South Korea: PIPC provides guide for expanded personal information safety measures
On June 20, 2024, the Personal Information Protection Commission (PIPC) announced that relevant business operators and public institutions must implement measures to ensure the safety of personal information. The PIPC mentioned that in September 2023, the Enforcement Decree of the Personal Information Protection Act (PIPA Enforcement Decree) and the Standards for Ensuring the Safety of Personal Information notice were revised. As a result, safety measure standards that previously applied differently to online and offline businesses now apply to all personal information processors. A preparation period for business operators to implement the safety measure standards was also considered.
The PIPC stated that as safety measure standards are expanded to apply to all personal information processors, specific items that business operators and public institutions should ensure are implemented include:
- restricting access to the personal information processing systems when authentication fails after a certain number of attempts;
- inspecting records at least once a month;
- establishing and implementing encryption key management procedures;
- preparing crisis response manuals;
- preparing safety measures including personal information processing system backup and recovery plans;
- implementing safe encryption measures when transmitting personal information; and
- safely managing printed materials containing personal information, copied external storage media, etc.
The PIPC also highlighted that the obligation to prepare backup and recovery plans applies to large personal data processors. The PIPC further stated that large personal data processors are large corporations, mid-sized companies, and public institutions that process the information of more than 100,000 people. The definition also applies to small or medium-sized enterprises that process the personal information of more than one million people. Additionally, the PIPC has placed obligations on public systems and operating institutions to strengthen safety, including strict access rights management, the introduction of abnormal behavior detection, and functions to block illegal access.
Finally, the PIPC stated that it will also inspect the implementation status of the safety measures at major public institutions and continue to provide information.
You can read the press release, only available in Korean, here.