The European Union’s General Data Protection Regulation 2016/679, popularly known as GDPR, was adopted in 2016 and took effect May 25, 2018. GDPR differs in many ways from Korean statutes such as the Personal Information Protection Act and tends to be vague about the tasks required of those who handle personal data (called “data processors”).
GDPR also contains stronger penalties for noncompliance, which can include fines of as much as 20 million euros ($23 million) or 4 percent of annual worldwide revenue, whichever is higher. Considering these severe consequences, Korean companies need to prepare appropriately. Below is a brief GDPR compliance checklist outlining the main points you need to know.
Photo: Lee Keun-woo (left) and Kim Yoon-sun
Companies must then determine whether their role falls under the category of “controller” (Article 24) or “processor” (Article 28) of data. If the company can determine the method and purpose of personal data processing, it may be deemed a controller.
Also, companies need to have a firm understanding of the legal bases and principles of personal data processing. As GDPR interprets “consent” narrowly, companies should establish separate legal bases for data processing, such as the performance of a contract.
Most of all, companies should guarantee the rights of all “personal data subjects,” or people who may be identified by a particular set of data.
For example, various types of information should be promptly provided to all data subjects (Articles 13 and 14). Companies are obligated to implement appropriate measures to protect personal data right from the stage when they design their services (Article 25); to take appropriate measures to ensure that only those personal data that are necessary for each specific purpose of the processing are processed; to faithfully maintain records on their personal data-processing activities (Article 30); and to take proper measures to ensure the security of personal data processing (Article 32).
For the security of personal data, companies are advised to refer to the technical and managerial security measures under Korean statutes as well as ISO 27002 and 29151. The data protection officer designation requirement in GDPR also requires attention.
Meanwhile, since many Korean companies need to transfer the personal data of EU data subjects to Korea, they need to find viable methods for making such “overseas transfers.”
In our view, the most effective method is to transfer data on the basis of an adequacy decision (Article 45). Unfortunately, the EU Commission has not yet adopted an adequacy decision for Korea and talks are still ongoing, in contrast with the situation in Japan.
Transfers may also be made subject to appropriate safeguards (Article 46), in which case companies would rely on standard data-protection clauses approved by the EU Commission or on binding corporate rules approved by supervisory authorities (Article 47), among other mechanisms.
For companies not subject to GDPR, views diverge on whether to comply right away or watch to see how GDPR is implemented while maintaining the status quo.
However, considering the global trend toward stronger personal-data protection and control in the age of the “fourth industrial revolution,” GDPR compliance may soon become an unavoidable necessity.
It would thus be advisable for Korean companies to understand personal data-processing methods and determine their level of compliance with Korean statutes and GDPR, paying particular attention to requirements within GDPR not found in Korean statutes.
Lee Keun-woo is an attorney and partner at the law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.
Kim Yoon-sun is a US-licensed attorney (foreign attorney) at the law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.