Most recent

Global Data Protection Laws: South Korea

By Eitan Bremler
Data ProtectionOver the last few months, we’ve talked extensively about the GDPR – but the GDPR isn’t the only data protection regime on the planet. We’ve just covered the Philippines, and now we’re going to move on to South Korea.


South Korea is a country at war. The Korean War of the 1950s was never halted by armistice, only paused via truce. Kinetic hostilities could technically break out at any minute, but cyber-hostilities have already been going on for at least ten years. Under the constant threat of cyberattacks from North Korean and Chinese hackers, the South Korean government has developed a robust set of data protection laws aimed at keeping its citizens safe. Here’s what you need to know.

Protecting a country at war

South Korea’s flagship data privacy law is known as the Personal Information Protection Act (PIPA). The law was originally passed in 2011 and amended in 2014 after a massive credit card breach. This breach involved the loss of over 100 million records, and once it was found that it was due to inadequate regulations and lax security procedures, the PIPA was reformed to become one of the strictest data privacy regimes in the Asia-Pacific region.

As with the Philippines, the South Korean government can imprison those found guilty of negligence. In addition, its membership is in a cross-border enforcement collective known as APEC, which means that PIPA rules can be enforced in the US, Japan, Canada, and Mexico.

What does PIPA involve?

Under PIPA, any information that can be used to describe a living person becomes personal data – including cookies and IP addresses. Users must always be provided with a way to opt out of these and other forms of data collection. In addition, data processors must obtain explicit consent before sharing collected information with a third party – and they must inform customers as to how any third party may use their data.

Once stored, the PIPA requires that data processors encrypt all data at rest or in motion and take both physical and digital measures to prevent personal information from loss or theft. Every company must appoint an internal privacy officer in order to enforce these rules and protections – they’ll also be the ones subject to investigation if a breach occurs.

While prison is a possibility for negligent institutions, the fines are also nothing to sneeze at. The 2016 PIPA update enables the government to fine violators an amount up to three times the financial damage undergone by their customers. They also forfeit any money that’s been made through PIPA violations and give up 3% of any revenue related to any unauthorized overseas data transfers. Additionally, the 2016 PIPA update now allows CEOs of infringing companies to be referred for prosecution.

Profiting under PIPA

While these laws certainly seem harsh, there is a softer side. South Korea needs companies to work together with the government to keep its citizenry safe. As such, there’s a distinct benefit for companies who are willing to comply with PIPA directives. There are now tax incentives for companies who are willing to implement internal control plans and upgrade their security measures, letting them defray the cost of upgrading their security posture to comply with PIPA.

Safe-T makes it easy and fast to upgrade your information security defenses. Our Software-Defined Access technology makes it possible to literally hide your company’s presence from the web. Apart from your website itself, your data center, SaaS applications, and file transfers can all be made invisible to hackers’ reconnaissance, drastically diminishing your attack surface. In a threat environment that regularly includes hostile state actors, Safe-T offers the best ways to stay compliant. For more information, contact Safe-T today!

GDPR Guidelines

All posts

Get Email Updates

Sign up for our monthly newsletter and latest blog posts....keep up to date on the latest security data news!