The DX Engine Driven by Treasure Data and Dentsu Inc. [5]Challenges and Insights for Companies Facing "Personal Information Handling" in the DX Era (Part 1)
The handling of "personal information" is once again drawing significant attention.
This is because the digitization of customer touchpoints has progressed, enabling the collection of personal information at various contact points.
Globally, the trend toward stricter personal information protection regulations, such as GDPR (※1) and CCPA (※2), is intensifying. In Japan, revisions to the Personal Information Protection Act (※3) have also been implemented, presenting challenges for various corporate departments regarding "how to handle customer personal information."
This article presents a roundtable discussion among three experts who confront client challenges directly. They explore the essential handling of personal information for DX advancement, the difficulties in advancing related projects, and potential solutions.
Participants include Hiroyuki Tanaka, an attorney providing legal perspectives; Kohei Yamamori from Treasure Data, which provides customer data platforms; and Murasaki Imai from Dentsu Digital Inc., which offers comprehensive digital marketing solutions.
※1 GDPR
General Data Protection Regulation: A unified, stringent regulation on personal information protection implemented in 2018 across the EEA (European Economic Area).
※2 CCPA
California Consumer Privacy Act: Enforced in 2020. Applies to businesses handling the personal information of California residents. The first comprehensive state law on personal information in the United States.
※3 Revised Personal Information Protection Act
In 2020, Japan enacted and promulgated the Revised Personal Information Protection Act, which will come into effect within two years. Regulations have been strengthened and expanded, including restrictions on the use of certain cookies.
<Table of Contents>
▼Challenge 1: Decision-making slows due to "differing awareness of personal information" across departments
▼Challenge 2: Shortage of personnel specializing in privacy
▼Challenge 3: Difficulty achieving transparency in data processing procedures
▼What is required is "explaining things clearly to users"
Issue 1: Decision-making delays due to "differing awareness of personal information" across departments
Imai: In this roundtable, I hope we can share the personal information-related questions and challenges we receive daily from our respective clients and derive hints for solutions.
At Dentsu Inc. and Dentsu Digital Inc., starting with digital marketing, we address personal information concerns across various corporate departments and divisions, covering everything from strategy formulation to tactical implementation. Recently, we've particularly noticed difficulties in coordinating between stakeholders regarding personal information.
Yamamori: The "Treasure Data CDP(※4)" we provide is a data platform capable of managing all data, including customer information. Therefore, "handling personal information" is absolutely our top priority. With that as a given, what we've noticed recently is the challenge that clients inevitably tend to take a long time to consider and implement data utilization services like CDP.
※4 CDP
Customer Data Platform. Integrates and manages customer data held by companies, serving as the foundation for DX. For details on Treasure Data CDP, refer to the Treasure Data website.
Imai: Since Treasure Data CDP itself is a cloud service, the implementation effort should be significantly less compared to building a data platform on-premises (using your own equipment and systems). Where exactly is the time being consumed?
Yamamori: Because multiple departments and divisions handle personal information, the decision-making process for implementation itself takes a significant amount of time.
Imai: I see. Dentsu Digital Inc. faces a similar challenge. Previously, coordination could be handled within a single company, but recently we've received requests to share data and unify privacy policies across broader corporate entities, including group companies and sales subsidiaries. In such cases, there's often a disconnect in awareness or physical distance between the field teams holding customer data and headquarters, making coordination difficult.
Furthermore, digital marketing personnel are not legal experts, so it can sometimes take months to get them to fully grasp the importance of privacy.
Yamamori: Japan has also revised its Personal Information Protection Law. For groups operating globally, understanding the privacy-related legal systems and case law in each country becomes even more essential, doesn't it?
Now, Professor Tanaka, you are well-versed in personal information, intellectual property, and IT, handling data protection cases both domestically and internationally. I and Mr. Imai often consult with you. As a legal professional, what are your thoughts on cross-departmental coordination within companies?
Tanaka: As an attorney, I frequently interact with corporate legal department personnel. I often sense a disconnect between the legal department and other departments. Coordinating across diverse departments—the operational level, management, legal, and global teams—is extremely challenging, and I fully understand why project management takes considerable time.
On the other hand, companies driven by executive leadership show real speed. Projects where members understand the importance of both data utilization and privacy protection tend to make decisions quickly, regardless of the business.
