Compliance for Indonesian SMEs: PDP, BPJS, and Tax Software
Indonesian compliance basics for SMEs in 2026 — PDP data protection, BPJS reporting, and tax e-invoicing. What you need, what to do.
Indonesian compliance is one of those topics SMEs avoid until they can’t. The penalties are real, the requirements are clearer than they used to be, and the cost of doing it badly compounds over time. Worth understanding the basics even if you outsource the implementation.
This is a practical guide to the three biggest compliance areas Indonesian SMEs need to handle: PDP (data protection), BPJS reporting, and tax e-invoicing.
PDP — Personal Data Protection
The Personal Data Protection Law (UU PDP, in force since 2024) created real obligations for any business handling Indonesian personal data. Most SMEs are technically subject and most aren’t fully compliant.
What you actually need
For an SME storing customer or employee personal data:
- Lawful basis for processing. You need a defensible reason for collecting each piece of data: for example, consent for marketing, legitimate interest for order fulfilment, or a legal requirement for tax records.
- Privacy notice. A document explaining what data you collect and why, accessible to data subjects.
- Data security measures. Reasonable technical safeguards, such as encryption at rest, access controls, and periodic backups.
- Breach notification process. If you have a data breach, you have 72 hours to notify the regulator and affected individuals. Plan this before you need it.
- Data subject rights handling. People can request their data, request deletion, etc. You need a process to handle these requests.
What it costs to get compliant
For a typical SME: Rp 25–80 juta initial work (privacy notice drafting, security assessment, process documentation), then Rp 5–15 juta/year ongoing (audits, updates, occasional legal advice).
Outsourced PDP compliance specialists exist; they’re usually cheaper than DIY when you factor in the time cost of getting it wrong.
BPJS — Social Security Reporting
BPJS Kesehatan (health) and BPJS Ketenagakerjaan (employment) require monthly reporting and contributions for all employees. Most SMEs handle this via their payroll software, but the integration quality varies.
Common pain points
- Manual reconciliation between payroll and BPJS portal. Many SMEs export from payroll, then manually upload to BPJS. Tedious and error-prone.
- New employee registration delays. Joiners who aren’t registered within the first month create back-payment issues.
- Salary changes not flowing through. A salary increase in payroll doesn’t automatically update BPJS contribution rates.
- Termination not promptly reflected. Continuing to pay BPJS for ex-employees costs real money.
What good integration looks like
Modern Indonesian payroll software (Talenta, Gajihub, Mekari) handles most of this directly with BPJS APIs. If yours doesn’t, that’s an upgrade worth making.
For more complex setups (multiple legal entities, joint ventures, varied employment classifications), a small custom integration on top of payroll is usually worth Rp 20–50 juta to build.
Tax E-Invoicing (e-Faktur)
Indonesian VAT (PPN) requires e-invoicing for most B2B transactions. The DJP’s e-Faktur system is mandatory for VAT-registered businesses.
What you need
- Certificate from DJP to issue e-invoices.
- e-Faktur application installed and configured. (DJP provides one; many SMEs use third-party software that interfaces with it.)
- Process for monthly VAT filing. SPT Masa PPN, due each 30th.
- Reconciliation between sales records and e-invoices issued. Mismatches trigger audit attention.
Common pain points
- Manual entry of e-invoices. Many SMEs still type each invoice into the e-Faktur app. Tedious for high-volume sellers.
- Sales records and e-Faktur records out of sync. Missing invoices, duplicate invoices, wrong amounts.
- Last-minute monthly filing scrambles. Doing the work at the end of each month when it could be automated daily.
What good automation looks like
The pattern that works: your sales/invoicing software automatically pushes each B2B sale to e-Faktur via API or a structured upload. Reconciliation runs daily, not monthly. Filing the monthly SPT becomes a 30-minute review rather than a 4-hour scramble.
Cost: Rp 30–80 juta to integrate properly with most existing accounting systems. Pays back fast in saved monthly hours.
What we recommend in practice
Three patterns for Indonesian SMEs:
1. If you’re under 30 employees and B2C
Outsource to an accountant who handles BPJS and tax. Get a basic privacy notice up. The compliance overhead doesn’t yet justify in-house systems.
2. If you’re 30–100 employees or B2B at scale
Invest in proper integration. Modern payroll software for BPJS, e-Faktur API integration with your sales system, written privacy and breach notification processes for PDP. Total upfront: Rp 50–150 juta. Ongoing: Rp 10–25 juta/year.
3. If you’re regulated (financial, health-adjacent, government contracts)
Get a dedicated compliance lead, internal or fractional. The compliance burden grows non-linearly in regulated sectors and the cost of getting it wrong is much higher.
What to avoid
Three patterns that consistently bite:
- DIY compliance with no review. The penalty for getting PDP or tax wrong is much bigger than the cost of having someone competent check the work.
- Treating each compliance area separately. They overlap. Your data security for PDP affects how you handle employee data for BPJS. Plan holistically.
- Putting compliance off “until we’re bigger.” The cost of catching up later is dramatically higher than the cost of getting it right early.
If you’re trying to figure out which compliance gaps to prioritise for your specific business, an hour of conversation usually clarifies it. We do those at no cost.