
What is Japan’s APPI?
The Act on the Protection of Personal Information (APPI), which is one of the first data regulations in Asia, was updated in May 2017 after a series of data breaches took place in Japan. The change in legislation happened a year ahead of EU GDPR, and both Japan and the European Union agreed to recognize each other’s data regulations as providing well-rounded protection to data subjects.
APPI applies to organizations that are located within Japan's borders as well as those with offices abroad that offer goods and services in Japan and handle personal sensitive data of Japanese people. This means that, just like GDPR, APPI has an extra-territorial reach which allows it to oblige organizations that process personal data to comply with it. Companies from a wide range of areas such as banking, retail, and telco fall under the APPI and could face penalties of up to $4600 or up to a year of imprisonment for failing to comply with certain requirements.
Requirements
Right of Access to Data:
Upon request, organizations are required to notify data subjects of the purpose of use of their personal data. Additionally, if an individual requests that an organization disclose the retained personal data which could eventually lead to their identification, the organization must meet the request without delay.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to Deletion:
Under APPI, data subjects may require an organization to add, modify, or delete retained personal data if the given information is not correct.
How SecuPi Helps:
On the application level, SecuPi redacts information on customers who requested to be forgotten (referred to as “logical deletion”). On the database level, SecuPi applies Format Preserving Randomization (FPR) Anonymization, ensuring that the personal data is both anonymized and randomized on different databases, to prevent correlation of the same anonymized value between different data sets.
Consent and Right to Opt Out:
Organizations are not allowed to acquire personal data by wrongful means and could be sanctioned for doing so. Additionally, they’re prohibited from acquiring personal data without the consent of the individual except under certain circumstances.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to Object to Processing:
Upon request, organizations are required to (a) stop using, or erase, retained personal data and (b) stop providing the retained personal data to third parties if the individual’s request is valid. Data subjects are also allowed to make such a request if the information was collected in violation of the APPI.
How SecuPi Helps:
Using Dynamic Masking and redaction, SecuPi can disable access to the data of data subjects where consent wasn’t given or where the customer requested to restrict processing of personal data.