• Inquiry
  • +81-3-6425-6735
    (Business hours 9:00 am - 6:00 pm)

GDPRGDPR Compliance Consulting

Inforamation / Flow

What is GDPR?

The European General Data Protection Regulation (GDPR) is a privacy protection framework enacted in the EU in 2016. It replaces the existing Data Protection Act and is a stricter regulation with direct effect for EU member states. It not only regulates but also provides strict penalties for non-compliance.

Why is it necessary to be GDPR compliant?

Against the backdrop of the rapid global shift to the Internet for business and personalization of services, personal information previously stored on paper or electronic media is now being processed online. There are many opportunities to register online even highly personal information such as names, addresses, and PINs for credit cards and accounts. In some cases, data such as location information, purchase history, and web browsing history are acquired and used without the user's explicit knowledge.
In many countries around the world, it is becoming increasingly important to require businesses that handle personal data to have strict safeguards and management systems in place.

Who is subject to GDPR?

The following types of businesses are subject to GDPR in Japan:

  • Businesses that have subsidiaries, branches, or sales offices in the EU
  • Businesses that provide goods or services in the EU
  • Businesses that are entrusted with the processing of personal data by businesses in the EU

It does not necessarily mean that the businesses not mentioned above are not subjected to GDPR but simply because the entity does not do business in the EU, as the GDPR covers virtually all data, including:

  • a. Customers in EU countries register their IDs, email addresses, etc. through customer support or other sites.
  • b. Stores and processes personal data of EU citizens registered on its website on a system outside the EU

Key Points for GDPR Implementation

In order to meet GDPR requirements, a review of management rules, business processes, and organizational structures is essential. Businesses undertaking the application of the GDPR will be prescribed to take practical measures.

The first step is to understand the personal data of expatriates collected by the business and then thoroughly devise a response plan.

Flow of GDPR Compliance Consulting

Comprehensive support from understanding the current situation to formulating a response plan and supporting actual operations will be provided.


Assessment Preparation

  • Identification of personal information
  • Organize personal information to be collected
  • Check the personal information management regulations and detailed rules for personal information management.
  • Interview items and questionnaires are carefully examined.
  • Organize data flow

Conduct Assessment

  • Conduct assessments for applicable departments
  • Reconcile the application/non-application of GDPR to the relevant personal information
  • Analyze gap between personal information management status and GDPR requirements
  • Organize the results of the gap analysis
Policy making

Strengthen management system

  • Organize global management system and consider policies to strengthen it
  • Examine procedures for extraterritorial transfers (individual consent, SCC, BCR (Binding Corporate Rules))

Review of personal data use operations

  • Review of personal data management operations (from acquisition of personal information to data processing, information destruction, etc.)
  • Consider strengthening incident response management operations

Implementation of measures to strengthen personal information protection measures and deployment in each country

  • Provide support for revised internal guidelines of Personal Information Protection
  • Assistance in concluding consents/agreements for extraterritorial transfers
  • Assist in reviewing and establishing management systems
  • Provide support with business process changes and prepare training materials and training for local business customs when deployed to other offices outside of the country.
  • Assist in organizing requirements, design, and project management for implementation/renewal of system solutions
  • Provide training from incident insights to liaison with relevant national authorities and public relations response

MASON's Strengths

Extensive experience in supporting companies with global operations to comply with GDPR.

We have extensive experience in assisting Japanese companies expanding globally to comply with the GDPR. In addition, our consultants regularly research information from ENISA (European Network and Information Security Agency) so that we can provide consulting services based on the latest information trends.

What is a SOC Report?

SOC report is an abbreviation for "System and Organization Controls.
It is a report used to check the status of internal controls of outsourcing companies.

MASON provides assurance on internal controls for security, issuing certificates (SOC reports) on assurance of internal controls related to security, availability, processing integrity, confidentiality, and privacy.

MASON provides services tailored to the customers' needs. Please contact us.

MASON Consulting, Co., Ltd.

10th Floor Shiba Daimon Center Bldg.,
1-10-11 Shiba Daimon, Minato-ku, Tokyo

Location Map

MASON has acquired ISO27001 certification.

MASON is committed to implementing security measures in accordance with the Guidelines for Information Security Measures for Small and Medium Enterprises.