
Data Security Compliance for the Act on Protection of Personal Information in Japan

Thales helps organisations address the essential requirements for advanced encryption and key management of APPI.

Japan Act on Protection of Personal Information

The Act on the Protection of Personal Information (APPI), Act No. 57 of 2003, was enacted on 15 May and fully enforced in April 2003. It aims to protect the rights and interests of individuals while taking into account the usefulness of personal information.

The APPI has been revised three times to respond to changes in economic and social conditions, such as the progress of digital technology and globalisation, and to the growing global awareness of personal information protection. The latest revision, enforced on 4 April 2022, consolidated and integrated the rules that apply to private businesses, national administrative agencies, independent administrative agencies, local government agencies and local incorporated administrative agencies.

Thales helps Japanese organisations comply with the Act on the Protection of Personal Information (APPI) by addressing essential requirements for advanced encryption and key management.


Regulation Overview

The Act on the Protection of Personal Information (APPI), Act No. 57 of 2003, is the primary legislation that applies to the collection and processing of personal data. The law was revised in 2017 and 2022.

The APPI establishes the Personal Information Protection Commission (PPC), a regulatory body that can issue guidance on the application and interpretation of the law and its requirements.

The PPC published practical guidance for the APPI (General Rules) in the following 10 chapters:

  • Chapter 1: Purpose and Scope of Application
  • Chapter 2: Definition
  • Chapter 3: Obligations of Business Operators Handling Personal Information
  • Chapter 4: Approach to Recommendations, Orders, Emergency Orders
  • Chapter 5: Exemptions
  • Chapter 6: Special Provisions for Application
  • Chapter 7: Responsibilities of Academic Research Institutions
  • Chapter 8: Extraterritorial application
  • Chapter 9: Revision of Guidelines
  • Chapter 10: Details of security control measures to be taken

Organisations based in Japan must comply with the APPI requirements when handling the personal data of data subjects. If you are a foreign organisation, you will be subject to the APPI if the following three criteria are met:

  • Personal scope: The APPI applies if your organisation handles the personal information of Japanese data subjects.
  • Territorial scope: If you collect the personal data of data subjects for the purpose of providing your products and services, and handle that personal data in a foreign country, you are subject to the APPI requirements.
  • Material scope: The APPI applies to the “handling” of personal data. Handling covers the collection, retention, use, transfer and any other handling of personal information.

Thales helps Japanese organisations comply with the Act on the Protection of Personal Information by addressing the following requirements with advanced encryption and key management.

Requirement: Chapter 2-1: Personal Information; Chapter 3-5-3-1: Situations to be reported; and Chapter 10-3: Organisational safety management measures

Encryption and tokenisation can secure sensitive data such as personal information, but the cryptographic keys themselves must also be secured, managed and controlled by the organisation to further strengthen data security.

Protect Sensitive PII and PCI Data

  • Organisations can secure sensitive data with CipherTrust Tokenisation, which provides comprehensive data security capabilities, including file-level encryption with access controls, application-layer encryption, database encryption, static data masking, vaultless tokenisation with policy-based dynamic data masking, and vaulted tokenisation, supporting a wide range of data protection use cases.
  • CipherTrust Transparent Encryption (CTE) delivers data-at-rest encryption with centralised key management, privileged user access control, and detailed data access audit logging. This protects data wherever it resides: on-premises, across multiple clouds, and within big data and container environments.

Requirement: Chapter 10-6: Technical safety control measures

Network encryption protects data in motion, and a ransomware protection solution helps organisations detect cyber attacks and secure sensitive data.

  • Thales High Speed Encryptors (HSE) provide network-independent, data-in-motion encryption (layers 2, 3 and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.
  • CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) provides a non-intrusive way of protecting files/folders from ransomware attacks. It continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.

Recommended resources

Data Security Compliance for The Act on the Protection of Personal Information in Japan -  Compliance Brief

The Act on the Protection of Personal Information (APPI) was enacted on May 15 and fully enforced in April 2003, aiming to protect the rights and interests of individuals while considering the usefulness of personal information. Information such as name, gender, date of birth,...


Data Security Compliance with the Personal Data Protection Decree (PDPD) in Vietnam

Thales enables organisations to comply with PDPD Requirements by recommending the appropriate data security and identity management technologies.

Addressing Requirements of Personal Data Protection (PDP) Law of Indonesia – eBook

Indonesia passed its first Personal Data Protection (PDP) Law in 2022. The PDP Law is an effort to enhance the existing regulatory framework on personal data protection; it signifies the development of policies on personal data protection and confidentiality and strengthens...

Other key data protection and security regulations

GDPR

Regulation (Active Now)

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

PCI DSS

Mandate (Active Now)

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation (Active Now)

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.