Starting in the second half of this year, the government will divide personal data processing sectors into high-, medium-, and low-risk groups based on the level of risk of personal data infringement and begin managing them accordingly. It will strengthen pre-inspections focused on high-risk sectors such as platforms, financial institutions, and public institutions, and will begin in earnest a shift to a prevention-centered management system that reflects personal data protection from the service planning stage.
The Personal Information Protection Commission on the 22nd announced a "plan to shift to a prevention-centered personal data management system" at the economic ministers' meeting. As a follow-up to the plan reported to the Cabinet on the 12th, it was prepared to promote a shift to a prevention-centered protection system that identifies and manages the risks of personal data infringement and leakage in advance.
The Personal Information Protection Commission will classify personal data processing sectors into high-, medium-, and low-risk groups, considering the scale and sensitivity of personal data processing and the characteristics of each industry, and will conduct differential inspections and management. For the high-risk group, it plans to disclose inspection areas in advance and examine the operation of internal controls through regular and ad hoc inspections. This year, it will carry out fact-finding inspections focusing on sectors that handle large-scale personal data or sensitive data, such as platforms, financial institutions, public institutions, Edtech, and long-term care hospitals.
For sectors outside the high-risk group, it will encourage the conduct of personal data impact assessments and compliance with the privacy by design (PbD) principle. However, if necessary, ministries and the Personal Information Protection Commission will conduct joint inspections.
Also, with the introduction of the chief privacy officer (CPO) designation and reporting system in September, it will operate a public-private early warning system and hotline to share the latest threat information in cooperation with associations and groups. It also plans to step up preemptive inspections in new technology sectors such as Internet of Things (IoT) devices and agent AI.
The Personal Information Protection Commission will also institutionalize the PbD principle, which reflects personal data protection as the default from the service planning, design, and development stages. It has operated a PbD certification system for certain products such as IP cameras and robot vacuum cleaners, but there has been a limitation in that the scope of application was restricted to specific product groups.
To spread the PbD principle, it plans to prepare and distribute guides and best practices that can be referenced at the planning and design stages. It will also reflect the PbD principle in existing evaluation and certification standards, including ISMS-P certification.
At the same time, it will strengthen management across the supply chain, including software as a service (SaaS), cloud, and specialized contractors. It also plans to promote research and development of privacy-enhancing technologies (PET) to prevent personal data leakage and misuse, as well as the training of professionals.
Song Gyeong-hui, Chairperson of the Personal Information Protection Commission, said, "In cooperation with relevant ministries, we will continuously inspect the status of personal data processing and vulnerabilities in key sectors and establish a prevention-centered management system proportionate to the risk."