GDPR & Personal Data Protection Laws and Data Erasure Obligations - Legal Compliance for Enterprises
Explanation of data erasure obligations under EU GDPR and Japanese Personal Information Protection Act. Learn about violation penalties, corporate response strategies, and proper data erasure methods.
Data Erasure is a Legal Obligation
For companies handling personal information, proper data erasure is a legal obligation.
EU GDPR (General Data Protection Regulation)
Main Provisions
- Right to be forgotten: Individuals' right to request deletion of their data
- Data minimization principle: Retain only minimum necessary data
- Storage limitation: Prompt erasure after purpose fulfillment
Violation Penalties
Up to €20 million (approximately ¥3 billion) or 4% of global annual turnover, whichever is higher
Numerous enforcement actions under these provisions have already been reported.
Japanese Personal Information Protection Act
Main Provisions
- Obligation to delete after purpose achievement (Article 22)
- Security management measures (Article 23)
- Contractor supervision (Article 25)
2022 Amendment Key Points
- Strengthened breach reporting obligations
- Stricter penalties
- Enhanced cross-border transfer regulations
Corporate Response Measures
1. Data Erasure Policy Development
- Clear retention periods
- Documented erasure procedures
- Clear responsibility assignment
2. Appropriate Erasure Method Selection
- Logical Erasure: Software-based overwriting of the stored data
- Physical Destruction: Physical destruction of the hard drives themselves
- Degaussing: Erasure of magnetic records by demagnetizing the media
3. Erasure Certificate Storage
- Erasure work records
- Certificate issuance
- Audit trail assurance
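As an added illustration of sections 2 and 3 above (logical erasure plus an erasure record), the following Python code is not MASAMUNE's code and is not taken from the original page. It overwrites a file in place with random data, removes it, and then issues an HMAC-signed erasure record that an auditor can verify later. The signing key `CERT_KEY`, the function names, and the sample file contents are all constructed for this example.

```python
"""Added example: file-level overwrite plus a tamper-evident erasure record.

Constructed for this page; not MASAMUNE code.  Assumes a hypothetical
organisation-wide signing key (CERT_KEY) and keeps records in memory.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Hypothetical signing key for erasure certificates.  In production this
# would be held in an HSM or secrets manager, never hard-coded.
CERT_KEY = b"example-signing-key-do-not-use"


def overwrite_file(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite a file's contents in place, fsync, then unlink it.

    Returns the number of bytes overwritten per pass.  A single pass of
    random data corresponds to the "Clear" level of NIST SP 800-88 for
    magnetic media; in-place overwrite is NOT sufficient on flash or
    copy-on-write storage (see usage note).
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the overwrite reaches the device
    os.remove(path)
    return size


def _canonical(record: dict) -> bytes:
    # Stable serialization so the HMAC covers exactly the same bytes on
    # issue and on verification.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(path: str, size: int, method: str, operator: str) -> dict:
    """Build an erasure record and attach an HMAC so later edits are detectable."""
    record = {
        "file": os.path.basename(path),
        "bytes": size,
        "method": method,
        "operator": operator,
        "erased_at": datetime.now(timezone.utc).isoformat(),
    }
    record["hmac"] = hmac.new(CERT_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_certificate(cert: dict) -> bool:
    """Recompute the HMAC over every field except the tag itself."""
    body = dict(cert)
    tag = body.pop("hmac", "")
    expected = hmac.new(CERT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def erase_with_record(path: str, operator: str = "compliance-officer") -> dict:
    """Erase one file and return its signed erasure record."""
    size = overwrite_file(path)
    return issue_certificate(path, size, "overwrite-1pass-random", operator)


def demo() -> dict:
    # Constructed sample: a temp file holding made-up personal data.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"name=Taro Yamada;email=taro@example.com\n" * 100)
    cert = erase_with_record(path)
    assert not os.path.exists(path)          # file is gone
    assert verify_certificate(cert)          # genuine record verifies
    assert not verify_certificate(dict(cert, bytes=0))  # edited record fails
    return cert


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats. First, a file-level overwrite is only meaningful where the storage rewrites blocks in place; on SSDs (wear levelling, over-provisioning), journaling or copy-on-write file systems, and storage with snapshots, old copies of the data can survive, which is why NIST SP 800-88 points to device-level sanitize commands or cryptographic erase for such media and to destruction for the "Destroy" level. Second, the record is only as trustworthy as the key: keep `CERT_KEY` out of the hands of whoever performs the erasure, or use an asymmetric signature, so that the operator cannot forge or alter certificates after the fact.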
MASAMUNE Compliance Support
MASAMUNE Erasure supports legal compliance with the following features:
- NIST SP 800-88 compliant erasure algorithms
- Detailed log recording
- Tamper-proof erasure certificates (NFT support)
- Automatic audit trail generation
Summary
Data erasure is not just "work" but a "legal obligation." Establish proper tools and procedures to ensure compliance.