Introduction
Data protection law is one of the most rapidly evolving areas of law of the past decade. Beginning with the EU's GDPR (General Data Protection Regulation, effective 2018), powerful personal data protection laws have come into force one after another around the world, and enforcement has grown more active. As for penalties for violations, under the GDPR the fine is the higher of 4% of total worldwide annual turnover or EUR 20 million; under the APPI (Japan's Act on the Protection of Personal Information), a corporate penalty of up to JPY 100 million is expected to be introduced in the 2026 amendment.
The difficulty of data protection law lies in the fact that (1) multiple jurisdictions apply in overlapping fashion; (2) both technical and organizational measures are required; and (3) the reputational impact of a violation is greater than the fine itself. For multinational companies, SaaS providers, and companies operating e-commerce sites, data protection compliance is a management issue that bears directly on business continuity.
Our firm supports integrated compliance design informed by the data protection regulations of the major jurisdictions—the APPI, the GDPR, U.S. state laws (CCPA/CPRA and those of Virginia, Colorado, Connecticut, and others), China's PIPL, and Singapore's PDPA. Rather than mere regulatory box-ticking, our stance is to reconcile driving the business forward with legal compliance—"making full use of data while staying within the law."
Areas of Practice
1. APPI (Act on the Protection of Personal Information) Compliance - Responding to the 2022 and 2026 amendments - Designing the privacy policy, purposes of use, and consent-acquisition flows - Reporting to the Personal Information Protection Commission and notifying data subjects upon a breach - Designing the use of pseudonymized and anonymized information - Building frameworks for third-party provision and management of entrusted parties - Consent for cross-border transfers and surveying the protection laws of the destination country
2. GDPR (EU General Data Protection Regulation) Compliance - Determining GDPR applicability when providing services to the EU - Organizing the legal bases (consent, performance of a contract, legitimate interests, etc.) - Preparing records of processing activities (ROPA) and DPIAs (Data Protection Impact Assessments) - Responding to data-subject rights (right of access, right to erasure, right to portability) - Determining whether a DPO (Data Protection Officer) must be appointed, and supporting the role - Transfers outside the EU: use of SCCs (Standard Contractual Clauses) and adequacy decisions - Support in appointing an EU representative (Article 27 Representative)
3. U.S. Data Protection Law - California CCPA/CPRA compliance - Compliance with state laws such as those of Virginia, Colorado, and Connecticut - HIPAA (health information protection) and GLBA (financial information protection) compliance - COPPA (Children's Online Privacy Protection Act) compliance - Responding to enforcement trends at the U.S. Federal Trade Commission (FTC)
4. Data Breach and Incident Response - Initial response upon discovery of a breach (including the 72-hour GDPR reporting requirement) - Directing forensic investigation and liaison with investigation firms - Preparing and submitting reports to supervisory authorities - Draft notifications to data subjects and guidance for call-center response - Damages negotiations and response to class actions
5. Cross-Border Data Transfers - Surveying the protection laws of the destination country - Preparing SCCs (Standard Contractual Clauses) and BCRs (Binding Corporate Rules) - Conducting a TIA (transfer impact assessment) - Supporting EU–U.S. Data Privacy Framework certification - Compliance with Chapter III of China's PIPL (cross-border transfer regulation)
6. Other Related Areas - Cookie banner design and compliance for web tracking technologies - Privacy design in the AdTech and MarTech space - Internal training and building a data protection governance structure
Representative Matters (Illustrative Examples)
Example 1: A SaaS Provider's GDPR Compliance Project
A homegrown B2B SaaS startup needed full GDPR compliance upon concluding a large contract with a mid-sized European company. Until then, it had been in a state of "complying with Japan's APPI but not addressing the GDPR."
Our firm completed a six-month project consisting of: (1) a current-state gap analysis (making visible the difference between the GDPR requirements and the status quo); (2) revising the privacy policy and terms of use (bilingual Japanese/English); (3) preparing records of processing activities (ROPA); (4) conducting a DPIA (Data Protection Impact Assessment); (5) appointing an EU representative; (6) building a transfer scheme based on SCCs (Standard Contractual Clauses); (7) preparing a DPA (data processing agreement) template for key customers; and (8) designing an internal training program. As a result, the company successfully concluded the contract with the European company, and its transactions with multiple European companies have since expanded.
Example 2: A Project to Address the 2026 APPI Amendment
A mid-sized retail chain comprehensively overhauled its personal-data protection structure in response to the 2026 APPI amendment (strengthened criminal penalties for breaches, closer alignment with foreign regimes, and the like). Multiple data categories existed—POS data, membership data, security-camera footage, and employee data—and the company's internal data flows had grown complex.
Our firm provided integrated support: (1) company-wide data mapping; (2) taking inventory of and reorganizing the purposes of use; (3) advising on a redesign of the consent-acquisition UX/UI; (4) amending contracts with entrusted parties (cloud providers, marketing companies, etc.); (5) a full revision of internal rules and manuals; (6) preparing a breach-response manual; and (7) delivering training for executives and frontline staff. The company was able to begin operating under the new structure at the same time the amended law took effect.
Example 3: Response to a Large-Scale Personal Data Breach Incident
At an e-commerce operator, an incident occurred in which hundreds of thousands of records of customer personal data (name, address, telephone number, and purchase history) were leaked through unauthorized external access. Although the leak of credit card information was avoided, social attention was high and an immediate response was required.
Our firm carried out: (1) directing the initial response within 24 hours of discovery (evidence preservation and selecting a cause-investigation firm); (2) a preliminary report to the Personal Information Protection Commission; (3) preparing draft notifications to data subjects, FAQs, and a call-center response manual; (4) drafting a press release and website notice; (5) supporting the filing of a criminal complaint with the police; (6) reporting to business partners (payment processors and logistics companies); (7) preparing for the possibility of a class action; and (8) designing measures to prevent recurrence (introducing multi-factor authentication, strengthening the WAF, and staff training). Through highly transparent disclosure, customer attrition was minimized and reputational recovery was achieved.
How to Engage Us
- Initial Consultation (30–60 minutes / available online): We hear your current situation and challenges and organize the issues.
- Estimate and Proposal: We present the scope and timeline. We accommodate both project-based and retainer arrangements.
- Commencement and Progress Sharing: We report progress at each milestone and coordinate with your internal approval processes.
- Completion and Aftercare: We can also provide continued support with updates on legal amendments and enforcement trends, and periodic reviews.
Fee Guide (Reference Figures / Subject to Discussion)
- Initial consultation: Free for the first 30 minutes; time charge thereafter
- GDPR compliance project: Estimated JPY 1.5–5 million (varies with scale)
- APPI compliance project: Estimated JPY 800,000–3 million
- Incident response (emergency): Time charge plus retainer
- Retainer (data-protection focused): Estimated JPY 150,000–400,000 per month
- Outsourced DPO: Estimated JPY 300,000–800,000 per month
Contact
For consultations in the data protection field, please reach out via our contact form. For emergency breach response, please note this and we will prioritize your matter.