South Korea has had a difficult run of data security breaches. In 2014, 20 million accounts at three South Korean credit card companies were hacked. The country has stepped up its data privacy regulation and is backed by extensive enforcement measures. What is the basic structure, its key features and enforcement measures? What are the recent changes and their implications?