What is GDPR? Explanation of data protection that you should pay attention to in marketing


Do you know about “GDPR”? Many people are probably not used to hearing the term. It is a regulation in force in Europe that protects personal information, and there is a risk that serious penalties will be imposed if you violate it.


This time, we will explain the contents of GDPR and points to be aware of when conducting marketing.

What is GDPR?

GDPR stands for “General Data Protection Regulation” and is called “EU General Data Protection Regulation” in Japanese. It was established with the aim of unifying the methods of processing personal information data in the EEA (European Economic Area). Corporations that are based within the EEA or that do business with companies or people within the EEA must manage personal information appropriately in accordance with the GDPR.

  1. How GDPR was established

In 1995, the predecessor of GDPR, the EU Data Protection Directive 95, was established. This was a more limited regulation compared to today, as it targeted corporations with physical facilities (local subsidiaries, servers, etc.) within the EEA. However, with the spread of the Internet and globalization, the GDPR was enacted in April 2016; it applies more widely and incorporates regulations that suit the times. It came into effect in May 2018.

  1. Data subject to GDPR regulations

Persons subject to the GDPR must appropriately process or transfer personal data.

We have summarized it below, so please check it out.

Personal data
  • Name, address, phone number, email address, online identifier (IP address, cookie information)
  • Factors related to physical, physiological, genetic, mental, economic, cultural, and social characteristics

Process
  • Storing credit card information
  • Collecting email addresses
  • Disclosing customer names
  • Viewing supervisors’ performance evaluations of employees
  • Deleting online identifiers
  • Creating a list containing the names, job functions within the company, business addresses, and photos of all employees

Transfer
  • Sending electronic documents containing personal data by email from within the EEA to outside the EEA
  • Transferring employee personal data from a subsidiary within the EEA to a parent company outside the EEA
  • A cloud provider within the EEA re-entrusting the personal data it has acquired to a cloud provider outside the EEA

For example, if you are running an online shopping business, you will obtain personal data such as “customer’s name and address” and “credit card number,” and you will routinely perform the process of “storing credit card information” for payment purposes. These must be handled appropriately in accordance with GDPR.

  1. Scope of GDPR

In Japan, corporations that fall under any of the following three categories are subject to the GDPR.

  • There are local subsidiaries, branches, sales offices, offices, etc. in the EEA.
  • Providing goods or services from Japan to customers in the EEA
  • Being entrusted with the processing of personal data by customers in the EEA

This means that companies based in the EEA or doing business with customers in the EEA must comply with the GDPR.

  1. What happens if you violate GDPR?

If a company violates the GDPR, it must pay a fine of 4% of the company’s annual worldwide turnover or 20 million euros, whichever is higher.

As of February 20, 2020, 20 million euros is approximately 2.5 billion yen, so a very heavy penalty will be imposed.


How should I respond to GDPR?

So what should we do to comply with GDPR? We have summarized what companies should do.

  1. Creation of internal regulations

First of all, it is important to understand the contents and targets of GDPR. Details can be found on the Japan External Trade Organization (JETRO) website.

Then, create internal regulations regarding what kind of data is being collected and how it will be handled. Also post your privacy policy on your homepage, etc.

  1. Building an internal system

You also need to improve your internal structure. Appoint a data protection officer (DPO) and create an internal environment centered around the DPO.

  1. Improvement of provided services

If the services you currently provide do not comply with GDPR, you will need to change the specifications. For example, if your homepage has a system (such as an application form) that allows you to collect personal information such as customers’ names, addresses, and email addresses, use pop-ups or checkboxes to communicate that personal data is being collected, and create a system to get consent.

  1. Deepen your understanding within the company

There have been many scandals in the past where employees leaked personal information at various companies. If the regulations, risks, and mindset regarding the handling of personal information are not widely known within the company, the risk of personal data being leaked to the outside, whether by mistake or intentionally, is extremely high. Therefore, hold study sessions to deepen understanding of the GDPR.

  1. Create a flow when an incident occurs

If an incident occurs, such as a cyberattack or the leakage of personal information, it must be reported to a supervisory authority within 72 hours. Strengthen security and build systems and mechanisms that allow you to quickly discover incidents.


GDPR pitfalls

Do you think that it doesn’t matter because you don’t do business with European customers? In fact, many companies may be subject to the GDPR even if they do not do business with customers in the EEA. Marketers need to be especially careful.

  1. Could you be violating the law without knowing it?

As mentioned above, personal data under the GDPR also includes web identifiers (IP addresses, cookie information). If IP information or cookie information is obtained through access analysis and there is also access from the EEA, it will be subject to GDPR regulations.

For example, if you run a site written in a foreign language for overseas users, there is a good chance that it will be accessed from the EEA.

Additionally, the GDPR protects not only customers residing within the EEA, but also people visiting the EEA. For example, a Japanese person who is on a business trip or traveling in Europe and uses a smartphone to browse a Japanese company’s homepage while there is also subject to the GDPR.

The Internet has no borders. Compliance with GDPR is especially essential for companies that publish their websites, sell products or provide services online. It can be said that most companies now have a homepage. Take a closer look at your company’s GDPR compliance.


Summary

◆GDPR (EU General Data Protection Regulation) is a regulation established for the purpose of protecting personal information within the EEA.


◆Those subject to GDPR regulations must handle personal data appropriately in accordance with the regulations, and violations will result in significant penalties.

◆Many companies that publish their websites and provide services online may be subject to GDPR regulations.


◆It is necessary to create an environment that can comply with GDPR through the flow of creating internal regulations, building a system, and improving services.