Companies to be fined up to 10% of total revenue after data leaks under revised protection law
Published: 09 Mar. 2026, 19:36
A man walks by a parked Coupang truck. [YONHAP]
Companies that fail to prevent data leaks will be fined up to 10 percent of total revenue, up from the original 3 percent, starting on Sept. 11.
The penalty will be applied when companies repeatedly fail to protect private data, either intentionally or through negligence, over the course of three years; cause damage that affects more than 10 million people; or experience a data leak after failing to comply with previous corrective orders.
The revised Personal Information Protection Act was promulgated on Monday, according to the Personal Information Protection Commission (PIPC).
The revision was passed by the National Policy Committee in December 2025 and approved during the National Assembly plenary session last month and the cabinet meeting earlier this month.
The measure aims to intensify penalties while recognizing companies that maintain strong protection systems. As a result, the revision will provide incentives for companies and institutions to invest in equipment, personnel and systems that strengthen personal data protection. For example, if violations are found not to be the product of intent or gross negligence, companies' preventive investments will be taken into consideration to reduce fines.
The rules regarding the method of notifying customers of data leaks will also change. Previously, companies only had to notify users if their personal information was confirmed to have been leaked.
Lee Jung-ryul, the vice chair of the Personal Information Protection Commission, center, speaks during a press briefing with reporters at the Government Complex Seoul in Jongno District, central Seoul, on Feb. 25. [NEWS1]
After Sept. 11, companies will have to notify customers of even the possibility of a personal information leak, allowing them to respond early by changing their passwords or reviewing their financial transactions.
The revision also expands the scope of incidents requiring notification and reporting to include incidents involving the falsification and alteration of personal information and damages caused by ransomware. Until now, the law mainly covered cases involving the loss, theft or leakage of data.
When notifying individuals of personal data leaks, companies must also provide information on follow-up options, such as how to file for compensation or request dispute mediation.
Additionally, responsibilities related to managing and maintaining personal data, previously limited to the chief privacy officer (CPO), will now extend to the CEO.
Pedestrians walk past a SK Telecom store in Seoul on Aug. 27, 2025. [YONHAP]
Meanwhile, the CPO will oversee the management of professional personnel, allocate the budget for data protection and report related matters to the organization representative and the board of directors.
Organizations of a certain size will have to obtain approval from their board of directors when appointing, changing or dismissing a CPO and report the move to the PIPC.
Companies will also be required to earn the Personal Information and Information Security Management System (ISMS-P) certification starting on July 1, 2027. Previously, only major companies and institutions with significant public impact voluntarily adopted the ISMS-P.
Park Dae-jun, then-CEO of Coupang, left, answers questions during a National Policy Committee hearing on a Coupang personal data leak at the National Assembly in Yeouido, western Seoul, on Dec. 3, 2025. [NEWS1]
The ISMS-P evaluates whether an organization has properly implemented information security and personal data protection management systems.
“Companies and institutions must be able to assess their own protection levels and establish proper systems,” said a PIPC official. “The specific range of companies subject to the obligation will be determined later during the revision of the enforcement decree.”
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY MOON HEE-CHUL




