South Korea’s Personal Information Protection Act: Incident Response Guidelines
How to prepare your organization for compliance with one of the strictest global privacy laws
South Korea’s Personal Information Protection Act (PIPA) has been in force since 2011, but a slate of amendments passed in 2020 made it one of the world’s strictest privacy laws.
The amended PIPA grants South Korean data subjects rights over their personal information, imposes obligations on personal information controllers, and backs those obligations with a range of penalties for non-compliance, including administrative fines, criminal fines, and imprisonment.
Here’s what every company needs to know to comply with PIPA.
Who Must Comply with PIPA
Any “personal information controller” operating in South Korea must comply with PIPA.
What is a personal information controller? | Any business, individual, or other body that processes personal information about South Korean citizens, where processing covers collecting, generating, recording, storing, retaining, searching, outputting, rectifying, restoring, using, provisioning, disclosing, or destroying that information. |
What is personal information? | Data that: |
What is sensitive personal information? | Information for which controllers must obtain separate consent from individuals before collecting and processing it, which includes: |
Consent is the default legal basis for collecting and using personal information. PIPA allows a controller to collect and use personal information without consent only in the following cases:
- Special provisions exist in another South Korean law, or the collection is unavoidable in order to comply with a legal obligation.
- A public institution (i.e. a government body) needs the information to carry out its statutory duties.
- The information is necessary to conclude or perform a contract with the data subject.
- The information is clearly necessary to protect the life, body, or property interests of the data subject (or a third party) and consent cannot be obtained in time.
- Collecting or using the information is necessary to realize the controller’s legitimate interests, and those interests clearly override the data subject’s rights (this applies only in limited cases and must stay within a reasonable scope).
- The information is needed to settle fees for online services provided (this applies only to Online Service Providers).
Note on Territorial Scope: PIPA does not spell out how it applies to personal information controllers that are not physically located in South Korea. In practice, this has been decided case by case using factors such as whether the controller generates revenue from doing business in South Korea or targets South Korean citizens with its products or services. Foreign organizations handling data on South Korean residents should assume PIPA may apply to them.
How South Korea Enforces PIPA
The Personal Information Protection Commission (PIPC) is responsible for enforcing PIPA. PIPC responsibilities include:
- Interpreting PIPA.
- Shaping data protection policies.
- Assessing potential amendments to PIPA.
- Investigating instances of non-compliance.
- Issuing corrective orders, penalties, and other administrative sanctions.
- Recommending improvements to controllers not in full compliance with PIPA.
Penalties for non-compliance vary with the violation, but can include:
- Administrative fines up to KRW 30 million for failing to follow a corrective order or failing to notify data subjects about a breach.
- Criminal fines up to KRW 50 million or imprisonment up to five years for providing personal information to a third party without consent (this can apply both to the party that transferred the data and to the recipient, if the recipient knew there was no consent).
- Administrative fines up to KRW 10 million for failing to appoint a chief privacy officer.
- Punitive damages up to three times the actual damages suffered if a breach results from an organization’s intent or gross negligence.
The 2020 amendments also moved the personal information provisions of South Korea’s Network Act (which governed personal information on information and communications services) into PIPA as special provisions for Online Service Providers. Under these provisions, a violation can carry a penalty surcharge of up to 3% of the sales related to the violation, or up to KRW 400 million if the relevant sales are too difficult to calculate.
What Proactive Data Protection Measures PIPA Requires
PIPA requires personal information controllers to take proactive measures against the loss, theft, leakage, alteration, or destruction of personal information, including:
- Establishing and implementing an internal management plan for handling personal information safely.
- Applying technical safeguards (e.g. encryption) to protect personal information in storage and in transit.
- Installing access controls and monitoring to prevent unauthorized access to personal information.
- Appointing a chief privacy officer (CPO) who is an employee or executive of the organization.
