The Personal Information Protection Commission will put a draft partial amendment to the enforcement decree of the Personal Information Protection Act up for public comment from June 2 to July 13, as part of efforts to strengthen prevention of and response to personal data leaks.

The revised Personal Information Protection Act, which takes effect on Sept. 11, requires personal information processors above a certain size to obtain a board resolution and report to the commission when appointing, changing or dismissing a chief privacy officer (CPO), to strengthen the CPO's authority and independence.

It also mandates personal information protection certification (ISMS-P certification) for major personal information processors with broad impact in the public and private sectors. It requires them to notify data subjects without delay from the stage where a leak is possible so they can respond quickly. The enforcement decree revision is being pursued as a follow-up measure.

The decree revision sets out criteria for determining which entities are required to obtain a board resolution and report to the commission when appointing a CPO or changing or dismissing the appointee. To strengthen the CPO's independence and status protections, it defines those subject to the board resolution and reporting obligation as the same as those currently required by law to appoint a dedicated CPO.

It also spells out reporting methods and procedures. Personal information processors subject to the reporting obligation must submit a report to the commission within 1 month of the date the obligation arises, with a 1-month extension possible if unavoidable reasons apply. The draft enforcement decree also specifies the scope of entities required to obtain SMS-P certification and the requirements, timing and items for notifications of possible leaks. It also improves and streamlines standards for imposing administrative fines to raise the effectiveness of sanctions.

Any institution, organisation or individual with an opinion on the draft enforcement decree revision can submit comments by July 13 through the National Participation Legislation Center, the commission's email or regular mail.