[2026-03-10] South Korea Enacts Stricter Penalties for Major Personal Data Breaches

In response to a series of large-scale personal data breaches and rising public concern, the South Korean government has swiftly amended the Personal Information Protection Act. The changes aim to reinforce the accountability of companies and institutions handling personal information. By introducing stricter penalties and preventive measures, the government seeks to deter future incidents and encourage proactive investment in data protection. The amendments were announced by the Personal Information Protection Commission and are designed to ensure robust management systems and transparency.

The revised law targets organizations and their leadership, specifically CEOs and Chief Privacy Officers (CPOs), who are now held to higher standards of responsibility. Companies found to have repeatedly or severely breached personal data may face punitive fines of up to 10% of their total revenue, a significant increase from the previous maximum of 3%. The law also rewards preventive investment: fine reductions become mandatory for organizations that have invested in data-protection resources, except where the violation was intentional or resulted from gross negligence. Additionally, the scope of incidents requiring notification and reporting has been expanded beyond loss, theft, and leaks to include forgery, alteration, and damage of personal data.

Implementation of the new regulations begins on September 11, 2024. However, mandatory ISMS-P certification for major public and private entities will be enforced from July 1, 2025, allowing time for budget and resource allocation. The Personal Information Protection Commission will quickly establish delegated regulations and update enforcement ordinances to ensure smooth adoption. The Commission also plans to enhance communication with industry and public institutions to facilitate stable operation of the improved system.

Frequently asked questions:

What triggers the punitive fines? Fines of up to 10% of revenue apply to repeated or major breaches, such as incidents affecting more than 10 million individuals or violations resulting from intent or gross negligence.

Who must obtain ISMS-P certification? Major companies and institutions in both the public and private sectors will be required to obtain ISMS-P certification from July 2025.

What are the new notification requirements? Organizations must promptly notify affected individuals not only when a breach is confirmed, but also when there is a possibility of a breach, including cases of forgery, alteration, or damage.


🎯 metaqsol opinion:
The amendments to South Korea’s Personal Information Protection Act demonstrate a proactive approach to tackling large-scale data breaches. By raising punitive fines and expanding the scope of incidents requiring notification, the government aims to create a strong deterrent effect. The mandatory ISMS-P certification will help ensure that major organizations have robust systems in place. Strengthening CEO and CPO accountability is likely to foster a culture of responsibility and transparency. Overall, these changes are grounded in recent incidents and are designed to protect both individuals and the broader public interest.