Identification of Operational Risks in Partner Data Processing at PT Bank Syariah XYZ

Authors

  • Dwi Okta Priandi, School of Business, IPB University; SB IPB Building, Jl. Pajajaran, Bogor, Indonesia 16151, Indonesia
  • Siti Jahroh, School of Business, IPB University; SB IPB Building, Jl. Pajajaran, Bogor, Indonesia 16151, Indonesia
  • Nur Hasanah, School of Business, IPB University; SB IPB Building, Jl. Pajajaran, Bogor, Indonesia 16151, Indonesia

DOI:

https://doi.org/10.17358/brcs.6.3.459

Abstract

Background: PT Bank Syariah XYZ experienced a data breach incident in 2023. In response to the enactment of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law), which came into effect in 2024, the bank sought to implement these provisions in its operations. Risk management is crucial for minimizing potential financial losses and ensuring business continuity during this implementation.
Purpose: This study aimed to identify risk factors and sources, analyze their potential impacts, and propose control measures using the Failure Mode and Effect Analysis (FMEA) method. 
Design/methodology/approach: The research was conducted from March to June 2025 and involved eight respondents directly responsible for third-party data management. The approach used was descriptive, qualitative, and quantitative, with data collection through interviews, questionnaire surveys, and group discussions. A quantitative analysis was performed using the FMEA method, focusing on three main stages of data management: collection, processing, and storage. The scope of this study covered operational aspects such as internal processes, human resources, technology, external events, and governance. 
Findings/Result: Of the 18 risks identified, seven were classified as priority risks. In the data collection stage, the priority risks were that the partner had not yet appointed a Person in Charge of Data Protection (PIC PDP) or implemented the provisions stipulated in the PDP Law (RR07), the use of a single email account (RR05), and a low understanding of the PDP Law by third parties (RR08). In the processing stage, the main risks were related to the length of the analysis time (RR11) and the inaccuracy of the partner data (RR09). Meanwhile, in the storage stage, the dominant risks included cyberattacks on devices (RR17) and data decentralization (RR16). Most priority risks originated from technological aspects (43%), followed by external events (29%).
Conclusion: The results of the study show that PT Bank Syariah XYZ faces significant challenges in managing the risks of implementing the PDP Law, particularly in relation to partner data processing. 
Originality/value (State of the art): This study makes an original contribution by integrating the FMEA framework in the context of the implementation of the PDP Law in the Indonesian Islamic banking industry, and provides a basis for strengthening risk management and personal data security in the financial services sector.

Keywords: FMEA, risk management, Personal Data Protection Law (PDP Law), priority risks, financial services

Published

2025-12-31

How to Cite

Dwi Okta Priandi, Jahroh, S., & Hasanah, N. (2025). Identification of Operational Risks in Partner Data Processing at PT Bank Syariah XYZ. Business Review and Case Studies, 6(3), 459. https://doi.org/10.17358/brcs.6.3.459