South Korean Companies Aiming for EU Privacy Compliance

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Elaine Ramirez

South Korean companies that do business in the European Union, including Samsung Electronics Co. and LG Electronics Inc., must prepare for the bloc’s new privacy regime to avoid becoming international noncompliance targets, privacy professionals told Bloomberg BNA.

There are mixed perceptions about South Korean companies’ level of preparedness for the EU General Data Protection Regulation (GDPR)—even though the country has one of the strictest privacy framework laws in the world. Companies should monitor official guidance on the GDPR to identify differences between it and South Korea’s Personal Information Protection Act (PIPA), the privacy pros said.

The GDPR is the first significant overhaul of European data protection laws in a generation. It dramatically raises potential fines for any single infraction to as much as 20 million euros ($22.4 million) or up to 4 percent of a company’s worldwide revenue, whichever is higher. Those fines will be immediately available to EU privacy regulators as a sanction when the GDPR takes effect May 25, 2018.

Sang Woo Kim, a partner at Ernst & Young Hanyoung Corp., who specializes in cybersecurity risk, told Bloomberg BNA that most South Korean companies doing business in Europe will be able to meet the compliance deadline. A joint task force of over 30 data protection professionals from the public, private, and academic sectors has been preparing Korea for adequate compliance while bringing the country’s existing regulations in line with the GDPR, he said.

Park Jong-hyun, chief of the Personal Information Protection Cooperation Division in South Korea’s Ministry of Interior, said the government is taking a wait-and-see approach before exploring enforcement policies to help prepare companies for the GDPR.

“Rather than unconditionally following the GDPR, we will take our time to adjust what’s right for us. It’s unnecessary to amend all the rules we already have,” Park said.

Unwittingly Prepared?

South Korea is among the least prepared countries to adopt the GDPR standards, according to a recent survey report commissioned by Veritas Technologies LLC. More than half of businesses in South Korea said they felt unprepared for the GDPR, the report said.

But many of those companies may actually be better prepared than they think because Korea’s PIPA closely aligns with the GDPR, the privacy pros said.

“Korea is rated highly for having a globally advanced personal data protection law,” Kang Hye-kyung, a researcher at the state-run Korea Internet and Security Agency (KISA), told Bloomberg BNA. She cited the country’s personal data leak reporting system, privacy impact assessment, and certification system. “I assume we are in an advantageous position compared to other countries in preparing for the GDPR,” she said.

Ted Taeeon Koo, managing partner at Tek & Law LLP in Seoul, told Bloomberg BNA that South Korean companies are accustomed to strong privacy laws, “so they are most likely to be well prepared for the GDPR.”

Internet of Things

Oh Byoung-il, a researcher at the independent Institute for Digital Rights, told Bloomberg BNA that internet and information technology companies that handle European citizens’ data, especially those relying on big data analysis, should be the most concerned about the GDPR.

Tech companies that sell consumer electronics, including smart TVs, refrigerators, washing machines, and internet-connected devices that process and transfer personally identifiable information, may also be affected, the privacy pros said.

Koo said he advises South Korean companies looking to prepare for the GDPR to expand the authority of their data protection officers and monitor guidance from EU privacy regulators.

LG spokesman Ken Hong told Bloomberg BNA that the company is carefully monitoring GDPR guidance “as we work toward compliance.”

Samsung spokeswoman Kelly Yeo told Bloomberg BNA that the company is teaming with its local offices in Europe to keep a close eye on the guidelines.

For More Information

The South Korean government's latest guidelines for GDPR preparation are available, in Korean, at http://bit.ly/2sjLiKQ.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security