What You Must Protect Even Across Borders: GDPR

This article reflects information as of 2020. For the latest details, please contact us.

Written by:

画像1

Hello!

Thank you for reading this article! This time's "Buzzword" is "GDPR." It's a term about personal information and security — one that's been in the news a lot lately. For those of you thinking about expanding into EU countries or cross-border EC going forward, this will become important, so I'll write it to be as easy to follow as possible!

画像2

1. What Is GDPR?

"GDPR" is the abbreviation for (General Data Protection Regulation), a law on personal-data protection in the EU. It was enacted in April 2016 and took effect on May 25, 2018. The background to its enactment is the rapid advance of IT technology and the progress of globalization. What's protected is not only the information of general consumers residing in EU member states and the three EEA (European Economic Area) member states (Liechtenstein, Iceland, Norway), but also that of employees, corporate representatives, and all individuals — information that leads to identifying that individual. I'll describe this in detail later. If you don't comply with "GDPR," fines occur! At most, whichever is higher of 4% or less of a company's global annual revenue, or 20 million euros or less, applies. As of 2020/09/28, one euro is 122 yen, so 20 million euros is about 2.44 billion yen — an absurdly high amount! In Summer Jumbo lottery terms, that's the top prize five times over. It's despairing. It's unquestionably a serious amount for a company. Let's comply.

画像3

2. The Personal Information Covered

Examples of what counts as personal data include the following. ・Things containing an employee's name (employee rosters, HR systems, org charts, emergency contact networks, seating charts) ・Things containing a customer's name (customer-management systems, shareholder registers) ・Things containing a business-partner representative's name (event participant lists, exhibition visitor information) ・Email addresses (mailing lists) ・Video, images, or audio relating to an individual (event photos). As a note of caution, online identifiers like IP addresses and cookies are also regarded as personal information. Also, when acquiring personal information, a company must clearly state to the user its own identity and contact details, the purpose of processing, whether it will be provided to third parties, the retention period, and so on, and obtain consent.

3. When an Impact on Japanese Companies Is Conceivable

An impact on Japanese companies is conceivable in cases like the following. ・A subsidiary, branch, or sales office is located in the EU and personal data is handled there. ・Personal data of EU residents is handled without going through an EU company ※such as cross-border EC. ・You receive data transferred from within the EU to outside it ※e.g., cases where a business-partner representative list is sent by email from an EU local entity to the Japanese head office, or where a person in charge at the Japanese head office can access the HR system of the EU local entity. ・On behalf of a controller, you handle the personal data of EU residents. The cross-border EC market grows larger year by year, so it may draw even more attention.

越境EC画像

4. Finally

This time I wrote simply about "GDPR"! Personal-information protection is very important for trust and for not getting bashed by the public, so if you work in the EU region, you'd better be careful. Also, in the US — which we deal with more often than the EU region — a similar bill called the CONSENT Act was introduced. We'll need to keep an eye on that too. A movement to treat even online identifiers as personal information is happening around the world. Let's lock down our security tight. Thank you for reading!