TOKYO -- A year after the European Union imposed tough new rules governing the collection of personal data, nearly half of major Japanese companies have yet to fully comply -- an increasingly risky state of affairs as Brussels cracks down on violators.
Ninety-one of 100 companies surveyed by Nikkei said they were subject to the General Data Protection Regulation, for such reasons as having customers in Europe. Of these, 41 still had some or a significant amount of work to do to come into compliance as of Thursday. While this is an improvement from the survey conducted just before the new regulations took effect last May, when 70 companies said they were not fully ready, corporate Japan still has a long way to go.
Not only do violators potentially face fines of up to 20 million euros ($22.3 million) or 4% of annual global revenue, whichever is higher, but noncompliance also risks damaging trust in Japanese companies' handling of consumer data more generally.
The EU in January deemed Japan to have a comparable level of data protection regulation to its own, making it easier for Japanese businesses to transfer data out of Europe. But this so-called adequacy decision will come up for review after two years, and application of the rules will be taken into account.
The GDPR imposes strict standards on the collection and use of personal data by companies and organizations. Even given that the regulations set a high bar to clear, corporate Japan lags noticeably behind other countries.
As to the reasons for the discrepancy, some familiar with the situation -- including attorneys advising businesses on GDPR compliance -- suggest that there is a lack of urgency because Brussels has yet to take action against any Japanese enterprises.
"We were waiting to see what other Japanese companies did," said a representative at a large homebuilder that said it still had much work to do to comply with the EU rules.
The adequacy decision itself also may have lulled some into complacency. "A lot of companies misunderstood it to mean that they were now compliant with GDPR," a representative of a major consulting firm said.
Brussels started going after violators in earnest in the latter half of 2018. About 206,000 cases were reported in the first nine months of GDPR implementation, with a total of roughly 56 million euros in fines imposed by authorities in 11 countries, according to the European Data Protection Board, which is in charge of applying the regulations.
"The wave of crackdowns will reach Japan," said Izumi Umezawa of EY Advisory & Consulting. Companies "need to analyze the situation and get ready," Umezawa said.