Appointing a CPO Is Becoming a Board Matter

PrivacyAdvance Notice

On July 9, the PIPC issued an advance notice (haengjeong-yego) of a partial amendment to the "Notice on Career Recognition for Personal Information Protection Officers." Comments are due by July 29, addressed to the Voluntary Protection Policy Division.

The title of the notice itself changes — to the "Notice on Designation and Career Recognition of Personal Information Protection Officers." The scope broadens from career recognition to designation reporting.

The backdrop: the law taking effect September 11

Until last year, a company designated its CPO on its own and noted it in the privacy policy — and that was that. The amended Personal Information Protection Act (Act No. 21445, promulgated March 10, 2026) changes this when it takes effect on September 11. Personal information controllers specified by Presidential Decree must obtain a board resolution when they designate, change, or dismiss a CPO, and must report it to the PIPC.

This amendment is the follow-up work that defines the form and manner of that report. The Act and the Enforcement Decree build the frame; the notice fills in the form.

Per the explanatory statement, four types are covered: controllers with annual revenue or income of KRW 180 billion or more that also process personal data on 1 million or more people, or sensitive/unique-identifier data on 50,000 or more; universities with 20,000 or more enrolled students; tertiary (top-tier) general hospitals; and public system operating institutions.

The current CPO qualification (expertise) requirement applies at a threshold of KRW 150 billion in annual revenue. The reporting-obligation threshold written into this explanatory statement is KRW 180 billion. The numbers differ. Because the Enforcement Decree amendment hasn't been finalized and promulgated, the final threshold can't be stated with certainty yet. When judging whether you're covered, verify this gap against the original text.

The form fields are the real content

The amendment attaches a separate report form. What it asks you to fill in reveals what the PIPC intends to look at.

There's a checkbox for whether a board resolution was passed. And there's a separate "not resolved" field, with a field next to it for the reason for non-resolution. A board resolution is mandatory, yet they deliberately included a non-resolution field — which means they anticipate cases of reporting without going through the board, and they intend to collect the reason. Whatever you write in that field stays on the record as-is.

Relevant work experience is broken out: personal information protection X years Y months, information security X years Y months, information technology X years Y months, and total X years Y months. Until now, CPO experience requirements were judged internally by the company and that was the end of it. Going forward, you write that calculation out as numbers and submit it.

And under "other matters," you fill in whether there is a dedicated privacy organization and how many staff are assigned. This isn't information about the CPO as an individual. It's the regulator collecting how many people a company has put on personal information work. As reports pile up, the staffing distribution by industry and by size gets captured as statistics. Where that data ends up being used isn't hard to imagine.

The processing period is 30 days. You don't need to submit the corporate registration certificate or the business registration certificate — the PIPC verifies them directly through administrative information sharing under Article 36(1) of the Electronic Government Act.

What changes on the consulting side

Reviewing the CPO experience requirement has mostly been a formality. Designate one of the executives, and if the career is borderline, wave it through with "this should be good enough" — I've seen it happen plenty of times. Now you write that judgment out as numbers and hand it to the regulator. There's less room to wave things through.

If you're a client caught by the criteria, there are three things to start looking at now. First, whether you're covered at all. Since the revenue threshold isn't finalized, anyone sitting between KRW 150 billion and 180 billion has to wait for the Enforcement Decree. Next, whether your current CPO's experience can fill the report's fields. It's worth confirming you can substantiate the requirement — a total of four years including two-plus years of personal information protection experience — with an actual work history. Last, the board schedule. If a reason to change your CPO comes up after September 11, you have to convene the board, and for companies that only meet quarterly, that becomes a bigger constraint than it sounds.

The notice itself takes effect on the day it's issued. Given the law's effective date, it's likely to be finalized sometime in August. If your company is caught by the criteria, you're better off reading the amendment text at least once during the advance-notice period. The form is the requirement.


Source