Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Data security and breach notification

Security obligations Are there specific security obligations that must be complied with? Yes. In general, organisations processing personal information must take appropriate management and technical measures to protect personal information that they have collected and stored and ensure that the personal information is not lost, stolen, disclosed, modified or destroyed without consent.

In addition, the new Law on Cyber Information Security introduces certain requirements to protect information and information systems (ie, a combination of hardware, software and databases for creating, transmitting and storing information in a network environment) as follows:

  • When a cybersecurity incident occurs or may occur, those processing personal information must implement remedy and stoppage measures as soon as possible, and coordinate with competent state agencies and other organisations and individuals to ensure that the measures have been put in place.
  • Organisations which own information must classify it based on various levels of secrecy in order to take appropriate protection measures. Further, they must formulate rules and procedures for processing information and recording authorised access to classified information.
  • Those collecting information are subject to annual inspections and examination – or extraordinary inspections and examinations when deemed necessary – by the competent state management agency.
  • Organisations that own information systems must classify their systems based on levels of security (Level 1 to 5, as set out under the Law on Cyber Information Security) in order to establish appropriate protection measures. They must also formulate policies and rules relating to cybersecurity in terms of designing, developing, managing, operating, using and updating or deactivating information systems.
  • Organisations that own information systems are responsible for protecting their systems and must:
  • determine the security level of their information systems;
  • assess and manage security risks to their information systems;
  • supervise, monitor and check the protection of their information systems;
  • take measures to protect their information systems;
  • comply with the reporting regime; and
  • disseminate information and raise awareness about cybersecurity.

Organisations and individuals that use civil cryptographic products provided by those other than enterprises licensed to trade in civil cryptographic products must declare such use to the Government Cipher Committee, with limited exceptions.

However, the Law on Cyber Information Security does not clearly define what suffices as compliance for many of the aspects set out above. Subordinate legislation under the Law on Cyber Information Security is expected to be issued in order to clarify and provide guidelines on the implementation of these requirements.

Breach notification Are data owners/processors required to notify individuals in the event of a breach? No.

Are data owners/processors required to notify the regulator in the event of a breach? No.

Click here to view the full article.