This study examines the organizational and technical readiness of a systemically important Indonesian bank (KBMI Group IV) in responding to the enactment of the Personal Data Protection (PDP) Law, which necessitates robust privacy engineering and system architecture adaptation. This maturity assessment is conducted as a single-case study based on empirical data collected from two primary respondents: a Business Branch Manager and a Department Head Application Developer. To comprehensively evaluate the system, this study integrates a multi-model framework. First, the Context, Input, Process and Product (CIPP) model qualitatively measures the organization's governance, resources, workflows and policy impacts. These qualitative findings are then translated into CMMI-based process maturity scores. The observed empirical findings reveal an overall maturity score of 3.69, positioning the organization at Level 3 (Defined) as an institutional baseline rather than a sector-wide indicator. The observed findings also expose a regulatory conflict between the PDP Law's 'Right to be Forgotten' and mandatory financial data retention regulations. To address these observed gaps, the study proposes two framework outputs: a comprehensive mapping matrix that aligns regulatory requirements with ISO 27001 and ISO 27701 standards and a conceptual PDCA-based system architecture utilizing data masking and pseudonymization. Although the proposed framework is developed within the context of a single institution, it offers a valuable preliminary foundation for evaluating technical privacy compliance in the banking sector, subject to further validation across a broader range of financial institutions.
Copyrights © 2026