It’s important to understand the scope of the CPO role, as CPOs can be held personally and criminally liable in certain instances of non-compliance (in the first such case, the court fined the CPO and the company KRW 10 million each but declined to sentence the CPO to prison). PIPA also assigns CPOs specific responsibilities, including:
- Introducing a policy to protect, manage, and monitor personal information.
- Regularly reviewing how personal information gets processed and recommending improvements.
- Fielding complaints and requests from individuals.
- Establishing controls to prevent the loss or abuse of personal information and training employees on protection measures.
- Destroying personal information after the purpose for processing it is complete or the retention period has expired.
Incident Response Measures Required Under PIPA
Any personal information controller that experiences a data breach must follow specific incident response measures under PIPA.
What is a data breach? | Any instance of loss, theft, alteration, or destruction of personal information. |
What do controllers need to do following a data breach? | Take countermeasures to limit the harm to data subjects and notify the affected data subjects without delay; for Online Service Providers the deadline is 24 hours from discovering the breach. |
What should controllers include in the notification to data subjects? | |
Are there any special circumstances that require additional notification? | If the number of affected data subjects is 1,000 or more, the personal information controller must also: Online Service Providers must also take additional steps under the special provisions PIPA inherited from the Network Act, regardless of the number of people affected. They must: |
What Can Trigger Incident Response Under PIPA
Common examples of data breaches that can trigger a notification under PIPA include:
Watering Hole Attack
An attack that targets the habits of a specific group of users rather than the organization’s own perimeter. Attackers identify third-party websites their intended victims visit regularly, compromise those sites, and use them to deliver malware (often through browser or plugin exploits) to visitors, gaining a foothold on the victims’ computers and, from there, the corporate network and the personal information it holds.
Improperly Processed or Sold Data
Any company that processes or sells personal information without the data subject’s consent, or after the data subject has withdrawn consent, violates PIPA and may trigger a notification obligation.
Mistakenly Exposed Data
Sending personal information to the wrong recipient or otherwise exposing it improperly (e.g. transmitting data that should be encrypted over an unencrypted channel) can qualify as a data breach under PIPA, even when it happens by accident.
How Should Organizations Prepare for PIPA?
South Korea’s 2020 amendments to PIPA put the burden on organizations to proactively protect the personal information they handle. Achieving this proactive posture requires all personal information controllers to establish visibility into data practices, assign responsibility for security protocols, and develop an actionable incident response plan. Specifically, organizations should prepare for three phases of incident response:
Readiness
- What: Have an actionable incident response plan ready when a data breach occurs.
- Why: Privacy incidents are now inevitable, even with strict security measures in place.
- How: Determine what relevant data privacy laws, like South Korea’s PIPA, and any customer or partner contracts require in terms of incident response, then develop plans to meet those needs.
Response
- What: Put incident response plans into motion immediately after discovering a breach.
- Why: PIPA requires notification without delay, and Online Service Providers have only 24 hours from discovering a breach. A quick and complete response can also help avoid or reduce penalties, lessen the risk to consumers, and maintain public trust.
- How: Investigate the incident, notify individuals and any agencies as required by laws like PIPA, remediate any damage if possible, and tighten security to avoid recurrences.
Ongoing Management
- What: Regularly revisit and update incident response plans.
- Why: Global privacy regulations now change often, and so does the threat landscape.
- How: Maintain a single source of truth for all monitoring, reporting, and incident response plans, and keep stakeholders aligned on those plans and their responsibilities by giving everyone involved access to it.
Why It’s Time to Prioritize Proactive Incident Response
Security threats continue to evolve. Every company must prioritize proactive incident response to reduce penalties under laws like South Korea’s PIPA, maintain trust with consumers, and return to business as usual faster after a breach.
Getting proactive means keeping tabs on new and evolving regulations, updating incident response plans as they change, assigning responsibility for each step along the way, and maintaining an incident response program that adapts with them.
Minimize your regulatory and contractual risk surface with the BreachRx platform
Stop using spreadsheets and documents to keep track of the legal tasks you need to accomplish during an incident response.