The adoption of the EU’s Data Protection and Privacy Regulation (GDPR) has intensified the discussions around data privacy and protection. Businesses are working to put policies in place to comply with the new GDPR regulations.
A recent panel at Google’s Campus in Seoul (June 25) brought together experts from a diverse array of fields to analyze the GDPR regulatory landscape in South Korea.
Some insights to consider after the panel discussion:
1) GDPR compliance has been slow, because top management and decision makers have had a limited view of these convergent matters. Around two years ago Brian Chun, our panelist from Hanwha Techwin, noticed several initiatives in European subsidiaries and affiliates about a new regulation of the European Commission. After investigating and finding out the scope of the GDPR, he spent more than one year convincing the top management of his company to start a task force team for GDPR compliance. At the time Brian was one of the few, if not the only one, in his company grasping the problem: an engineer from SNU with an IPR LLM in the US, he has the rare converging knowledge and skills to understand the impact of GDPR on the Hanwha Techwin group and ecosystem. The early adoption also gives his company an edge over the competition, especially in Korea.
2) On June 1, European Justice Commissioner Vera Jourová gave a keynote speech at PIS Fair 2018, during her official visit to Asia.
The EU is negotiating an adequacy agreement with Korea and Japan, aiming to add the two countries to the current list of eleven, which have a data protection agreement with the EU in place (including Argentina, Canada, Israel, New Zealand, Switzerland, and Uruguay).
An adequacy decision means that the EU finds data protection laws in third countries to be essentially equivalent to those in the EU, so personal data can flow between the two without any further safeguard being necessary. Officially: “In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.” If no adequacy is found, more focused arrangements, like the EU-US Privacy Shield, may still be created.
As explained by Chansik Ahn during his talk, Korean companies that comply with PIPA already satisfy the vast majority of the GDPR principles. The EU is also finalizing a trade agreement with Japan, negotiated over the last three years, and is trying to incorporate data protection into the trade deal. Coincidentally, Japan’s new data protection law came into effect last June 1.
3) DPOs will need better legal protection from PIPA/GDPR responsibility and liability. Insurance companies offer protection for directors’ and professional liabilities, but premiums are quite high (depending on conditions/limits). Below, two AIG products:
Policy makers may consider finding a way to nudge (as in Thaler’s book) companies to insure their DPOs or protect them with waivers from liability claims at this early stage. AIG also has a digital insurance policy called Cyber Edge, but too many types of companies are excluded from coverage (financial firms, including any cryptocurrency start-ups and exchanges, hospitals, schools, etc.).
Hyundai and Samsung insurance companies have policies similar to the AIG policies, but it seems mostly for their own group companies. The remaining insurance firms think it is too early to insure those risks. There are certainly adverse selection and moral hazard problems, but insurers are refusing to perform their institutional role in this digital domain.
4) Korean policy makers should try to nudge big chaebols to act as role models for their supply chain and ecosystem. First, they have to bring their networks of subsidiaries around the world into compliance; these subsidiaries could be similar in size and organization to their suppliers/vendors. Second, Korean companies are fast in accepting new trends: once compliance reaches a tipping point, there will be unanimous consensus to follow suit. During the panel discussion a Samsung SDS strategist asked about the penalties and how to cope with non-compliance. They should be in the front line to start compliance in their business area. Ralf Sauer from the EU Commission mentioned clearly at the PIS Fair 2018 that GDPR compliance should not be considered only as an obligation, because it is basically good and fair operational practice.
5) KISA and other agencies have done extensive work to prepare for the GDPR adoption in Korea, releasing many publications with translations and interpretations of the GDPR clauses. We could not find any, but we hope they have also released accessible visualizations and infographics. Besides, the GDPR itself promotes the use of infographics whenever possible. In the UK, governmental agencies and NGOs are publishing infographics like the one below:
This article is an excerpt from the following (all permissions granted): https://medium.com/@parallel38/gdpr-impact-on-korea-9eadbcecb54d