BY Brett Gribble | 11 February 2022
The main privacy law in South Korea is the Personal Information Protection Act (PIPA), enacted on September 30, 2011. It applies to most organizations within South Korea, including government entities, that collect and process personal information of South Korean citizens. The act is known as one of the strictest data compliance laws in the world.
In addition to South Korea’s PIPA, there are also sector-specific laws, which we outline below:
PIPA applies to any data handler — defined by South Korea as an individual, organization or third party that handles personal data in the course of business activity. Unlike the GDPR, PIPA does not demand explicit consent. Some types of personal information require consent and others do not.
PIPA’s territorial scope is not defined. However, like the GDPR, it typically affects any foreign country that targets South Korean users and it almost always applies to businesses operating out of South Korea.
The government takes a no-nonsense approach when it comes to PIPA. Penalties for breaching the act include high fines and possibly even imprisonment. To avoid these consequences, organizations must abide by the following obligations throughout the data lifecycle:
PIPA also centers on data subjects, so much so that if a breach occurs, the act requires companies to notify data subjects ahead of authorities, which is the opposite of the GDPR.
South Korea’s National Assembly passed three major amendments to PIPA in 2020.
First, the Assembly introduced the concept of “pseudonymised data.” This amendment clarifies the distinction between personal data and pseudonymized data. For the purposes of research, statistics and public records, pseudonymized data can typically be processed without obtaining consent.
The National Assembly also amended PIPA so entities can reasonably use personal data without consent. This is permitted if data is being used “within a scope that is reasonably related to the original purpose of collection.”
The third amendment allows data to be merged under special conditions. Data sets from two different processors may be amalgamated if the merging is performed by specialized agencies that commit to meeting PIPA requirements.
Attempting to meet PIPA data compliance alone is risky business. Your business could be subject to fines of thousands of dollars and upward if you do not effectively meet all requirements of this act. Partnering with Ground Labs can reinforce your organization’s data privacy and compliance plan by showing you where all business data resides. Our data discovery platforms, like Enterprise Recon, have the ability to scan all of your organization’s surfaces and locate and categorize over 300 data types.
Make a commitment to meet PIPA requirements today and schedule a meeting with a data compliance expert.