Data Security Compliance for the Act on Protection of Personal Information in Japan

Regulation Overview

The Act on the Protection of Personal Information (APPI) - No. 57 of 2003 is the primary legislation that applies to the collection and processing of personal data and the law went through revision in 2017 and 2022 respectively.

The APPI establishes the Personal Information Protection Commission (PPC) a regulatory body that can issue guidance on the application and interpretation of the Law and its requirements. 

Practical guidance for the APPI – General Rules was published by the PPC with 10 chapters below:

• Chapter 1: Purpose and Scope of Application
• Chapter 2: Definition
• Chapter 3: Obligations of Business Operators Handling Personal Information
• Chapter 4: Approach to Recommendations, Orders, Emergency Orders
• Chapter 5: Exemptions
• Chapter 6: Special Provisions for Application
• Chapter 7: Responsibilities of Academic Research Institutions
• Chapter 8: Extraterritorial application
• Chapter 9: Revision of Guidelines
• Chapter 10: Details of security control measures to be taken

Organizations based in Japan must comply with the APPI requirements when handling the personal data of data subjects. If you are a foreign organization, you will be subject to the APPI if the following three criteria are met:

• Personal scope: The APPI applies if your organization handles the personal information of Japanese data subjects.
• Territorial scope: If you collect the personal data of a data subject for the purpose of providing your products and services and handle the personal data of data subjects in a foreign country, you will be subject to the APPI requirements. 
• Material scope: The APPI applies to the “handling” of personal data. Handling refers to the collection, retention, use, transfer, and otherwise handling of personal information.

Thales helps Japanese organizations comply with the Act on Protection of Personal Information by addressing essential requirements of protecting personal information for the following requirements with advanced encryption and key management.

Requirement: Chapter 2-1: Personal Information; Chapter 3-5-3-1: Situations to be reported & Chapter 10-3: Organizational safety management measures

Encryption and tokenization can successfully secure sensitive data such as personal information, the cryptographic keys themselves must be secured, managed and controlled by the organization to further enhance data security.

Protect sensitive data

• Organization can secure sensitive data with CipherTrust Tokenization which provides comprehensive data security capabilities, including file-level encryption with access controls, application-layer encryption, database encryption, static data masking, vaultless tokenization with policy-based dynamic data masking, and vaulted tokenization to support a wide range of data protection use cases. CipherTrust Transparent Encryption (CTE) delivers data-at-rest encryption with centralized key management, privileged user access control, and detailed data access audit logging. This protects data wherever it resides, on-premises, across multiple clouds and within big data, and container environments.

Control:

• The regulation requires organizations to be able to monitor, detect, control, and report on authorized and unauthorized access to data and encryption keys. Organizations can control access to their data and centralize key management with CipherTrust Manager, CipherTrust Cloud Key Management (CCKM) and the CipherTrust Data Security Platform for a strong separation of duties and to enforce very granular, least-privileged-user access management policies.

Requirement: Chapter 10-6: Technical safety control measures

Network encryption can protect data in motion and ransomware protection solution helps organizations detect cyber attacks and secure sensitive data.

• Thales High Speed Encryptors (HSE) provide network-independent, data-in motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site-to site, or from on-premises to the cloud and back.
• CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) provides a non-intrusive way of protecting files/folders from ransomware attacks. It continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.