Personal information protection is not an ‘expense’ but an ‘investment’.
Article posted in 2025-04-16 14:58:53 | VEAT
According to the 「Personal Information Protection and Utilization Survey Results」 announced by the Personal Information Protection Commission in 2024, 39.5% of public institutions and 7.4% of private companies reported difficulties in personal information protection.
However, these figures alone do not fully explain the difficulties that companies actually face. The majority of survey respondents were small organizations possessing ‘less than 1,000 personal information’ and an even 42.6% of private companies with 300 or more employees reported difficulties. Notably, the actual status of personal information safety assurance measures for these large-scale companies was only 9.2%, indicating that overall response capabilities are weak.
As the statistics show, many companies are experiencing difficulties in personal information protection, and the number of cases of fines is also increasing.
For example, recently, a domestic A easy payment service company was found to have illegally transmitted approximately 500 billion pieces of personal information to its overseas affiliate. This information included telephone numbers, email addresses, as well as sensitive consumption pattern information, and even though the proportion of actual payment service users was small, all user information was transferred abroad.
A more serious problem was that the consent procedure for users was omitted in this process. This violated the 「Personal Information Protection Act」, which stipulates that consent from the individual must be obtained when providing third parties or transferring information overseas, and the company received substantial legal sanctions, including fines exceeding 1.5 billion KRW.
Therefore, personal information protection goes beyond simple technical measures and requires the entire organization's legal response capabilities and a continuous management system. One-off checks or external outsourcing have limitations, and it is crucial to enhance the understanding of internal members and establish systematic prevention & response systems.
Risk comes not from accidents, but from lack of preparation
Article 64-2 (2) (9) of the 「Personal Information Protection Act」 stipulates that a personal information processor may be fined if it fails to take appropriate safety measures, resulting in the loss, theft, or leakage of personal information.
In other words, the availability of prior measures, rather than the occurrence of an accident, is the criterion for determining legal responsibility. A lack of understanding of relevant laws was cited as the most common reason (77.2% for public institutions, 69.3% for private companies), along with other reasons such as ‘complexity of procedures’ and ‘lack of dedicated personnel.’ Public institutions were relatively more likely to complain about ‘lack of professional expertise in personnel,’ while private companies had difficulty ‘operating education programs.’ This is increasing the demand for specialized consultants who can provide guidance on how to apply laws and regulations in practice.
However, many companies still center their response systems around post-incident actions. They report breaches late or provide inadequate notification to the information subject, which can increase the severity of the sanctions.
Therefore, it is important to identify legal risks in advance, establish preventative measures, and simultaneously prepare practical-centered education and management manuals tailored to the workflow to ensure that they are put into practice within the organization.
The Expertise and Practical Experience of Law firm Veat
Law firm Veat provides specialized personal information protection legal advice and education programs to ensure that companies accurately understand and practice their obligations under the Personal Information Protection Act. In particular, based on practical experience accumulated in various environments, including the Personal Information Protection Commission, public institutions, and private companies, we provide comprehensive legal support from preventative measures to incident response.
Partner Attorney Jo Eun-byeol is active in various public advisory bodies such as the Information Disclosure Deliberation Committee, Active Administration Committee, and Personal Information Dispute Mediation Committee, and can provide in-depth advice on personal information-related legal interpretation, policy consultation, and regulatory response.
Partner Attorney Baek Seung-cheol is a former legal advisor to the Personal Information Protection Commission, as well as a member of various personal information-related deliberation and advisory committees. He is a certified IT lawyer by the Korea Bar Association and provides optimized legal advice by comprehensively considering IT and personal information protection issues. He also actively conducts practical training for public institutions and educational institutions based on his qualifications as a PIPL certification examiner and ISMS-P personal information protection management system certification examiner.
Law firm Veat aims to establish effective response systems tailored to companies' realities and work environments, going beyond simple advice.
If you need advice on preliminary checks and preventative systems, please feel free to contact [Law firm Veat Personal Information Center].
Thank you.
Law firm Veat