International Journal of Innovative Science and Research Technology, Volume 8, Issue 7, July 2023. ISSN No: 2456-2165. Paper ID IJISRT23JUL925, www.ijisrt.com, pp. 1546-1550.

Personal Data Protection Framework Ranking with Analytical Hierarchy Process (AHP)

Aqil Athalla Reksoprodjo, Muhammad Dachyar, Novandra Rhezza Pratama
Department of Industrial Engineering, Faculty of Engineering, Universitas Indonesia, Depok 16424, Indonesia

Abstract: There are many options for personal data protection frameworks. However, there is no ranking of the available frameworks. A ranking gives a perspective on the merits and drawbacks of the frameworks and provides a point of consideration when adopting and implementing one. This study aims to rank potential framework options for protecting personal data. Experts are involved in the evaluation and scoring of the criteria. The Analytical Hierarchy Process (AHP) technique is used to weight the selection criteria and to rank the alternatives based on the experts' judgement. The findings show that, for businesses, ISO 27701 is the top framework of choice for personal data security.

Keywords: Framework Ranking; Personal Data Protection; AHP.

I. INTRODUCTION

The rapid transmission of information via internet platforms has created opportunities for data hacking and unauthorized disclosure of data.

Approximately 73.7% of Indonesians, about 202.6 million people out of a total population of 274.9 million, are active internet users, while active social media users in Indonesia reached 170 million, or 61.8% of the country's total population [1].

In Indonesia, a total of 1,637,937,022 instances of anomalous cyber traffic were recorded, of which approximately 55 percent were aimed at data breaches [2].

As a result of this data hacking, both the owners of personal data and the organizations that administer such data have suffered significant losses, as a single piece of personal identification information may be worth up to USD 180 [3]. One reason is that information, primarily personal data, is viewed as a commodity and has significant value for parties that can make use of it [4], [5].

Consequently, the security of information, particularly personal data in cyberspace, is essential for businesses today and of the utmost importance [6].

This research aims to rank the available choices of framework for strengthening personal data protection in Indonesian organizations.

II. LITERATURE REVIEW

A. Personal Data Protection

Companies and organizations that collect, use, and process personal data are expected to abide by all applicable laws and regulations, particularly those pertaining to personal data protection [7].

Companies that effectively implement personal data protection see a positive effect on company growth [8].

With special attention to personal data protection, it has been demonstrated that businesses built on personal data protection can enhance their business, and that it offers a competitive advantage to the companies that implement it [9].

Complying with personal data protection practices is essential for businesses and organizations, not only because of the regulations and the benefits they provide, but also out of necessity.

This is reinforced by the strong influence of digitalization on businesses today. Digitalization has been extremely beneficial to human life, particularly in integrating human life with technology [10]. Nevertheless, digitalization typically increases security risks that the actors driving it tend to overlook or give little attention to [10].

In addition to the positive impact on the company and the assurance of compliance with personal data protection regulations, there is a side effect in the form of increased company expenses caused by compliance with those regulations.

Regional standards and regulations for the protection of personal data exist, and each nation has its own set of regulations. The General Data Protection Regulation (GDPR) of the European Union is one of them, and it is currently used as a guideline for data protection practices.

Not only the owner, collector, and user of data, but also third parties who process data are typically governed by regulations on the protection of personal data [11], [12].

Given the importance of implementing personal data protection for companies and organizations, and despite the negative side effects of doing so, market demand, in which personal data security is now a factor for consumers when selecting products or services, means that companies and organizations must implement personal data protection practices.

The company must protect the personal data used in its operations, such as consumer data, as well as the personal data of its employees, as both fall under the umbrella of personal data.

B. Personal Data Protection Framework

The development of technology, particularly in the communication and information sector, which is now integrated into daily life [13], is accompanied by a rise in contemporary difficulties. The development of new technologies has also spurred the issuance of new regulations, particularly concerning the protection of personal data. Regulations on the protection of personal data govern the collection, handling, and use of personal data by organizations and businesses [13].

Compliance with personal data protection regulations presents a challenge for businesses and organizations, owing to the complexity of business operations and in particular the constant flow of information [13].

Because meeting the standards set by personal data protection regulations is complex, organizations and businesses require measures or frameworks that make it easier for them to comply.

A data protection framework is crucial to improving personal data protection systems and complying with regulations. There are numerous frameworks for personal data protection, but selecting the right one for an organization, and one that satisfies the regulation, is challenging.

C. ENISA Guideline for Personal Data Protection

The European Union Agency for Network and Information Security (ENISA) was established in 2004. Its mission is to raise the awareness and culture of information security and cybersecurity in the European Union's society [14].

ENISA has issued guidelines for personal data protection to aid GDPR compliance and reduce the risk of noncompliance with the regulation. The guidelines cover Data Protection by Design and by Default, Data Protection Impact Assessment, Data Protection Engineering, Privacy Enhancing Technologies, and Data Breach Notification [15]-[18].

The EU's GDPR also requires organizations to have a data breach notification process so that, if a breach occurs within the organization, the supervisory authority is notified (under Article 33, within 72 hours of becoming aware of it where feasible) and the organization mitigates its effects. The data breach notification guideline published by ENISA discusses how to manage an incident, coordination with other parties, the content of the notification, and the timeline.

ENISA's guidance is primarily viewed as beneficial for assisting organizations in complying with the GDPR.

D. ISO 27701:2019

The International Organization for Standardization (ISO) has published ISO 27701 as a standard. During drafting it was designated ISO/IEC 27552; it was renumbered ISO/IEC 27701 when it was published in 2019 [19].

ISO 27701 extends ISO 27001 to address the protection of personal data in greater depth. ISO 27001 is a general information security standard; ISO 27701 is an extension that is specific to the security of personal data [20], [21].

ISO 27701 was developed in response to global challenges in protecting personal data. With the adoption of the EU General Data Protection Regulation (GDPR) and the United Kingdom's Data Protection Act (DPA), all activities in the European Union and the United Kingdom that involve personal data must comply with these regulations. However, neither the GDPR nor the DPA specifies how to achieve compliance; this gap was the impetus for developing ISO 27701 as an extension of its progenitor, ISO 27001.

The Privacy Information Management System (PIMS) is discussed thoroughly in ISO 27701. The standard addresses system design, implementation, and supervision [22].

ISO 27701 contains specific guidelines for PIMS design and implementation, covering information security policy; organization of information security; human resource security; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development, and maintenance; supplier relationships; information security incident management; information security aspects of business continuity management; and compliance [20], [21].

In addition to the design and implementation considerations of the PIMS, ISO 27701 provides specific guidance for personal data controllers and processors. Moreover, ISO 27701 is said to be compatible with, and to integrate well with, existing standards and regulations [19].

E. ASEAN Personal Data Protection Framework

ASEAN is an association of Southeast Asian countries. One of its objectives is to increase cooperation among its members in addressing diverse problems, including political, economic, social, and cultural ones. Several member nations, including Singapore, Malaysia, Thailand, the Philippines, and now Indonesia, have laws on personal data protection [23].

The ASEAN Framework on Personal Data Protection was adopted in 2016 at the ASEAN Telecommunications Ministers meeting in Bandar Seri Begawan, Brunei Darussalam [23], [24].

The ASEAN Framework on Personal Data Protection does not require ASEAN member states to adopt it; its purpose is to demonstrate the commitment of member states to prioritize personal data protection [23]-[25].

The ASEAN framework contains seven main principles to strengthen the protection of personal data: (i) consent, notification, and purpose; (ii) accuracy of personal data; (iii) security; (iv) access and correction; (v) transfer to another country or territory; (vi) storage and retention; and (vii) accountability [23].

III. RESEARCH METHODOLOGY

Regarding data collection and processing, this study involves three main steps: determining the selection criteria, applying the Analytical Hierarchy Process (AHP) to weight the selection criteria, and ranking the alternatives.

To determine the selection criteria, the panel of experts evaluates which criteria, drawn from a review of the relevant literature, can be considered in this study for selecting a personal data protection framework. In addition, the experts suggested the inclusion of further criteria in the selection procedure. The experts involved have diverse backgrounds, with a focus on information security, cyber security, and risk management.

After the selection criteria have been determined, AHP is used to calculate the relative importance of each criterion. The purpose of weighting the criteria is to determine which criteria should be given the most weight and consideration [26], [27]. Expert Choice software is used to perform the AHP calculation.

IV. RESULTS AND DISCUSSION

This study aims to aid the selection and ranking of three framework alternatives for the protection of personal data, considering the four most important criteria for selecting the framework to be used by Indonesian businesses.

The framework alternatives are chosen according to how closely they match Indonesia's characteristics, since every expert involved is Indonesian and conversant with the Indonesian environment. Because the European Union's General Data Protection Regulation (GDPR) is regarded as the most sophisticated personal data protection rule, the ENISA personal data protection guidelines are included, as they are widely used for complying with the GDPR. The other options are ISO 27701 and the ASEAN Personal Data Protection Framework. ISO 27701 is a standard published by the International Organization for Standardization and is intended to be implemented broadly, without regard to regional or regulatory restrictions. The ASEAN PDP Framework is selected because of Indonesia's membership in ASEAN and its 2016 ratification of the framework.

The criteria are derived from a review and analysis of the literature on data protection in general. A total of four criteria are considered in this study; in addition to the criteria from the literature analysis, the experts' opinion contributed further criteria. The criteria consist of business & economy, legal, technical, and security.

The weight assigned to each ranking criterion is depicted in Fig. 1.

Legal is ranked as the highest-priority criterion with a weight of 0.61, followed by Business & Economy with 0.19, Security with 0.15, and Technical with 0.05.

Fig 1. Criteria Weights

This indicates that compliance with the rules and regulations plays a significant role in determining which framework is chosen. Because administrative sanctions, penalties, and criminal sanctions apply if a company fails to comply with Indonesian law, noncompliance may even result in the company's dissolution.

Based on the results, business & economy is more important than security. Complying with the requirements of the regulation may require businesses to plan their financial expenditure for adoption, operation, and technology, whereas security is expected to improve as a consequence of compliance. The security factor is therefore still regarded as significant, but the experts consider it covered by the legal factor. This is reflected in the comparatively low weights of business & economy (0.19) and security (0.15), whose sum is still well below the legal weight.

Technical is deemed less essential than the other three criteria, given that the objective is to comply with the rules and regulations by enhancing personal data protection; the company will have to adapt to whatever technical challenges it encounters. The objective, in other words, is to comply with regulations and strengthen the system for protecting personal information.

After calculating the relative importance of each criterion, the next stage is to select the best alternative framework for protecting personal data. Fig. 2 presents the ranking of the framework alternatives considered in this study.
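The weights in Fig. 1 and the ranking in Fig. 2 are the outputs of the three AHP steps described in Section III: pairwise expert judgements on the criteria are turned into a priority vector, the alternatives are scored under each criterion, and the two are synthesised into a global score. The Python example below is added here and is not the paper's code or its Expert Choice output; it works the steps through end to end and adds the consistency check that AHP practice requires (Saaty's consistency ratio, conventionally rejected above 0.10), which the paper does not report. The pairwise judgements, the alternatives' local priorities, and the multi-expert aggregation are constructed for illustration and are not the experts' actual scores.

```python
"""Worked AHP example (added; not the paper's code or its Expert Choice output).
Judgements and local priorities below are constructed for illustration."""

# Saaty's random consistency index RI for matrix order n = 1..10.
RANDOM_INDEX = [0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45, 1.49]

CRITERIA = ["Legal", "Business & Economy", "Security", "Technical"]

# Constructed upper-triangle judgements on Saaty's 1-9 scale: (a, b): v means
# "a is v times as important as b"; the lower triangle is filled with 1/v.
UPPER_JUDGEMENTS: dict[tuple[str, str], float] = {
    ("Legal", "Business & Economy"): 3.0,
    ("Legal", "Security"): 4.0,
    ("Legal", "Technical"): 9.0,
    ("Business & Economy", "Security"): 2.0,
    ("Business & Economy", "Technical"): 4.0,
    ("Security", "Technical"): 3.0,
}

# Constructed local priority of each alternative under each criterion
# (same order as CRITERIA; every column sums to 1 as AHP requires).
LOCAL_PRIORITIES: dict[str, list[float]] = {
    "ISO 27701": [0.50, 0.45, 0.55, 0.50],
    "ENISA":     [0.30, 0.20, 0.30, 0.35],
    "ASEAN":     [0.20, 0.35, 0.15, 0.15],
}


def reciprocal_matrix(labels: list[str],
                      upper: dict[tuple[str, str], float]) -> list[list[float]]:
    """Complete the n x n pairwise comparison matrix from its upper triangle."""
    idx = {name: i for i, name in enumerate(labels)}
    n = len(labels)
    m = [[1.0] * n for _ in range(n)]
    for (a, b), v in upper.items():
        i, j = idx[a], idx[b]
        m[i][j], m[j][i] = v, 1.0 / v
    return m


def geometric_mean_matrix(matrices: list[list[list[float]]]) -> list[list[float]]:
    """Combine several experts' matrices element-wise by geometric mean, the
    usual group-AHP aggregation because it preserves the reciprocal property."""
    k, n = len(matrices), len(matrices[0])
    agg = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            prod = 1.0
            for m in matrices:
                prod *= m[i][j]
            agg[i][j] = prod ** (1.0 / k)
    return agg


def priority_vector(m: list[list[float]], tol: float = 1e-12) -> list[float]:
    """Principal right eigenvector by power iteration, normalised to sum to 1."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(1000):
        nxt = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(nxt)
        nxt = [x / total for x in nxt]
        converged = max(abs(a - b) for a, b in zip(nxt, w)) < tol
        w = nxt
        if converged:
            break
    return w


def consistency_ratio(m: list[list[float]], w: list[float]) -> float:
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1). CR > 0.10 means
    the judgements contradict each other too much and should go back to the expert."""
    n = len(m)
    if n < 3:
        return 0.0
    aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n - 1]


def rank_alternatives(weights: list[float],
                      local: dict[str, list[float]]) -> list[tuple[str, float]]:
    """Global score of each alternative = sum over criteria of weight x local priority."""
    scores = {alt: sum(w * p for w, p in zip(weights, prios)) for alt, prios in local.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def run_example() -> tuple[list[float], float, list[tuple[str, float]]]:
    """All three AHP steps on the constructed data: (criterion weights, CR, ranking)."""
    m = reciprocal_matrix(CRITERIA, UPPER_JUDGEMENTS)
    w = priority_vector(m)
    return w, consistency_ratio(m, w), rank_alternatives(w, LOCAL_PRIORITIES)


if __name__ == "__main__":
    weights, cr, ranking = run_example()
    for name, wt in zip(CRITERIA, weights):
        print(f"{name:<20} {wt:.3f}")
    verdict = "acceptable" if cr <= 0.10 else "revise judgements"
    print(f"consistency ratio    {cr:.3f} ({verdict})")
    for alt, score in ranking:
        print(f"{alt:<20} {score:.3f}")
```

With the constructed judgements the criterion order comes out Legal > Business & Economy > Security > Technical, matching Fig. 1, and the consistency ratio is comfortably below 0.10; a perfectly consistent matrix (every entry equal to w_i / w_j) reproduces its generating weights exactly with a ratio of zero. When a panel of experts is used, as in this study, `geometric_mean_matrix` combines their individual matrices before the eigenvector is computed, and any individual matrix with a ratio above 0.10 should be returned to that expert rather than aggregated.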

In comparison to ENISA and ASEAN, the score indicates that ISO 27701 is the best option. Since ISO 27701 is part of the ISO standard series and an extension of ISO 27001, it is considered the most compatible with the environment of Indonesian organizations and the easiest to integrate with existing systems. As a result, the framework will be easier to implement for the many organizations in Indonesia that are already familiar with ISO 27001. The ENISA guidelines are believed to be harder to implement because of their emphasis on Privacy by Design, which must be built into every system, though this is simpler when the system is new. The ASEAN framework has been adopted by ASEAN, but it lacks specific guidance on how to implement it, and its guidelines themselves are not detailed.

Fig 2. Framework Ranking

V. CONCLUSION

Based on the findings, it can be concluded that ISO 27701 is the highest-ranking personal data protection framework that Indonesian organizations can use to strengthen their personal data protection.

Legal was the most important criterion, so compliance with the rules and regulations is considered of the utmost importance. It is followed by the business & economy criterion, which covers the adoption and operation costs of the framework. The security criterion follows: if the regulations are met, security is expected to follow and strengthen. Because compliance requires businesses to adapt to whatever technical difficulties they encounter, the technical criterion was deemed least important.

REFERENCES

[1] Kementerian Komunikasi dan Informatika (Kominfo), "Laporan Kinerja Kementerian Komunikasi dan Informatika 2021" (Performance Report of the Ministry of Communication and Informatics 2021).
[2] D. O. K. S., Badan Siber dan Sandi Negara, "Laporan Tahunan 2021 Monitoring Keamanan Siber" (2021 Annual Cyber Security Monitoring Report), Badan Siber dan Sandi Negara Republik Indonesia, 2022.
[3] IBM Security, "Cost of a Data Breach Report," 2021.
[4] N. N. Neto, S. Madnick, A. M. G. D. Paula, and N. M. Borges, "Developing a Global Data Breach Database and the Challenges Encountered," Journal of Data and Information Quality, vol. 13, no. 1, pp. 1–33, 2021, doi: 10.1145/3439873.
[5] P. Petrov, I. Kuyumdzhiev, R. Malkawi, G. Dimitrov, and J. Jordanov, "Digitalization of Educational Services with Regard to Policy for Information Security," TEM Journal, vol. 11, no. 3, pp. 1093–1102, 2022, doi: 10.18421/TEM113.
[6] A. A. Loishyn, S. Hohoniants, M. Y. Tkach, M. H. Tyshchenko, N. M. Tarasenko, and V. S. Kyvliuk, "Development of the Concept of Cybersecurity of the Organization," TEM Journal, vol. 10, no. 3, pp. 1447–1453, 2021, doi: 10.18421/TEM103.
[7] O. Olukoya, "Assessing frameworks for eliciting privacy & security requirements from laws and regulations," Computers & Security, vol. 117, p. 102697, 2022, doi: 10.1016/j.cose.2022.102697.
[8] O. Y. Guseva, I. O. Kazarova, I. Y. Dumanska, M. A. Gorodetskyy, L. V. Melnichuk, and V. H. Saienko, "Personal Data Protection Policy Impact on the Company Development," WSEAS Transactions on Environment and Development, vol. 18, pp. 232–246, 2022, doi: 10.37394/232015.2022.18.25.
[9] A. Cavoukian, "Understanding How to Implement Privacy by Design, One Step at a Time," IEEE Consumer Electronics Magazine, vol. 9, no. 2, pp. 78–82, 2020, doi: 10.1109/MCE.2019.2953739.
[10] A. Shahim, "Security of the digital transformation," Computers & Security, vol. 108, p. 102345, 2021, doi: 10.1016/j.cose.2021.102345.
[11] N. K. S. Dharmawan, D. P. D. Kasih, and D. Stiawan, "Personal data protection and liability of internet service provider: A comparative approach," International Journal of Electrical and Computer Engineering, vol. 9, no. 4, pp. 3175–3184, 2019, doi: 10.11591/ijece.v9i4.pp3175-3184.
[12] Z. S. Li, C. Werner, N. Ernst, and D. Damian, "Towards privacy compliance: A design science study in a small organization," Information and Software Technology, vol. 146, p. 106868, 2022, doi: 10.1016/j.infsof.2022.106868.
[13] V. Diamantopoulou, A. Tsohou, and M. Karyda, "From ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to GDPR compliance controls," Information & Computer Security, 2020, doi: 10.1108/ICS-01-2020-0004.
[14] D. Markopoulou, V. Papakonstantinou, and P. de Hert, "The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation," Computer Law and Security Review, vol. 35, no. 6, p. 105336, 2019, doi: 10.1016/j.clsr.2019.06.007.
[15] European Network and Information Security Agency, "Privacy and Data Protection by Design – from policy to engineering," December 2014, doi: 10.2824/38623.
[16] European Network and Information Security Agency, "Online Platform for Security of Personal," 2019, doi: 10.2824/3000.
[17] European Network and Information Security Agency, "Data Protection Engineering," January 2022.
[18] European Network and Information Security Agency, "A tool on Privacy Enhancing Technologies (PETs) knowledge management and maturity assessment," December 2017.

[19] International Organization for Standardization, ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management: Requirements and guidelines, 2019.
[20] O. M. Fal', "Documentation in the ISO/IEC 27701 Standard," Cybernetics and Systems Analysis, vol. 57, no. 5, pp. 796–802, 2021, doi: 10.1007/s10559-021-00404-3.
[21] M. I. Fadhil, "Control Design of Information Security Related to Privacy in The Smart SIM Business Process," pp. 66–72, 2021.
[22] S. A. Grishaeva, "Development and Implementation of Privacy Information Management for Compliance with International Standard ISO 27701:2019," pp. 2021–2023, 2021.
[23] T. Tampubolon and R. Ramadhan, "ASEAN Personal Data Protection (PDP): Mewujudkan Keamanan Data Personal Digital pada Asia Tenggara" (ASEAN Personal Data Protection (PDP): Realizing Digital Personal Data Security in Southeast Asia), Padjadjaran Journal of International Relations, vol. 1, no. 3, p. 270, 2020, doi: 10.24198/padjir.v1i3.26197.
[24] ASEAN, "Framework on Personal Data Protection," pp. 1–6, 2016.
[25] S. S. Surtiwa and C. J. Gultom (Faculty of Law, Universitas Indonesia, Jawa Barat), "Remarks on 2016 ASEAN Framework on Personal Data Protection and the Impact Towards Regional Peer to Peer Lending," vol. 558 (APRISH 2019), pp. 720–726, 2021.
[26] G. Giovanni, R. Gita, M. Dachyar, and N. R. Pratama, "Ideal Location Selection for Global Excavator Manufacturing Facilities in North America," pp. 310–319, 2022.
[27] M. Dachyar, M. Salman, and R. Nurcahyo, "Strategies to Improve the Education and Research Scholarship Program at the Universities," TEM Journal, vol. 12, no. 1, pp. 389–395, 2023, doi: 10.18421/TEM121.
