TOKYO -- Nearly 80% of the major Japanese corporations surveyed by Nikkei say they are not yet completely compliant with the tougher data protection rules the European Union will put into force on Friday.
The General Data Protection Regulation mandates rigorous data warehousing protocols for companies that possess or transfer personal information on European citizens and employees. This applies to all businesses that offer products and services within the EU, regardless of whether they maintain incorporated units inside the region.
The GDPR requires transparency about the use of personal data, as well as layers of technological safeguards and revised guidelines on protecting the data. Companies will also have to appoint data protection officers. Those failing to comply face civil penalties of up to 4% of the global annual revenue, or 20 million euros ($23.3 million), whichever is greater.
But when Nikkei asked 93 large Japanese corporations that will be subject to the GDPR about their progress in getting ready, only 21% said they were completely up to speed. The rest of the respondents to the multiple-choice survey said they are not fully compliant. Most of the companies, at 60%, however, report they are nearly done with the overhauls, with only a number of issues remaining.
When describing the hard parts of the job, many respondents singled out the work identifying the type of data the company uses. One process specified is data mapping to show how personal information belonging people in the EU is being handled.
A Japanese food company said it is difficult to establish which data should be classified as personal or not. The GDPR stipulates that names, physical and email addresses and other determining factors count as personal data, meaning getting the full picture of the data will take a significant amount of time.
Several respondents also said getting their systems compliant with the new rules will be a time-consuming task. Many companies use different systems in different departments that handle personal data for business use. That would place an organization in an awkward position to carry out an individual's "right to be forgotten," which requires a subject's personal data to be erased from all systems if the person wishes it.
Though the risk of fines hitting noncompliant companies soon after the Friday deadline is slight, there is evidence that some operations have ceased in the EU. No company in Nikkei's survey reported taking such action. But a firm involved in information systems says at least one Japanese operator of an English-language online retail platform removed "Europe" from the regional tags identifying the shopper, indicating a virtual shutdown of EU sales.
The new data protection rules are also affecting how companies maintain their competitive advantage. Toyota Motor, faced with the requirement to obtain consent before transferring personal data outside the EU, has set up a British unit that will specifically manage data from connected cars. China has also come out with its own rules governing data protection.