Key Considerations Regarding the Accelerated Implementation of Measures for the Separate Storage and Management of Resident Registration Numbers and Connecting Information

Recently, the Korea Media and Communications Commission (“KMCC”) issued an administrative notice regarding a proposed partial amendment (“Amendment”) to the “Standards on the Generation and Processing of Connecting Information” (KMCC Notice No. 2026-199). The Amendment aims to accelerate the implementation timeline for measures requiring organizations using connecting information to separately store and manage Resident Registration Numbers and Connecting Information*.

*Connecting Information (“CI”) refers to information generated by irreversibly encrypting a user’s Resident Registration Number (“RRN”) to enable service linkage across information and communications service providers.

1. Key Provisions of the Amendment

A. Current Regulations

The Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”) imposes an obligation on organizations using CI to take safety measures, such as storing and managing CI separately from RRNs (Article 23-6(2) of the Network Act and Article 13(2)(iii) of the Enforcement Decree of the Network Act). Attached Table 4 of the Standards on the Generation and Processing of Connecting Information stipulates the details of such security measures. However, the current regulations defer the implementation timeline for measures to separately store and manage CI until May 1, 2027. The rationale for requiring the separate storage and management of RRNs and CI is that if such information is stored together, the likelihood of identifying the data subjects in the event of a data breach increases, posing a significant risk of secondary harm. 

B. The Amendment

The Amendment moves the implementation timeline for the separate storage and management measures forward by 4 months, from the original date of May 1, 2027, to January 1, 2027. Accordingly, organizations using CI must implement a system for the separate storage and management of RRNs and CI and complete the corresponding separate storage measures by that date.

2. Implications and Response Strategies

A. Increased Operational Risks from Shortened Preparation Period

Separating the storage and management of RRNs and CI goes beyond a simple change in storage location; it requires a comprehensive redesign of the entire personal information processing system, including the identifier framework, database structure, access permissions, log records, encryption policies, and API integration methods. Consequently, modifying the relevant systems and verifying their stability through trial runs will require a significant amount of time.  

If the implementation timeline is moved forward by 4 months, underprepared organizations using CI may face adverse effects during the rushed system modification process. These may include system failures, authentication errors, and personal information processing issues. Furthermore, it could give rise to disputes regarding the allocation of liability between the entrusting and interconnected entities.

B. Necessity of Establishing a Proactive Response System

Therefore, in preparation for the enforcement of the Amendment, organizations using CI must proactively review the following items and promptly begin the implementation of the corresponding systems. Furthermore, it is critical to note that failure to implement separate storage and management measures may subject organizations to administrative sanctions, such as penalty surcharges.

• Current Status Analysis and Implementation Planning: Organizations must promptly analyze how RRNs and CI are currently processed within their operational systems and develop a detailed technical and administrative implementation plan regarding their separate storage and management.
• Establishment of Risk Management Plan: Organizations must identify potential risks in advance—such as data loss, service disruptions, and authentication errors that may occur during the system migration process—and establish a comprehensive risk management plan that includes test scenarios and contingency plans.
• Collaboration with External Experts: Organizations should consider actively engaging external legal and technical experts to minimize trial-and-error during complex procedures, including system modifications, data migrations, and compliance reviews.

The Amendment reflects the growing public demand for enhanced protection of personal information. Thus, relevant companies need to monitor regulatory trends and make company-wide efforts to mitigate risks associated with the Amendment’s impending enforcement.

Leveraging our deep expertise and extensive experience, Shin & Kim’s ICT Group provides tailored legal advisory services to help companies effectively respond to the Amendment. Please consult our experts today if you need prompt and precise solutions for every stage of the process, including the current system assessment, implementation planning, and risk management.

About Shin & Kim’s ICT Group

Shin & Kim’s ICT Group possesses expertise and extensive professional network in the ICT sector, consistently earning top-tier client recognition in recent years. Drawing upon our deep-seated capabilities in broadcasting, telecommunications, personal information protection, and internet IT, we deliver the highest level of legal advisory services encompassing regulatory trend analysis in broadcasting, telecommunications, and ICT; government affairs, legislative improvement and consulting; regulatory impact assessment; and corporate strategic planning. Furthermore, we possess extensive experience and expertise in data breach response and related areas. Please contact us any time if you have any questions or require more specialized information.

[Korean version] 「연계정보 생성·처리 등에 관한 기준」 개정안 행정예고 - 주민등록번호와 연계정보 분리 보관·관리 조치 시행 시기 단축에 따른 유의사항 -