Announcement of Measures to Strengthen Personal Information Safety Management
Incentives for Proactive Protection Measures and Investment
Clarifying the Responsibilities and Roles of CEOs and CPOs
Going forward, companies that experience repeated personal information leakage incidents will face increased fines. The responsibility of the Chief Executive Officer (CEO) will be further strengthened, and in the medium to long term, the introduction of a punitive fine system is also under consideration. However, companies that have proactively implemented and invested in personal information protection measures will be offered incentives such as reduced fines.
On September 11, the Personal Information Protection Commission announced that it will implement the “Measures to Strengthen the Personal Information Safety Management System,” which includes these policies, to prevent a series of large-scale personal information leakage incidents.
This plan, targeting public institutions and private businesses that process the personal information of more than 1 million people, incorporates both “carrots and sticks.” Incentives are included to encourage proactive efforts in personal information protection, while strict penalties are imposed to prevent repeated or serious leakage incidents.
Reviewing Punitive Fines... Strengthening CEO Responsibility
Companies that experience repeated personal information leakage incidents, such as being hacked multiple times in the same manner, will face increased fines. In the medium to long term, the commission is considering imposing punitive fines in cases where violations of protection measures result in significant damage or misuse of personal information.
The roles of the CEO and Chief Privacy Officer (CPO) will also be strengthened. It will be explicitly stated that the CEO is ultimately responsible for personal information risk management and internal controls. The CPO will be required to report the personal information protection plan to the board of directors at least once a year and to review the implementation results.
In addition, if a personal information leakage is expected to cause significant harm, the notification of the leakage will be expanded to include not only those whose information has already been leaked but also all individuals whose information may have been leaked, in order to prevent further damage. The commission will actively support the detection of whether leaked personal information is being illegally distributed on the dark web and cooperate with relevant agencies to prevent secondary damage.
The Personal Information Protection Commission is considering using fines as a fund to provide relief to actual victims of leakage incidents. Last year, the total amount of fines imposed reached 61.1 billion won.
Incentives and Reduced Fines for Proactive Protection and Investment
Plans are also underway to institutionalize proactive protection measures. This includes eliminating security vulnerabilities, detecting abnormal signs in advance, and expanding the application of encryption. Companies that have consistently implemented proactive and active protection measures will be offered incentives such as reduced fines.
In cases where companies and institutions have actively invested in personal information protection through personnel and budget allocations, the commission will consider various incentives, such as reduced fines and extra points in public institution evaluations.
For personnel, large-scale processors required to designate a professional CPO must also assign at least one dedicated personal information protection staff member or establish a dedicated team, excluding the CPO. Approximately 700 organizations, including general companies, major hospitals, universities, and public system operators, are expected to be subject to the CPO designation requirement. Currently, the number of dedicated staff is only 0.5 per large company and 0.3 per medium-sized company.
In terms of budget, the commission has proposed incentives for securing and operating a personal information protection budget of at least 10% of the total IT budget by 2028. Until 2028, incentives will be applied differentially depending on whether the personal information protection budget falls in the 7-10% range or reaches at least 10% of the total IT budget.
The Personal Information Protection Commission plans to hold briefings for businesses to clearly establish standards related to protection personnel, budgets, and incentives. Afterward, a bill reflecting these measures will be prepared within this year and submitted to the National Assembly in the first half of next year. Matters requiring medium- to long-term review will be addressed by gathering stakeholder opinions and preparing amendments by next year. Follow-up measures, such as securing the necessary budget, will also be pursued.
Koh Haksoo, Chairperson of the Personal Information Protection Commission, said, “I hope that businesses processing large-scale personal information will recognize investment in personal information protection not as an ‘unnecessary expense’ but as a fundamental responsibility to gain customer trust and as a ‘strategic investment.’ Through this, I hope public trust in personal information protection will spread.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.