Earlier this year, Japan became the first country to earn an adequacy decision from the European Commission after the enforcement of the EU’s General Data Protection Regulation (GDPR). This means that the Commission has decided the level of data protection in Japan is high enough to allow personal data to flow freely between Japan and the EU. However, the decision was reached after Japan offered strong protection guarantees for the personal data of EU data subjects.
Japan was the first country in Asia to adopt a data protection regulation, the Act on the Protection of Personal Information (APPI), in 2003. After a number of high-profile data breaches shook the country, the Act received a major update to bring it in line with current international standards. The amendments came into force on 30 May 2017, but like most regulations that entered the legal scene before the GDPR, it fell short of the new, data-subject- and privacy-centered European legislation. This is why Japan, when negotiating its adequacy decision with the European Commission, developed a set of supplementary rules meant to bridge the differences between the two data protection systems.
These additional safeguards strengthen the protection of sensitive data, the exercise of individual rights and overall ensure that the same guarantees provided by the GDPR for EU personal data will be applicable in Japan. These rules are in force as of the adequacy decision reached on 23 January 2019 and are legally binding for all Japanese businesses handling EU personal data. Their enforcement will be carried out by the Personal Information Protection Commission of Japan (PPC).
How can businesses become APPI compliant?
The new improved APPI and the supplementary rules mean Japanese businesses collecting and processing personal information as well as businesses around the world offering services and products to Japanese data subjects must implement cybersecurity measures and physical safeguards that guarantee the security of the personal information they process.
And while traditional cybersecurity solutions like firewalls and antivirus software are an indispensable part of a comprehensive data protection strategy, focusing on outside threats can leave companies vulnerable to the biggest actual threat to personal information: their own employees.
Last year IAPP reported that no less than 84% of data breaches were the result of employee carelessness. The data breach suffered by Japan’s biggest travel agency, JTB, which resulted in the theft of data belonging to 7.93 million users, including passport numbers, was due to one employee.
Because of this, it’s essential that organizations look at vulnerabilities and threats coming both from the inside and the outside. Data Loss Prevention (DLP) solutions tackle this blind spot of traditional data protection strategies that focus on outside malicious actors and provide the tools needed to ensure sensitive data is protected from careless mishaps both in the office and outside it.
Protecting data in transit with DLP
DLP solutions offer granular policies that can be applied at different levels, from computers to users, groups and departments. They can be tailor-made to serve specific company needs, but most also come with predefined policies for sensitive information which is protected under various data protection regulations including the GDPR and APPI. This refers in particular to personally identifiable information (PII) such as passport numbers, national ID numbers, driver’s license numbers etc.
These policies, once in place, control and monitor where sensitive data is being transferred by employees. Transfers, whether they take place over the internet via anything from browsers to social media and instant messaging, or through copy and paste, the cloud or printing, are monitored and can be blocked or limited depending on a company’s needs.
This ensures not only that sensitive data does not mistakenly get transferred through insecure channels outside the company network, but also provides useful monitoring information, such as detailed logs of all incidents, that can be used for auditing purposes and to identify which employees require further training on data protection best practices.
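To make the policy-and-incident-log mechanism described above concrete, here is a small added example (not code from the original page or from any DLP product) that scans one outbound message for two of the PII types the text names. It assumes a Japanese passport number is two uppercase letters plus seven digits and treats "national ID number" as Japan's 12-digit My Number, whose check digit is validated so that a random 12-digit figure (an invoice total, say) is not logged as an incident; the message, user and channel are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample outbound message (not from the original page).
SAMPLE_MESSAGE = """Hi, attaching the customer sheet for the Tokyo trip.
Passport: TK1234567, national ID 1234 5678 9018 (please keep confidential).
Driver's licence renewal reminder for 12 Feb; invoice total 123456789012 JPY."""

# Assumed format: two uppercase letters followed by seven digits.
PASSPORT_RE = re.compile(r"\b[A-Z]{2}\d{7}\b")
# Candidate My Number: twelve digits, optionally grouped in fours.
MYNUMBER_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")

def mynumber_check_digit(first11: str) -> int:
    """My Number check digit: digits are weighted n+1 (n<=6) or n-5 (n>=7),
    with n counted from the rightmost of the 11 leading digits."""
    total = 0
    for n, ch in enumerate(reversed(first11), start=1):
        weight = n + 1 if n <= 6 else n - 5
        total += int(ch) * weight
    remainder = total % 11
    return 0 if remainder <= 1 else 11 - remainder

def is_valid_mynumber(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return (len(digits) == 12 and digits.isdigit()
            and mynumber_check_digit(digits[:11]) == int(digits[11]))

def mask(value: str) -> str:
    """Log only the last three characters so the incident log itself is not PII."""
    digits = re.sub(r"[ -]", "", value)
    return "*" * (len(digits) - 3) + digits[-3:]

@dataclass
class Incident:
    policy: str
    match: str
    user: str
    channel: str
    action: str = "block"

def scan_transfer(text: str, user: str, channel: str) -> List[Incident]:
    """Apply both policies to one transfer and return the incident log entries."""
    incidents = []
    for m in PASSPORT_RE.finditer(text):
        incidents.append(Incident("APPI-passport", mask(m.group()), user, channel))
    for m in MYNUMBER_RE.finditer(text):
        if is_valid_mynumber(m.group()):  # check digit filters out non-ID 12-digit numbers
            incidents.append(Incident("APPI-national-id", mask(m.group()), user, channel))
    return incidents
```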
Protecting data at rest
Companies are rarely aware of the kind of data stored on their employees’ computers. This can become a problem especially when such data is sensitive and requests to delete or correct it are made by Japanese data subjects. Organizations can unwittingly still be storing incorrect data or data they no longer have the consent to hold or process because their employees have downloaded it onto their computers and forgotten about it.
DLP solutions like Endpoint Protector allow companies to scan all computers in their networks for sensitive data and when it is found, administrators have the option of taking remediation actions such as data deletion or encryption.
Protecting data on the go
A third source of data breaches is employees leaving the security of company networks and taking their devices, whether computers, phones or removable storage devices, with them on business trips or for presentations at clients’ or partners’ offices.
It is easy for an employee to leave a USB drive behind, or for one to fall out of a pocket in a taxi, for example. Once lost, any sensitive data stored on it can be stolen or made public. Some DLP solutions can automatically encrypt data transferred onto USB devices, ensuring that, in case of loss or theft, the information on them cannot be accessed without the correct password. In addition, if a password is forgotten or compromised, administrators can reset it remotely.
Another way to avoid data loss on the move is by limiting or blocking the connection of removable devices altogether. DLP tools can restrict the use of USB and peripheral ports, completely blocking all connections or ensuring that only trusted devices – like those with automatic encryption – can connect to computers.
DLP solutions can help Japanese companies and organizations on their way to compliance with APPI by offering effective tools for the control and monitoring of personal and special care-required data. Only by knowing where the data they process is and how it is being used can companies build effective data protection strategies that will ensure that they will comply with APPI and its supplementary rules.