South Korea

When must a Privacy Impact Assessment be conducted?

Timing: Before launch
Oversight body: Ministry of ICT
Report deadline: 30 days
High-risk criteria: 5+ categories

The Short Answer

A Privacy Impact Assessment (PIA) must be conducted before introducing or significantly modifying any information system that processes personal data in South Korea.

What the Law Says

South Korean law mandates Privacy Impact Assessments for certain personal data processing activities to prevent privacy violations before they occur.

Under the Personal Information Protection Act (PIPA), operators of information systems that process personal information must conduct a Privacy Impact Assessment (PIA) prior to launching or substantially modifying such systems.

The PIA requirement applies specifically when the system processes personal information in ways that pose elevated privacy risks — for example, when it involves large-scale processing, sensitive data, automated decision-making, cross-border transfers, or integration across multiple public agencies.

Once completed, the PIA report must be submitted to the Ministry of Science and ICT (MSIT) within 30 days of completion. MSIT may request revisions or additional analysis if the assessment is found insufficient.

Statutory Text

Where an information and communications service provider or other person who processes personal information intends to introduce or substantially modify an information system that processes personal information, such person shall conduct a privacy impact assessment prior to such introduction or modification.

Personal Information Protection Act, s. 34 — Privacy Impact Assessment

Statutory Text

The privacy impact assessment referred to in paragraph (1) shall be conducted in accordance with standards prescribed by the Ministry of Science and ICT.

Personal Information Protection Act, s. 34 — Privacy Impact Assessment

Statutory Text

The results of the privacy impact assessment shall be reported to the Ministry of Science and ICT within thirty days from the date of completion thereof.

Enforcement Decree of the Personal Information Protection Act, s. 29 — Reporting of Privacy Impact Assessment

What to Do

1. Determine whether your system processes personal information and meets any high-risk criteria (e.g., sensitive data, large scale, automated decisions).

2. Conduct the PIA using MSIT’s official guidelines and templates.

3. Document all findings, risk mitigation measures, and stakeholder consultations.

4. Submit the completed PIA report to the Ministry of Science and ICT within 30 days.

5. Retain records of the PIA and implementation actions for at least 3 years.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.