What is South Korea’s PIPA Compliance?
One of the strictest data protection regimes in the world, South Korea’s Personal Information Protection Act is supported by sector-specific legislation related to IT and communications networks (the IT Network Act) and the use of credit information (the Use and Protection of Credit Information Act).
Breach Notification: PIPA places many obligations on organizations in both the public and private sectors, including mandatory data breach notification to data subjects and other authorities including the Korean Communications Commission (KCC).
Data Security: PIPA imposes a duty on information managers (i.e. data controllers) to take the "technical, administrative and physical measures necessary for security safety ... to prevent personal information from loss, theft leakage, alteration or damage."
Official Policy Statement: Organizations are required to establish an official statement of those security measures.
Internal Privacy Officer: An internal privacy officer must be appointed (regardless of the size or nature of the organization) to oversee data processing activities. The internal privacy officer will be held accountable, and be subject to any criminal investigations following a breach.
Encryption for PII
Article 24(3) of PIPA places express restrictions on the management of unique identifying information, and requires information managers to take "necessary measures, ... including encryption," in order to prevent loss, theft, leakage, alteration or damage. Similarly, Articles 25(6) and 29 require "necessary measures" to be implemented to ensure that personal information may not be lost, stolen, altered or damaged.
South Korea also has a track record of enforcement of data protection laws. Chapter 9 of PIPA contains severe sanctions for data security breaches including substantial fines and imprisonment – up to 50 million won in fines and imprisonment of up to five years are potential consequences.