Security & Compliance

GDPR (General Data Protection Regulation)

EU data protection law enacted in 2018, the world's most stringent privacy regulation.

Tags: GDPR, data protection, privacy, EU, regulation, compliance
Created: March 1, 2025 Updated: April 2, 2026

What is GDPR (General Data Protection Regulation)?

GDPR is a data protection regulation that the European Union enacted in May 2018. Known as the world’s strictest privacy law, it applies to any organization that handles the personal data of EU residents. Even Japanese companies face compliance obligations if they process EU users’ information.

In a nutshell: Personal information is “someone’s valuable asset,” and the law strictly prohibits companies from using or selling it without permission.

Key points:

  • What it does: Establishes strict rules for EU residents’ personal data processing
  • Why it matters: Protects individual rights from excessive corporate data use accompanying digitalization
  • Who it affects: All companies handling EU resident information (regardless of nationality)

Why it matters

Before GDPR, personal data was treated as corporate “assets.” Facebook sold 2 billion user data points to third parties, and data breaches drew light fines.

GDPR fundamentally changed this thinking: personal data is treated as a “basic human right” deserving strict protection, and companies cannot use it without the individual’s explicit consent.

This shift dramatically increased the fines for breaches and misuse. The maximum fine is 4% of revenue or €20 million, whichever is larger, exposing multinational companies to potentially billions in damage. Consequently, Apple strengthened data minimization, Microsoft expanded privacy features, and global tech companies pursued GDPR compliance.

Application scope

GDPR applies to organizations meeting either of these conditions:

  • Established in the EU or the European Economic Area (EEA): such organizations face compliance regardless of where the data is stored. This is not limited to EU companies; Japanese companies processing EU user data have the same obligations.
  • Offering “products/services to” or “monitoring the behavior of” EU users: such organizations face GDPR regardless of their own location. For example, a Japanese company running an online store for EU users must comply with GDPR for its customer data.

Key requirements

GDPR-mandated compliance includes the following:

  • Explicit individual consent is essential. Before processing personal data, you must obtain clear written or electronic consent that states what the user is consenting to. Default-checked consent boxes do not meet GDPR requirements.
  • The data minimization principle applies. Collect only the minimum data necessary and retain no more than that. For example, if an email address and name suffice, collecting a postal address and phone number violates GDPR.
  • Transparency is required. Explain to users, in plain and understandable language, what data you collect and how you use it. Privacy policies need plain language, not legal jargon.
  • The right to be forgotten (right to erasure) must be honored. Users can demand deletion of their data; absent a legitimate reason to retain it, you must comply.
  • A Data Protection Impact Assessment (DPIA) may be required. High-risk data processing requires a prior assessment and documentation of its privacy impact.

If violated

GDPR violation fines vary by severity.

Minor violations (e.g., insufficient information provided to users) are capped at 2% of revenue or €10 million, whichever is larger.

Serious violations (processing without consent, failing to report breaches) are capped at 4% of revenue or €20 million, whichever is larger. Multinational companies with trillions in annual revenue face billions in potential fines.

Additionally, data breaches must be reported to the authorities within 72 hours. A delayed response or an attempt at concealment triggers fines on top of major reputational damage.

Frequently asked questions

Q: Do Japanese companies need GDPR compliance?

A: Yes, if they handle EU user data. For example, GDPR applies if you send newsletters to EU users or hold EU customers’ credit card details. “We’re a Japanese company” won’t excuse non-compliance.

Q: Are small enterprises excluded from GDPR?

A: No. There are no exemptions based on employee count or revenue. Even a solo entrepreneur handling EU user data must comply. The required level of compliance effort varies with the method and scale of processing.

Q: Do pre-collected user databases fall under GDPR?

A: Databases created from May 2018 onward (when GDPR was enacted) are generally covered. Even older data, if it is still being processed, requires explicit consent obtained retroactively; implicit consent does not suffice.
