Skip to menu Skip to content

Korean e-government homepage mark This site is the official e-Government website of the Republic of Korea.


Privacy Impact Assessment


It is a system for preliminary investigation, analysis and assessment to analyze and improve the risk factors before adopting anew or changing personal information files

Legal Ground and Objects

  • (Legal ground)Article 33(privacy impact assessment) of the Personal Information Protection Act
  • (Object institutions)Public institutions that will establish or operate personal information files prescribled in Article 35 of the Enforcement Decree of the Act, or change or connect the existing system

Objects of mandatory privacy impact assessment

When establishing or operating personal information files
  • - In the case of establishing, operating or changing personal information files of at least 1 million data subjects
  • - In the case of establishing, operating or changing personal information files of at least 500,000 data subjects upon connecting internal and external system
  • - In the case of establishing, operating or changing personal information files of at least 500,000 data subjects if the data contains sensitive information, such as medical information, or personally identifiable information, such as resident registration number, etc.

When changing personal information files
  • - In the case of changing the operating system of personal information files, such as personal information searching system, after the privacy impact assessment


See below See below
  1. Personal Information Protection Commission KISA
  2. Public Institution (Object institutions)
  3. Conducting assessment (Privacy impact assessment institution)
  4. Requesting assessment
  5. Submitting the result
  6. Providing opinions (if necessary)
  7. Designating the privacy impact assessment institution

Assessment Procedures

  • (When is the assessment conducted) The assessment is conducted in the stage of analyzing or designing the personal information processing system before establishing the system
  • (Who conducts the assessment)The assessment is conducted by privacy impact assessment team which is comprised of the person in charge in the department of the assessment, the privacy officer, the person in charge of personal information protection, etc.

* Public institutions request the assessment to the privacy impact institution designated by the Personal Information Protection Commission

See below See below Enlarge image
  1. Privacy impact assessment
  2. Preparing in advance
  3. Conducting the assessment
  4. Implementing
  5. Preparing project plan (Securing budget)
  6. Selecting proejct contractor
  7. Establishing assessment carry-out plan
  8. Collecting assessment materials
  9. Analyzing the flow of personal information
  10. Analyzing infringing factors
  11. Establishing improvement plan
  12. Preparing assessment report
  13. Reflecting and checking improvement plan
  14. Checking implementation status
  15. Assessment Process
  16. Examining the necessity of the impact assessment
  17. Preparing a project plan (Securing budget)
  18. Preparing a written request for proposal
  19. Project ordering
  20. Selecting the evaluation institution
  21. Establishing assessment carry-out plan
  22. Organizing the evaluation team
  23. Analyzing inside materials
  24. Analyzing outside materials
  25. Analyzing materials related to the target system
  26. Analyzing the actual status of personal information processing
  27. Preparing a flow statement of personal information
  28. Preparing a flow chart of personal information
  29. Preparing a system structure map
  30. Preparing a system structure map
  31. Preparing assessment item list
  32. Understanding the actual status of personal information protection
  33. Deducing infringing factors
  34. Calculating the risk level
  35. Deducing things to improve
  36. Establishing improvement plan
  37. Preparing assessment report
  38. Submitting the report
  39. Reflecting improvement plan (developing stage)
  40. Checking the reflecting of improvement plan (testing stage)
  41. Confirming the implement of improvement (within 1 year)
  42. Submitting a written confirmation (Protection Commission)
  43. Year of Performance
  44. A year immediately before
  45. Current year of the assessment
  46. A year immediately after the assessment
  47. Evaluating Body
  48. Object (Public Institution)
  49. Impact assessment evaluating institution (carrying out the assessment and preparing a written evaluation report)
  50. Object Institution (Cooperation, submitting the report, and implementing the improvement plan)
  51. Object Institution
  52. Supervising entity
  53. Object Institution

Expected Effects

Minimizing the risk of privacy infringement at the stag of establishing and operating the system to prepare effective responses by reviewing and improving the risks from the stage of designing the system.