From the second half of this year, key public systems and about 1,700 high-risk systems that handle large volumes of personal information will undergo regular inspections. Companies and institutions that make proactive investments in personal data protection will also be given meaningful incentives.
The Personal Information Protection Commission on Monday reported to a Cabinet meeting chaired by the president a plan to shift to a prevention-focused personal data management system.
The commission first aims to increase the effectiveness of economic sanctions by imposing fines of up to 10 percent of sales for repeated or serious violations of the Personal Information Protection Act.
It will also change the basis for calculating fines from the current "three-year average sales" to whichever is higher between the previous year's sales and the three-year average. It will introduce a system of coercive fines to enable swift investigations and dispositions. It plans to strengthen sanctions for evidence concealment and to introduce a whistleblower reward scheme. Very small businesses that commit minor violations of the law will be given a chance to correct them so as to prevent recurrence, but repeated violations will be dealt with strictly.

The commission will also focus on expanding voluntary protection investment and building a risk-based management system. It will encourage companies to go beyond formal compliance and increase investment to raise their actual level of personal data protection, while strengthening accountable management. It will comprehensively assess whether companies take proactive measures that exceed statutory standards, make active security investments, and operate effective safety management systems, and will provide incentives such as fine reductions. To ensure that executives' legal responsibility for personal data protection, which takes effect in September, is faithfully implemented, it plans to encourage disclosure of corporate privacy protection activities so that companies can strengthen their own capabilities.
The commission will also build a risk-based management system that conducts differentiated inspections depending on risk level. It will directly provide intensive management of key public systems, numbering 387, and high-risk areas such as education and welfare.
To strengthen personal data protection competitiveness across companies and the broader industry, it will expand inspections across the supply chain, including cloud service providers, specialised contractors and system suppliers. The commission is currently inspecting prepaid funeral plan companies and customer service centres, and plans to wrap up the work quickly and recommend corrections for shortcomings found.
As the personal data processing environment becomes increasingly complex, it is not easy to detect or prevent breaches after a service is launched, so it aims to reflect personal data protection from the system design stage.
The commission will institutionalise steps to ensure that the principles of Privacy by Design are reflected from the service planning and design stage. It plans to reflect Privacy by Design principles in the criteria for personal information impact assessments and ISMS-P certification standards.
The commission said it confirmed a shortage of personnel and budget for personal data protection in the public sector through a status survey in February. It plans to work with relevant ministries to expand dedicated staff and budgets, and to raise overall protection levels through public-private cooperation. It will also pursue improved treatment for dedicated personal data protection staff.
The commission will activate the statutory damages system by making companies bear the overall burden of proof. It will intensively inspect practices, such as dark patterns, that deceive or mislead users and make it difficult to correct personal information, withdraw consent or cancel membership. It will also strengthen the functions of the personal data breach reporting centre, including specialised counselling, consulting and support for victim relief measures.
In the event of leaks of sensitive information, it plans to respond strictly by monitoring illegal distribution on social media to detect and delete content, and by working with investigative authorities to track down and punish illegal distributors and users to the end.
Song Kyung-hee (송경희), the commission's chair, said, "As with any accident, once personal information is leaked, it is difficult to fully reverse the damage, and recovery also takes a long time." She added, "The commission will build a system in which prevention works well in addition to accountability after the fact, to protect people's information more safely and create an environment for using personal information that people can trust."