The new GDPR data privacy rules & your business in Japan

GDPR Rules Catherine O'Connell Law.png

Over the last several weeks you will have noticed an uptick in your email inbox from companies such as Google, MailChimp, Twitter, and LinkedIn, etc. informing you of updates to their Privacy Policy, User Terms & Conditions and Cookies. That is because the new EU data privacy law called GDPR (or “Global Data Privacy Regulation”) comes into effect this month and companies all over the world are rolling out updates at high speed to be compliant with the law from May 25th,2018. This article**aims to focus on determining if your business falls within the scope of the GDPR and the 4 steps to take to get GDPR ready.

Why has the new law come at this time? There are primarily 3 main reasons – the number of privacy issues that have arisen from the massive growth in consumer/mobile technologies; the fact that we now do business in an increasingly connected global world; and the mass cross-border data flows on a daily basis. 

Is the law relevant to me as a business owner in Japan? It dependsTo the extent your entity is offering goods and services to people in the EU, or collects, processes or stores data tied to EU citizens, the GDPR applies. Avoiding anything that touches EU residents will become increasingly difficult. For example, a U.S. company that engages a distributor based in Tokyo which does business with partners in Europe will find that the Japanese company also needs to be compliant. A business in Tokyo which offers products or services to customers in Tokyo or outside of Japan who are EU residents will need to be compliant. (“Offer/Offering” is a key concept explained below). 

What if I am not ready for the deadline of May 25, 2018?  You are probably not alone, but you need to act quickly. Sanctions for non-compliance include fines up to the greater of €20m or 4% of the global annual turnover of an infringer. 

What are the key changes under the GDPR that may affect my business in Japan?
The key changes under the GDPR are: it covers a wider scope than before; there are tougher sanctions; more varieties of data are caught; there is a data breach notification requirement; appointing a data protection officer is required, and there is a heavier burden of accountability and information governance. Let’s look at just one of these key changes “wider territorial scope” as it affects Japan-based businesses.

How does the “wider territorial scope” of the GDPR affect Japan-based businesses? The previous data protection directive covered any entity processing personal data in the EU. The GDPR changes this to cover any entity in the EU that handles personal data and any individual in the EU whose personal data is handled by an entity, wherever that entity is based – that includes, for our purposes, Japan.  For example, any person can go to a website and give their personal data, without knowing where their data will actually be processed. The GDPR gives EU citizens assurance their data is protected, where ever it is processed.  

The important aspect of the GDPR is that it states that its territorial scope includes the processing of personal data of someone in the EU by organisations outside of the EU, “where the processing activities are related to the offering of goods or services” to that person. The GDPR was written by lawyers and this wording of “offering” means simply the activity of “offering” such goods & services - even if no payment actually occurs. Therefore, the original drafters who decided to put in the words “offering goods or services” likely intended to cover new online services business models such as social media.

What about organisations not established within the EU? Even if an organization is able to prove that it is not established within the EU, (many Japan-based businesses) it will still be caught by GDPR, if the business processes personal data of data subjects who are in the EU where the processing activities are related "to the offering of goods or services" to such data subjects in the EU in addition to "the monitoring of their behaviour" as far as their behaviour takes place within the EU (internet use profiling is an example of monitoring). For example, tech companies in the US and other countries, are taking note as the provisions of GDPR have clearly been designed to capture them. Organisations that are overseas, (i.e. not within the EU) who are caught by the “offering goods or services or monitoring” tests must be GDPR compliant.

What are the key actions my business can take right now? Entities are likely to be impacted by the GDPR in different ways depending on the industry/sector and the nature/volume of personal data processed. Your business can focus on the following 4 key steps to assess the impact and take appropriate steps to identify and implement necessary changes:

1.    Data mapping (or “Snapshot Assessment”):Every business needs to carry out an extensive data audit across the organization/supply chains to identify current data collection and use. Record this information and have information governance in place to ensure that the data is kept up-to-date.

2.    Data protection impact assessments & Gap Analysis: Data protection impact assessments will need to be completed and documented for each of the high-risk processing areas identified in the data mapping (snapshot assessment) process. Businesses should assess the current level of compliance with the GDPR and identify gaps and remedial actions, prioritizing remedial actions for higher risk areas.

3.     Contracts: Review your supplier/customer/supply chain contracts. Most probably, commercial terms will need revision given the risk of penalties for non-compliance. As “everyone” is engaged in this review process now, there should be little pushback for requests to your counterparties to update contracts to make them GDPR compliant. 

4.    Insurance arrangements: Terms of policies require careful review as many policies may not be suitable for the types of losses which are likely to occur under the GDPR. Cyber/data protection exposure should be added to policies or purchased as stand-alone policies. 

Some DO’s and DON'Ts

DO review your Privacy Notices: Check the content of current privacy notices on your website etc. They will almost certainly need to be amended to include mandatory information about the way data is processed and statutory rights available to individuals. Privacy notices must be in plain language to be easily understood. 

DO email all your clients/customers to reconfirm their opt-in for e-newsletters, MailChimp distributions etc. It’s important your clients actively say “yes” to receiving your marketing material. Simply asking them to “opt out” won’t work after May 25th. 

DO establish a compliance framework: to demonstrate to a regulator that you are taking active measures for information governance. Establish a clear data governance model, review and refresh policies/procedures and establish effective audit processes. Privacy impact assessments added as a “checklist item” on new projects will be best practice.

DO document things precisely: If a regulator asks you why you are holding onto information you will need to explain. If users request access to their data, provide them with access rights and know where the data is, so that you can provide it promptly. 

DO question if you really need to retain the dataDON’T keep data indefinitely or without good reason. The more data you have the more exposure you have to losing it or to someone - a customer, regulator, a litigant - asking for it. Limit the type/volume of data collected as needed to complete certain specific tasks. Ask if there is a real business need to retain the data? If not, then delete.

DON’Tcollect sensitive data other than exceptionally. Use aggregated, key coded, pseudonymous or anonymous data where possible. 

DO have an effective data retention policy. Manage data leakage risk across the business.

DO establish clear rules for managing data throughout the supply chain. Incorporate EU model clauses into data sharing/processing agreements and use due diligence checklists.  

GDPR is focused on the process of how you identify the data you have, why you keep it and who has access to it. With the rise of cybercrime, it is important to consider consumer protection and brand reputation in your information governance. The GDPR is much broader than simply a “legal and compliance” challenge – it requires businesses to actively think about the way that they collect, process, securely store, share and securely wipe personal data.

Regarding the GDPR and the Japan “Act on the Protection of Personal Information” inter-relation, the EU Commission and the Japanese government are discussing the possible recognition of Japan’s adequacy in relation to its protection of personal data. Such adequacy, if recognized, will greatly facilitate EU-Japan data transfers. 

**This article is not legal advice. Have a conversation with your lawyer to get advice specific to your facts, industry/sector and requirements.

Catherine O'Connell