Privacy Control for Personally Identifiable Information on the Information System (Case Study:XYZ Organization)

Based on Indonesian regulations, organizations that manage personal data must implement internal policies in protecting and securing personal data. In providing personal data protection can be done by identifying the impact level of information to be mapped to Security and Privacy Control of NIST SP800-53. XYZ Organization is one of the organizations that manage personal data in Indonesia. The result of impact level identification indicates that the confidentiality aspect has a high impact, the integrity aspect has a moderate impact, and the availability aspect has a high impact. So as a whole, the system implemented by the XYZ Organization has a high category. Based on the Security and Privacy Control mapping of the Draft NIST SP800-53 revision 5, 57 controls are related to privacy. Privacy Control results can be made a recommendation in the process of formulating a policy of personal data protection on XYZ Organization. The result of Privacy Control is still baseline. In the future, it can be done in detail for the overall Privacy Control so it is more comprehensive.