TOKYO (Reuters) – Around a quarter of Japanese businesses have made progress on meeting some of the easier requirements under Europe’s new GDPR data privacy regulations while about another 20% plan to do so, a Reuters poll found.
But the number of companies who say they are currently equipped to deal with more onerous rules – such as those relating to data breaches and dealing with requests to provide personal data to customers – drops drastically to just a few.
The results of the Reuters Corporate Survey, conducted June 4-15, show only modest progress by Japanese firms in their efforts to grapple with the new European Union General Data Protection Regulation (GDPR), which took effect last month.
The rules, designed to protect the online data of European citizens, apply to all businesses that offer goods and services within the bloc, regardless of whether they have incorporated units. Violations can result in fines of up to 4% of global revenue or 20 million euros, whichever is higher.
“The rules are really too tough,” wrote one manager at a chemicals firm.
The survey, conducted for Reuters by Nikkei Research, showed that 26% of firms have updated data privacy policies to take into account requirements such as the need for clear language and the seeking of affirmative consent, often effectively an opt-in email.
Eight percent said they are working on the issue while another 15% say they plan to.
Similar numbers could also be seen in response to a question about whether companies have created the position of data protection officer or if they have appointed someone specifically responsible for data protection.
Some 539 big and medium-sized businesses were polled in the survey. Around 215 responded to questions about GDPR, answering anonymously so they can express opinions more freely.
Many firms noted they did not believe the rules would directly affect them as they did not do business in Europe.
Some rules are, however, proving tougher to meet than others.
Just 7% of companies said they were currently in a position to comply with a rule requiring them to notify authorities of data breaches within 72 hours of becoming aware of a breach and to notify people affected by a high-risk breach without undue delay.
Ten percent said they were working on it while another 25% said they aim to.
A similar trend could be seen with the rule requiring companies to provide personal data free to EU customers should they request it.
While not directly comparable, separate data by consultancy PwC Global in January suggests that US and British companies have made far more progress.
Just 19% of Japanese firms in Europe have completed or set about steps to respond to the new regulations, compared to 39% of US companies and 43% of British businesses, the PwC data showed.
A member of the EU delegation to Japan told Reuters in early June that while “there has been a perceptible interest across the business community about the GDPR”, the delegation had not received much in the way of enquiries from Japanese businesses.
“We're talking at most ten questions,” the person said, declining to be identified.
(Reporting by Tetsushi Kajimoto; Additional reporting by Tom Wilson and Izumi Nakagawa; Editing by Malcolm Foster and Edwina Gibbs)