Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
In Japan, there are no mandatory requirements to report data breaches. Generally, it’s recommended to report breaches to the Personal Information Protection Commission (PIPC) where there may be a personal data breach, unless the potential breach:
- is unlikely to result in a risk to the data subjects (for example, when the personal data has been encrypted); or
- is insignificant (for example, when an email was sent to the wrong person and does not contain personal information beyond the addressee).
Reports to the PIPC should include the details of the personal data breach and the measures that have been taken or are proposed to address the breach. In addition, data subjects should be notified of the breach depending on the sensitivity of the data and scale of the breach.
HR Best Practices: Make sure to follow any security and data protection controls outlined in your company’s security policies. Notifications to the Personal Information Protection Commission and impacted individuals are recommended, depending on the nature of the breach.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.