How should companies protect personal information?

In this blog post, we will look at the technical and administrative measures companies need to take to comply with personal information protection laws and the importance of doing so.


With the rapid advancement of information technology, new forms of personal information infringement have skyrocketed. In response, a number of special laws were enacted, but because each of these laws addressed specific cases of infringement, overlaps and loopholes between them became inevitable. Ultimately, the need for comprehensive legislation to protect personal information arose in South Korea, and the Personal Information Protection Act was enacted in 2011.
Even after the enactment of the Personal Information Protection Act, the development of information technology did not stop. In particular, the development of artificial intelligence and big data technology has provided opportunities to analyze and utilize personal information in a more sophisticated manner, but at the same time, it has increased the risk of personal information infringement. Personal information collected through artificial intelligence is often combined with various databases to identify individuals’ lifestyle patterns, preferences, and even psychological states. As a result, the protection of personal information has become even more important, and the need for legal regulation has been further emphasized.
For the law to protect personal information properly, it is first necessary to understand exactly how the law defines personal information. It is often thought that personal information is “information that can identify an individual,” and that information which cannot accurately identify an individual is therefore not personal information, but this is incorrect. For example, if there are two employees named Kim Young-soo and Park Young-soo in Team 1 of the Human Resources Department, the information “Team 1, Human Resources Department, Young-soo” cannot be used to determine which employee is being referred to, so it might seem to be non-personal information. However, according to the Personal Information Protection Act, information that by itself makes it difficult to identify a specific individual is also considered personal information.
The Personal Information Protection Act defines personal information as “information about living individuals that can be used to identify them, such as their names, resident registration numbers, and images,” adding that “this includes information that cannot identify a specific individual on its own but can be easily combined with other information to identify them.” In other words, not only information that identifies a specific individual, but also information that has the potential to identify one, is considered personal information. Fingerprints, iris patterns, signatures, resident registration numbers, and mobile phone numbers are identifying personal information, while age, occupation, and home address are personal information that has the potential to identify. Therefore, although it is not clear who “Mr. Young-soo from Team 1 of the Human Resources Department” refers to, this information must be considered personal information.
As such, the Personal Information Protection Act legally protects not only identifying information but also information that has the potential to identify. This is because potentially identifying information can become identifying at any time when combined with other information. In modern society, on the premise that an individual can suffer tremendous damage from the leakage or misuse of personal information, the law protects even information that does not currently identify anyone but has the potential to do so.
The act of leaking personal information is naturally subject to legal sanctions. In addition, the Personal Information Protection Act stipulates that personal information processors must take necessary measures to ensure the security of personal information. Accordingly, if a person in charge of information processing obtains another person’s personal information and stores it on a computer without any encryption, they will be subject to a fine. This is because, even if the personal information has not actually been leaked, there is a possibility that it could be leaked. These legal regulations related to personal information protection reflect the social awareness of the importance of personal information.
Therefore, in addition to complying with personal information protection laws, companies and organizations must strengthen technical measures and internal training for information protection. This goes beyond simply fulfilling legal obligations and is essential for securing and maintaining the trust of customers and users. Customer trust is directly linked to a company’s reputation, which plays an important role in enhancing its competitiveness in the long term. With the advancement of technology, the need for personal information protection continues to grow, and ongoing attention and efforts are required.

