[Expert’s Commentary Column of the Commercial Times] Eight Points Required to Be Included in an Online Shopping Site’s “Personal Information Security Maintenance Plans”

December 26, 2023

In order to prevent consumers' personal information from being stolen, tampered with, damaged, lost, or leaked, the Ministry of Digital Affairs of the Executive Yuan promulgated the "Regulations Regarding the Security Maintenance and Administration of Personal Information Files in Digital Economy Industry" (hereinafter the "Digital Personal Information Regulations" or "DPIR") on October 12 this year. If you are in a "digital economy-related industry" such as an "industry engaged in the retailing of goods through the Internet" (commonly known as online shopping), "software publishing industry," "computer programming, consulting and related services industries," "industry engaged in the handling of data on behalf of customers, hosting of servers and website and related services," "third-party payment industry," or "other information service industry," you will be subject to the regulation of the Digital Personal Information Regulations.

■ Penalty might be imposed if not completed by January 12, 2024

Businesses in the aforementioned industries are required to formulate a "Personal Information Security Maintenance Plan" ("PISMP") before January 12 next year. If they fail to complete the plan within the deadline, they may be subject to fines ranging from $20,000 to $2,000,000 per incident. If the circumstances are serious, or if they fail to make corrections within the designated period, they may even be subject to fines ranging from $150,000 to $15,000,000 per incident. Businesses should pay special attention to this matter.

In addition, to prevent small businesses from incurring excessive costs in formulating and implementing the PISMP, the DPIR adopts a tiered management frequency. If a business has a capitalization of $10 million or above, or maintains 5,000 or more personal data files, it must implement and review its security maintenance plan at least once a year. For other special circumstances (e.g., businesses that have increased their capital to over $10 million after the implementation of the DPIR), Article 18 of the DPIR provides further detailed requirements.

The PISMP formulated by a business must include the following contents (refer to Articles 3 to 17 of the DPIR), and the business must keep the relevant records of the implementation of the PISMP for at least five years:

1. The purposes and circumstances for the collection, processing, and use of personal information by the business shall abide by the provisions of Article 6.1, Article 7.1, Article 8, Article 9, Article 19.1, and Article 20 of the Personal Data Protection Act.

2. Businesses are required to implement appropriate security management measures for personal information, including encryption and backup protection, transmission security, firewalls for communication systems, email filtering mechanisms or other intrusion detection devices, monitoring of abnormal access to data, updating and implementing anti-virus software, implementing malware detection, setting up authentication mechanisms, and appropriate and consistent masking of the presentation of personal information.

3. If a security incident involving the theft, tampering, destruction, loss, or leakage of personal information jeopardizes the normal operation of a business or the rights and interests of a large number of data subjects, the business must notify the Ministry of Digital Affairs, or copy the Ministry of Digital Affairs when notifying the municipal or county governments, within 72 hours of becoming aware of the incident.

4. Regarding security incidents involving the theft, tampering, destruction, loss, or leakage of personal information, businesses are required to establish a contingency mechanism (including ways to minimize and control damage to the data subjects involved, and appropriate ways and content of notifying the data subjects after investigating the incident), a notification mechanism (to notify the data subjects involved of the occurrence of the incident and how it has been handled, as well as a channel for the data subjects to make subsequent inquiries), and a prevention mechanism (to deliberate on measures to avoid the recurrence of the security incident).

5. A business is required to stipulate with its employees the obligation of confidentiality regarding personal data, to set up restrictions on their access to personal data, and to implement awareness-raising and educational training on personal data protection for employees.

6. If a business transmits personal data internationally, the business is required to notify the data subject of the region to which the data is to be transferred and to supervise the recipient of the data.

7. A business is required to regularly check the current status of the personal information it has collected, processed, or used, and determine what information should be included in the scope of the PISMP. It also needs to regularly assess the risks that may arise from the process of collecting, processing, or using personal information, and implement appropriate security measures based on the results of the risk assessment. In addition, it should periodically review the implementation of the PISMP and prepare an evaluation report.

8. A business shall establish a mechanism for maintaining the accuracy of personal information and a mechanism for deleting personal information. With respect to a data subject's request to search, view, copy, supplement, correct, or delete his/her personal information, or to cease the collection, processing, or use of it, the business shall stipulate the means of exercising such rights and of confirming the identity of the data subject.

This article was published in the Expert's Commentary Column of the Commercial Times. https://www.ctee.com.tw/news/20231226700106-439901