Skip to menu Skip to content

Korean e-government homepage mark This site is the official e-Government website of the Republic of Korea.


Assessment of Data Breach Incident Factors


  • It is a system that the Personal Information Protection Commission assesses the data breach incident factors when the head of a central administrative agency adopts or changes a policy or a system which entails personal information processing by enacting or amending laws under his/her jurisdiction
  • The Personal Information Protection Commission makes recommendation for improvement to the head of the agency if data incident factors exist in the laws


  • To protect the personal information of citizens by analyzing and assessing data breach incident factors comprehensively and systematically in the stage of drafting laws or systems
  • To remove overlapping or conflicting factors by considering the mutual consistency between the laws related to the personal information

Legal Ground

Article 8-2(Assessment of Data Breach Incident Factors) of the Personal Information Protection Act


Legislative bills(laws, Presidential Decrees, Ordinances of the Prime Minister or Ordinances of the Ministries) to be enacted or amended by central administrative agencies

Assessment Contents

Assessment Contents
01.Necessity of personal information processing
  • - Necessity of processing basic information, personally identifiable information, sensitive information, visual data and other personal informationof personal
  • - Clarity of the purpose of processing
  • - Minimum information to be processed
  • - Appropriate grounds of processing
  • - Out-of-purpose use and provision to a third party
  • - Necessity of cross-border transfer, etc.
02.Appropriateness of guaranteeing rights
  • - Appropriateness of limiting data subjects’ rights to request access, correction and deletion of personal information, and suspension of processing personal information
  • - Procedures for handling personal information divulgence incidents and compensating for the damages
  • - Whether there is a standard of calculating the amount of compensation and the mutual consistency of the standard
  • - Appropriateness of outsourcing the personal information processing
03.Safety of information management
  • - Sufficiency of the measures to ensure the safety
  • - Appropriateness of the retention period of personal information
  • - Necessity of the retention after the retention period expires and the purpose of processing is fulfilled
  • - Transparency and mutual consistency of the provisions on penalty, sentencing and administrative fines

Assessment Procedures

see below Enlarge image
  1. Legislative procedure
  2. Drafting legislative bills and consulting with relevant agencies (10 days)
  3. Pre-announcement of legislation (40 days)
  4. Regulatory Review (10-45 days)
  5. Review by the Ministry of Government Legislation
  6. Promulgation and enforcement
  1. Steps and details
  2. Requesting the Personal Information Protection Commission to assess data breach incident factors * Attaching the legislative bills and the table comparing new and old provisions
  3. Reviewing the assessment request form : Reviewing whether the submitted bills entails personal information processing
  4. If there is no data breach incident factor
  5. End of the procedure : Notifying that there is no data breach incident factor if personal information processing is not entailed
  6. Continuing assessment
  7. Reviewing the request form(contined) : Reviewing data breach incident factors
  8. Notifying the assessment result : Notifying “agree to the original bill” or “recommend improvement.
  9. Agreeing to the original bill : End of the procedure , Assessment of data breach incident factors ends, and the legislative procedure continues.
  10. Recommending improvement : Reviewing the request form(continued) :Reflecting the improvement opinions and submitting the result of reflection
  11. Managing the result of reflection : Checking and managing whether the relevant agency (department) accepted the improvement opinions
  1. Central administrative agency
  2. Relevant agency (-> Personal Information Protection Commission)
  3. Personal Information Protection Commission
  4. Relevant agency (-> PPersonal Information Protection Commission)
  5. The relevant agency submits the result of data breach incident factor assessment to the Ministry of Government Legislation, and submits the result of reflection to the Personal Information Protection Commission
  6. Personal Information Protection Commission