Security + privacy regulations in South Korea
PIPA (Personal Information Protection Act, enacted 2011 and amended several times, most recently in 2023) is Korea's primary privacy law and one of the most stringent in the world. Consent requirements are strict (granular, freely given, withdrawable), processing of unique identifiers (resident registration numbers, passport numbers and the like) requires additional safeguards, and cross-border transfers require consent or one of a small set of alternative conditions. Penalties include revenue-based administrative fines and criminal liability for the most serious violations.

PIPC (Personal Information Protection Commission) became the consolidated regulator in August 2020, absorbing privacy enforcement that had previously been split across sectoral regulators. PIPC enforces actively: it fined Google and Meta tens of billions of won in 2022, and Meta again in 2024, for collecting and using personal information for targeted advertising without valid consent.

ISMS-P (Personal Information and Information Security Management System) is Korea's combined security and privacy certification. The statutory obligation under the Network Act is ISMS certification for information and communications service providers that exceed revenue or user-count thresholds (in practice, large consumer-facing services); ISMS-P extends that scope to personal-information controls. The security-only ISMS (commonly called K-ISMS) remains common in government procurement.

Korean-language requirements are strict: the Privacy Policy must be published in Korean (an English version alone does not satisfy PIPA), consent dialogs must be in Korean, and data-subject requests must be handled in Korean. Localization is a material investment for Korea-facing SaaS.
Key laws + frameworks
PIPA
Personal Information Protection Act. Korea's strict general privacy law.
ISMS-P
Korea's combined security + privacy certification.
K-ISMS
Information Security Management System certification, the security-only certification under the ISMS-P scheme. Often required for Korean government contracts.
Cloud Security Assurance Program (CSAP)
Required certification for cloud services used by Korean public sector.
Network Act
Act on Promotion of Information and Communications Network Utilization and Information Protection. Applies to information and communications service providers. Its personal-information provisions were folded into PIPA in 2020, but it remains the legal basis for mandatory ISMS certification.
Regulators
- Personal Information Protection Commission (PIPC): primary enforcement authority under PIPA
- Korea Internet & Security Agency (KISA): technical agency that runs the ISMS-P and CSAP certification schemes and receives breach reports alongside PIPC
Breach notification
Under the 2023 amendments, a controller must notify affected individuals without delay and report to PIPC (or KISA) within 72 hours when a breach affects 1,000 or more data subjects, involves sensitive information or unique identifiers, or results from unauthorized external access. The notice has prescribed contents: the items of personal information affected, when and how the breach occurred, what the individual can do to limit harm, the measures the controller has taken, and a contact point.
Cross-border transfers
Consent, with specific disclosure of the recipient, the destination country, the purpose, the items transferred and the retention period, remains the default legal basis. The 2023 amendments added alternatives: transfers required by law or treaty, transfers to recipients holding a PIPC-recognised certification, and transfers to countries PIPC has found to offer adequate protection. Additional safeguards apply to sensitive data and unique identifiers, and PIPC can order a transfer suspended. The regime remains more restrictive than most peers.
Priority stack for Korea-facing SaaS: (1) a PIPA-compliant Privacy Policy in Korean (non-negotiable); (2) a consent flow that meets PIPA's granularity requirements (separate consent for each purpose, for optional items, for third-party sharing and for cross-border transfer); (3) localized handling of data-subject requests in Korean; (4) ISMS-P or ISMS certification only when scale or sector requires it (not for a typical early-stage company). Korea is one of the heaviest compliance lifts in APAC; decide whether the Korean market is core before investing.