a team responsible for implementing personal data protection programs. We manage personal data based on statutory regulations and internally established policies and procedures related to Data Management, Personal Data Protection and Information Security.
• Assess: BRI continually evaluates the organization’s current privacy management processes and builds an understanding of how these processes and procedures align with applicable best practices and compliance requirements. This is done by implementing Gap Analysis, preparing records of data processing activities, assessing the impact of protecting personal data, and carrying out data inventory & mapping.
• Protect: BRI has technical and organizational measures to protect personal data from unauthorized access or unauthorized use, including but not limited to implementing encryption, tokenization, data loss prevention, and other technologies to prevent unauthorized or unlawful access, collection, use, disclosure, copying, alteration or deletion.
• Sustain: BRI is committed to maintaining compliance with personal data protection regulations and continuing to improve our personal data protection practices over time by continuing to provide training and awareness to all employees at both head office and branches. BRI continues to follow developments in personal data protection regulations so that it can always adapt to developing needs.
• Respond: BRI has cyber incident handling procedures to handle personal data breaches immediately and effectively.

In addition, as a form of transparency regarding the processing of personal data, BRI has prepared and published a privacy notice which can be accessed at the following link: https://bri.co.id/web/guest/privacy. With this statement, BRI confirms its obligation to provide the best protection for the personal data we manage, and we are committed to continuing to update and improve our policies and practices in line with technological developments and applicable regulations.

Cyber Resilience and Security

BRI realizes that services from BRI are important in providing added value to customers and stakeholders, so disruptions to services, as well as vulnerabilities and leaks of customer information/data from these services, are unacceptable. Therefore, BRI is committed to protecting customer information/data by supporting increased service security from cyber attacks and interference.
In line with developments in digitalization and trends in the development of cyber attacks, BRI has had a business unit under the Director of Digital Information Technology & Operations which specifically handles information security since 2018. The information security business unit is led by a Chief Information Security Officer (CISO) who has related security experience and certifications including Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). BRI has developed an Enterprise Security Architecture that uses the NIST Cyber Security Framework as a reference in developing cyber security at BRI. In line with this, BRI has also carried out a Security Maturity Assessment with a score of 3.57 out of a maximum score of 4.

PT Bank Rakyat Indonesia (Persero) Tbk. 2023 Annual Report 432
