GDPR impact on Korea — panel discussion

Jun 25, 2018 Google Campus Seoul

Parallel 38°
Jun 27, 2018
Prezi presentation poster of the event — https://prezi.com/p/lbszl_ztzhlx/
The panelists: Chan Sik Ahn, Brian Chun, Massimo Nardone
Programme of the event
Chan Sik Ahn [left] explained the differences between GDPR and PIPA (Personal Information Protection Act, the Korean regulation equivalent, launched in 2011) and the disruptive technological changes in the legal world. Brian Chun [right] reflected on his experiences at Hanwha Techwin, where he was vocal about the urgency of starting a task force team to comply with GDPR, in particular for the CCTV cameras and security devices business area.
Massimo Nardone, connecting from Helsinki (Finland), shared a European perspective on GDPR, explaining Cargotec's compliance issues and challenges with subsidiaries around the world and in different business areas.
Trade and finance flows flattening, data flows growing exponentially (Digital globalization: The new era of global flows, McKinsey report 2016)

The adoption of the EU’s General Data Protection Regulation (GDPR) has intensified the discussions around data privacy and security, prompting several public and private initiatives in Europe and around the world. Businesses are working to update processes, policies and measures to comply with the new requirements. Technology developments mean data supply and demand are growing exponentially, but recent events have also shown that data can be harvested for political and commercial purposes.

The panel at Google Campus Seoul on June 25 brought together security managers, lawyers and researchers to explore the current regulatory and operational landscape in Korea. Is the country adequately protecting personal data and privacy? Could consumers’ trust and confidence be reinforced? What are the major challenges and opportunities? How ready is Korea to comply with the GDPR?

Some insights to consider after the panel discussion.

1) GDPR compliance has been slow because top management and decision makers have had a limited view of these convergent matters. Around two years ago Brian Chun, our panelist from Hanwha Techwin, noticed several initiatives in European subsidiaries and affiliates to prepare for a new regulation from the European Commission. After investigating and establishing the scope of the GDPR, he spent more than one year convincing his company's top management to start a task force team for GDPR compliance. At the time Brian was one of the few, if not the only one, in his company to grasp the problem: an engineer from SNU with an LLM in the US, he has the rare converging knowledge and skills to understand the impact of GDPR on the Hanwha Techwin group and ecosystem. The early adoption also gives his company an edge over the competition, especially in Korea.

2) On June 1, European Justice Commissioner Vera Jourová gave a keynote speech at PIS Fair 2018, during her official visit to Asia. The EU is negotiating an adequacy agreement with Korea and Japan, aiming to add the two countries to the current list of eleven that have a data protection agreement with the EU in place (including, among others, Argentina, Canada, Israel, New Zealand, Switzerland, and Uruguay).

https://iapp.org/news/a/eu-approaching-adequacy-deals-with-japan-korea

‘An adequacy decision means that the EU finds data protection laws in third countries to be essentially equivalent to those in the EU, so personal data can flow between the two without any further safeguard being necessary. Officially: “In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.” If no adequacy is found, more focused arrangements, like the EU-US Privacy Shield, may still be created.’

As Chansik Ahn explained in detail during his talk, Korean companies that comply with the Personal Information Protection Act (PIPA), released domestically in 2011, are already in compliance with the vast majority of the GDPR principles.

With Japan, the EU is also finalizing a trade agreement, negotiated over the last three years, and is trying to incorporate data protection into the deal. Coincidentally, Japan’s new data protection law came into effect last June 1.

3) Data Protection Officers (DPOs), an obligatory role in company organizations under the GDPR, will need better legal protection from PIPA/GDPR responsibility and liability. Insurance companies offer protection for directors'/officers' and professional liabilities, but premiums are quite high (depending on conditions/limits). In this respect AIG is probably the market leader, having in its portfolio of products a D&O insurance and several professional liability contracts specifically designed for errors and omissions, architects/engineers, reputation risks and also digital insurance. Policy makers may consider finding a way to nudge (as in Thaler’s book) companies to insure their DPOs or protect them with waivers from liability claims at this early stage. AIG also has a digital insurance policy called Cyber Edge, but too many types of companies are excluded from coverage (financial firms, including any cryptocurrency start-ups and exchanges, hospitals, schools, etc.). In Korea, the Hyundai and Samsung insurance firms have policies similar to AIG's, but seemingly only for their internal group companies. The rest of the Korean insurance companies think it is too early to cover those risks. There are surely adverse selection and moral hazard problems, but insurers are refusing to perform their institutional role in this digital domain.

4) Korean policy makers should try to persuade the big chaebols to act as role models for their supply chains and ecosystems. First, they have to bring into compliance their networks of subsidiaries around the world, which could be similar in size and organization to their suppliers/vendors. Second, Korean companies are fast in accepting new trends: once compliance reaches a tipping point, there will be unanimous consensus to follow suit. During the panel discussion a Samsung SDS strategist asked about the penalties and how to cope with non-compliance, but they should be on the front line in starting to comply in their business area. Ralf Sauer from the EU Commission stated clearly at the PIS Fair 2018 that GDPR compliance should not be considered only as an obligation, because it is basically good and fair operational practice.

5) KISA and other agencies have done extensive work to prepare for GDPR adoption in Korea, releasing many publications with translations and interpretations of the GDPR clauses. We could not find any, but we hope they have also released easy visualizations and infographics. The GDPR itself promotes the use of visualizations whenever possible. In the UK, governmental agencies and NGOs are publishing several one-minute infographics to promote GDPR compliance in an easily intelligible way.
