Poll: Japan firms slow to comply with new EU data privacy rules
TOKYO: Around a quarter of Japanese businesses have made progress on meeting some of the easier requirements under Europe’s new data privacy regulations while about another 20% plan to do so, a Reuters poll found.
But the number of companies who say they are currently equipped to deal with more onerous rules, such as those relating to data breaches and dealing with requests to provide personal data to customers – drops drastically to just a few.
The results of the Reuters Corporate Survey, conducted from June 4-15, shows only modest progress by Japanese firms in their efforts to grapple with the new European Union General Data Protection Regulation (GDPR), which took effect last month.
The rules, designed to protect the online data of European citizens, apply to all businesses that offer goods and services within the bloc, regardless of whether they have incorporated units. Violations can result in € fines of up to 4% of global revenue or 20mil, whichever is higher.
“The rules are really too tough,” wrote one manager at a chemicals firm.
The survey, conducted for Reuters by Nikkei Research, showed that 26% of firms have updated data privacy policies to take into account requirements such as the need for clear language and the seeking of affirmative consent, often effectively an opt-in e-mail.
Eight percent said they were working on the issue while another 15% said they planned to.
Similar numbers could also be seen in response to a question about whether companies have created the position of data protection officer or if they have appointed someone specifically responsible for data protection.
Some 539 big and medium-sized businesses were polled in the survey. Around 215 responded to questions about GDPR, answering anonymously so they can express opinions more freely.
Many firms noted they did not believe the rules would directly affect them as they did not do business in Europe.
Some rules are, however, proving tougher to meet than others.
Just 7% of companies said they were currently in a position to comply with a rule requiring them to notify authorities of data breaches within 72 hours of becoming aware of a breach and to notify people affected by a high-risk breach without undue delay.
Ten percent said they were working on it while another 25% said they aimed to.
A similar trend could be seen with the rule requiring companies to provide personal data free to EU customers should they request it.