GDPR (General Data Protection Regulation)


This glossary explains various keywords that will help you understand the mindset necessary for data utilization and successful DX.
In this entry, we explain the GDPR (General Data Protection Regulation), which will have a major impact on the future of data utilization, and use it as a starting point to consider the issues that data utilization raises.

What is the GDPR (General Data Protection Regulation)?

The General Data Protection Regulation (GDPR) is a regulation that stipulates the considerations that must be taken into account when handling "personal data" in the European Union (EU).
The GDPR will have a major impact on Japanese companies as well, as it applies not only to companies with headquarters in the EU, but also to companies with branches in the EU and those that handle personal data of people residing in the EU. Violations can result in huge fines.

What is the GDPR (General Data Protection Regulation)?

Recently, it has been widely said that we are living in an age of data utilization. There are various types of data that can be used in business, but the utilization of "customer data" is expected to be extremely effective. However, while the utilization of data can be useful for business and economic development, using people's data too freely can lead to human rights issues.

In the past, there was a lack of regulation in this area, and it was left unchecked. For example, the collection of personal information on the Internet, and the identification and tracking of individuals were sometimes carried out without their consent. Furthermore, collected personal information was sometimes shared between organizations, and data use was left to run too freely.

The purpose of the GDPR is to protect the rights of people living in the EU regarding the use of their personal data. It is a declaration of the European Union's intention to not tolerate data use that violates human rights, and it effectively forces companies to use data appropriately, including by imposing large fines on companies that do not comply with the rules.

Widespread impact on Japanese companies

When you hear that it is an EU regulation, it may seem that Japanese companies are not affected. However, the GDPR applies not only to companies headquartered in Europe, but also to organizations that conduct business in Europe, such as those with branches there, and even to those that handle (even indirectly) the personal information of people living in Europe. Failure to comply with the regulation could result in penalties, including large fines, from EU authorities.

In particular, if you are providing services or content via the Internet and do not exclude access or use of services from Europe, you will inevitably have to be mindful of GDPR compliance.

Definition of Personal Data

In Japan, there has been a debate regarding what constitutes personal information in relation to the Personal Information Protection Act. Under the GDPR, not only information clearly relating to an individual, such as a photograph or name, but also "any information relating to an individual" is considered personal data. For example, while "location information about where and how someone has traveled" is not like a name or photograph, it is not only information relating to an individual, but also data that contains important privacy information that can identify a specific individual.

In the case of online activities, IP addresses are also considered personal data, and even "cookies," which have traditionally been widely used in online advertising and web marketing activities, are now considered "personal data" under the GDPR. As a result, many web-related activities will be significantly affected by the GDPR's regulations. It is now necessary to obtain explicit permission to acquire and use cookies, and usage policies must also be clearly stated.

Under the GDPR, the acquisition and use of personal data requires explicit consent, including opt-in, after the purpose, scope, and period of data use have been clearly and explicitly indicated. It is also necessary to be able to prove after the fact that consent meeting these requirements was obtained. In addition, organizations must implement measures such as erasing data once the usage period has expired, and must be able to honor the right to request data erasure and the right to have data transferred to other systems (data portability).

Penalties

If any problems arise with the processing of data, organizations are required to report them to the supervisory authority within 72 hours and to notify the affected individuals if there is any adverse effect.

In addition, if the scale of data usage exceeds a certain level, organizations are required to appoint a "Data Protection Officer (DPO)" to oversee the protection of personal data, and organizations without a base in the EU may also be required to appoint an "EU Representative" within the EU to be responsible for complying with the GDPR.

Penalties can include fines of up to 20 million euros or 4% of global turnover (not European turnover), whichever is greater. This can result in significant economic and social losses. These penalties are not just a formality; there have been cases where companies have been fined huge amounts, such as the 50 million euro (6.2 billion yen) fine imposed on Google in 2019.

Data utilization and personal data

Each country has different regulations

GDPR has attracted particular attention due to its strict regulations and the imposition of fines, but other countries also have legal restrictions regarding data. Japan also has the Personal Information Protection Act, and the United States also has legal regulations, with some states (such as California) having strict regulations regarding the handling of personal information. China and India also have their own unique rules, and in addition to personal information, they may also impose restrictions on the handling of data for security reasons.

Another purpose of GDPR

Each country has its own laws, and considering that they are revised every year, it is difficult to keep up. Unfortunately, there are no universal rules, but another purpose of the GDPR is to prevent different laws from being enacted in European countries, which could hinder business activities related to data. In Europe, too, learning from past experiences where the specific content of regulations differed from country to country, one of the aims of the GDPR is to establish common rules across the EU.

GDPR is often perceived as a restriction on business, but if a system is created to comply with GDPR, it can also be said that an environment has been created in which data business can be conducted smoothly within the EU.

Principles that should be observed when handling personal information

Before we even consider whether or not to follow rules, there are some things that are essentially good and bad. Even if a company complies with the laws and regulations of each country (at the time), if it is discovered that it has handled personal information in a way that lacks morality in light of socially accepted standards, the company will lose trust and face social sanctions. Companies are expected to fulfill their social responsibilities when it comes to handling data.

However, the handling of data is difficult to manage with nothing more than a mindset of "don't do anything bad." If you unknowingly end up performing unreasonable processing in a system, or if a company you outsource work to acquires or uses data in an immoral manner, you may face criticism from society even if you had no malicious intent.

While complying with GDPR does not mean that accidents will not occur, GDPR is known as an initiative that prioritizes protecting human rights. Even in circumstances where regulations may seem difficult due to the possibility of disrupting business operations, some companies prioritize the protection of rights based on principles. Taking measures in line with this stance may be helpful when considering your company's attitude toward personal information.

Anonymization of data

Not just for the GDPR, but also as a way to resolve the dilemma between the use and protection of personal information, anonymization of data is one option. The results of anonymized processing and statistical processing are often not subject to regulation in the laws of each country.

However, in cases where an individual can in practice be re-identified from the anonymized data, or where information about a specific individual can be inferred and restored from statistical data, the data can no longer be treated as anonymized. There have been cases where companies have gotten into trouble for providing anonymized data while knowing that it could be restored.

Even setting aside malicious intent, there are cases where re-identification is possible because the anonymization tools used were not capable enough. In such cases, anonymization or pseudonymization alone is not sufficient.
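The re-identification risk described above can be checked rather than guessed at. The following added example (not part of the original column, and not code from any product mentioned on this page) measures k-anonymity on a small constructed set of medical records from which names have already been stripped, lists the quasi-identifier combinations that still single out one person, and then applies generalization (ZIP truncation, age bucketing) with suppression of any record that still falls below the required k. Record values, field names and thresholds are all hypothetical.

```python
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed sample (not real people): a naive "anonymization" that only
# removed names. ZIP, age and sex remain and act as quasi-identifiers that
# an attacker could match against a public register.
PSEUDONYMIZED: List[Dict] = [
    {"zip": "10115", "age": 34, "sex": "F", "diagnosis": "flu"},
    {"zip": "10115", "age": 36, "sex": "F", "diagnosis": "asthma"},
    {"zip": "10117", "age": 52, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10119", "age": 29, "sex": "M", "diagnosis": "flu"},
    {"zip": "10119", "age": 27, "sex": "M", "diagnosis": "migraine"},
    {"zip": "10117", "age": 58, "sex": "M", "diagnosis": "flu"},
]

QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip", "age", "sex")


def quasi_key(record: Dict, quasi_ids: Sequence[str]) -> Tuple:
    """Tuple of the quasi-identifier values; records sharing it are indistinguishable."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records: Iterable[Dict], quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each quasi-identifier combination."""
    return Counter(quasi_key(r, quasi_ids) for r in records)


def k_anonymity(records: Iterable[Dict], quasi_ids: Sequence[str]) -> int:
    """Smallest equivalence class. k == 1 means at least one person is unique
    on the quasi-identifiers and can be re-identified by linkage."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records: Iterable[Dict], quasi_ids: Sequence[str]) -> List[Tuple]:
    """Quasi-identifier combinations that match exactly one record."""
    return [key for key, n in equivalence_classes(records, quasi_ids).items() if n == 1]


def generalize(record: Dict, zip_prefix: int = 4, age_bucket: int = 10) -> Dict:
    """Coarsen the quasi-identifiers: keep only a ZIP prefix and an age range."""
    out = dict(record)
    masked = len(record["zip"]) - zip_prefix
    out["zip"] = record["zip"][:zip_prefix] + "*" * masked
    low = (record["age"] // age_bucket) * age_bucket
    out["age"] = f"{low}-{low + age_bucket - 1}"
    return out


def anonymize(records: Iterable[Dict], quasi_ids: Sequence[str], k_required: int,
              zip_prefix: int = 4, age_bucket: int = 10) -> List[Dict]:
    """Generalize every record, then suppress any record whose equivalence
    class is still smaller than k_required, so the output is k-anonymous."""
    generalized = [generalize(r, zip_prefix, age_bucket) for r in records]
    classes = equivalence_classes(generalized, quasi_ids)
    return [r for r in generalized if classes[quasi_key(r, quasi_ids)] >= k_required]


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(PSEUDONYMIZED, QUASI_IDENTIFIERS))
    print("unique combinations:", singled_out(PSEUDONYMIZED, QUASI_IDENTIFIERS))
    released = anonymize(PSEUDONYMIZED, QUASI_IDENTIFIERS, k_required=2)
    print("k after generalization:", k_anonymity(released, QUASI_IDENTIFIERS),
          "records kept:", len(released))
```

Running this on the constructed set gives k = 1 before generalization (every record is unique on ZIP, age and sex, so stripping names achieved nothing), and k = 2 with all six records kept after 10-year age buckets and a 4-digit ZIP prefix. With narrower 5-year buckets, four of the six records would have to be suppressed to reach k = 2, which is the usual trade-off between utility and protection. Note that k-anonymity only limits identity disclosure: if every record in a class shares the same sensitive value (all "flu"), the diagnosis is still learned, so in practice the class is also checked for diversity of the sensitive attribute.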

More consideration is needed when using data

There is not just one credit card company. Initially, each card company began to establish its own "security standards," but from the perspective of those developing and operating IT systems, it was inefficient to have to comply with each company's standards separately, and this could have hindered the spread of card payments over the Internet.

When working to utilize data, it is necessary to consider the circumstances in each country, where the data was obtained from, where it is currently stored (the laws of the place where it is stored), where and how the data will be processed, and what is acceptable to do and what should not be done.

Data utilization does not simply mean collecting and using data; there are many other things that must be taken into consideration. Beyond legal regulations such as the GDPR and the protection of personal data, many other points need attention.

There are many things to consider, such as what kind of data is necessary to achieve results, how the data must be stored technically, whether to keep it in-house or not, and if storing it on the cloud, which service to use and how. How to prepare for data loss due to a major disaster, how to share data in projects involving collaboration with other companies, etc. In the first place, data tends to be scattered in various formats both inside and outside the company, and if nothing is done, not only will GDPR compliance be difficult, but data utilization itself may become uncertain.

Is there a way to freely retrieve and use data?

When it comes to data utilization, people tend to focus on analytical functions and other processing capabilities. However, data utilization requires the development of "connecting" functions that can connect to a wide variety of data sources, acquire data, and integrate it as needed. This is necessary not only for the realization of data utilization itself, but also for achieving data utilization in accordance with GDPR.

Building and configuring these integration functions in-house can be a daunting task, and it can also be difficult to respond quickly to the ever-changing data needs of the people on site.

However, there are solutions that can address this situation: software called "EAI" or "ETL," or a cloud service called "iPaaS." By simply placing connection icons on the GUI and configuring various settings, you can connect to a wide variety of data and systems, from cloud to on-premise, and access, transfer, process, and manipulate data.

Related keywords (for further understanding)

  • EAI
    • It is a concept of "connecting" systems by data integration, and is a means of freely connecting various data and systems. It is a concept that has been used since long before the cloud era as a way to effectively utilize IT.
  • ETL
    • In the recent trend of actively working on data utilization, the majority of the work is not the data analysis itself, but rather the collection and preprocessing of data scattered around, from on-premise to cloud. This is a means to carry out such processing efficiently.
  • iPaaS
    • A cloud service that "connects" various clouds with external systems and data simply by operating on a GUI.
  • SaaS
    • When people generally think of the "cloud," they are referring to this model of providing software as a service.

Are you interested in "iPaaS" and "connecting" technologies?

Try out our products that allow you to freely connect various data and systems, from on-premise IT systems to cloud services, and make successful use of IT.

The ultimate "connecting" tool: data integration software "DataSpider" and data integration platform "HULFT Square"

"DataSpider," a data integration tool developed and sold by our company, is a "connecting" tool with a long history of success. "HULFT Square," a data integration platform, is a "connecting" cloud service developed using DataSpider technology.

Another feature is that development can be done using only the GUI (no code) without writing code like in regular programming, so business staff who have a good understanding of their company's business can take the initiative to use it.

Try out DataSpider / HULFT Square's "connecting" technology:

There are many simple collaboration tools on the market, but this tool can be used with just a GUI, is easy enough for even non-programmers to use, and has "high development productivity" and "full-fledged performance that can serve as the foundation for business (professional use)."

It can smoothly solve the problem of "connecting disparate systems and data" that is hindering successful IT utilization. We offer a free trial version and online seminars where you can try it out for free, so we hope you will give it a try.


Why not try a PoC to see if HULFT Square can transform your business?

Why not try verifying how "connecting" can be utilized in your business, the feasibility of solving problems using data integration, and the benefits that can be obtained?

  • I want to automate data integration with SaaS, but I want to confirm the feasibility of doing so.
  • We want to move forward with data utilization, but we have issues with system integration.
  • I want to consider a data integration platform to achieve DX.
