Keywords:
Accountability, Compliance, Data Controller, Information Security, Personal Data Protection

Abstract
This article examines data controller responsibilities under Indonesia’s Law Number 27 of 2022 concerning Personal Data Protection within the broader context of cyber law and information security governance. The discussion is guided by two questions: how effective is the PDP Law in regulating data controller responsibilities in Indonesia, and why is controller compliance urgent for Indonesia’s digital legal framework? This study helps clarify the legal position of data controllers as the main actors responsible for determining the purposes and control of personal data processing. Using a normative legal approach, the article analyzes statutory provisions, legal principles, scholarly literature, and selected data breach cases as contextual support. The results show that the PDP Law has strengthened Indonesia’s personal data protection framework by establishing clearer controller obligations, including lawful processing, transparency, security, breach notification, and respect for data subject rights. However, its effectiveness remains limited by challenges in technical implementation, institutional supervision, enforcement consistency, and organizational compliance readiness. The article finds that controller accountability must be transformed from statutory duty into measurable compliance practice.