I mai: I agree. For projects involving privacy, rather than starting directly from the marketing field, it seems that only after key stakeholders—the legal department, compliance, and management—share a common understanding of its importance can we truly reach the starting line.
Challenge 2: Shortage of Specialized Privacy Talent
Yamamori: When speaking with clients now, I notice more people expressing concerns about handling personal information and privacy. I think this is largely influenced by the increasing number of actual enforcement cases under GDPR, which imposes massive fines. When companies then review their internal operations, they likely find numerous points needing reconsideration to align with the revised Personal Information Protection Law.
Imai: However, the privacy landscape is evolving extremely rapidly. Realistically, it's difficult for a single company's compliance officer to keep up with global regulations in real time. Even with GDPR, many companies face situations where "translating the letter of the law into practical systems is impossible," making "legal interpretation" increasingly crucial. Professor Tanaka, what are your thoughts on the relationship between the law and practical implementation?
Tanaka: Honestly, the only way is to study daily (laughs). Personally, I strive to stay updated on the latest regulations not just in the EU and the US, but worldwide, so I can provide advice grounded in clients' practical realities.
Working on specific cases also involves collaborating with overseas lawyers to accumulate knowledge. Furthermore, over the past few years, I've regularly conducted seminars for companies on global data protection laws, and I make sure to update my knowledge during the preparation for these sessions.
Yamamori: Lately, I feel CRM and marketing managers also need to study the law to some extent just to do their jobs effectively. I often tell clients, "Business is becoming like mixed martial arts" (laughs). It's not about grappling versus striking, but rather that existing systems and legal departments, built on static structures, need to cooperate with marketing and DX departments seeking to address dynamically changing requirements. Otherwise, they can't keep up with reality. We're actually seeing cases where departments can't even agree on terminology.
Another factor hindering progress on privacy-related projects is the severe shortage of specialized talent in privacy and data compliance within Japanese companies.
Imai: In Japanese companies, information security officers often focus primarily on "incident response" as their main duty, with privacy falling outside their jurisdiction. While some overseas companies have dedicated privacy officers, Professor Tanaka, do you see similar movements emerging in Japanese companies?
Tanaka: I believe companies of a certain size are starting to establish roles like the so-called CPO (Chief Privacy Officer). Their role is essentially the "accelerator" side – leveraging data for business while respecting privacy, taking into account the needs of the business side.
On the other hand, there's also a role like the GDPR-mandated DPO (Data Protection Officer), which acts as the "brake" – monitoring whether the business and company are operating in compliance with the law.
Having both an accelerator and a brake responsible for data utilization creates a good balance. However, to be honest, I don't think many companies in Japan currently have both roles properly established and functioning effectively.
*Continued in Part 2
If you are interested in the solutions provided through the collaboration between Treasure Data and Dentsu Inc./Dentsu Digital Inc., please feel free to contact us.
[Download Overview Materials Here]
https://www.treasuredata.co.jp/d-dd-td-download/
[Contact Us Here]
https://www.treasuredata.co.jp/dx-engine-contact-us/
Was this article helpful?
Share this article
Newsletter registration is here
We select and publish important news every day
For inquiries about this article
Back Numbers
Author
Hiroyuki Tanaka
Graduated from Keio University Faculty of Law, Department of Law in 2004; Graduated from Keio University Graduate School of Law in 2006; Registered as an attorney in 2007; Completed New York University School of Law in 2013 (LL.M. in Competition, Innovation, and Information Law); Practiced at Clayton Utz LLP (until August 2014), admitted to the New York State Bar in 2014, served as a part-time lecturer at Keio University Faculty of Law from April to August 2018. Extensive experience in Japanese Personal Information Protection Law, global data protection laws (including GDPR and CCPA compliance), and privacy protection measures. Also handles numerous cases involving intellectual property and IT.
Kohei Yamamori
Treasure Data Inc.
At Dream Incubator Inc., primarily engaged in consulting services for the entertainment industry and private equity funds, as well as hands-on support for the company's portfolio companies. From 2013, seconded to portfolio company iPet Insurance, later transferring permanently to become Head of the President's Office. Listed on Mothers in 2018. At iPet, led initiatives including sales channel shift leveraging digital marketing, RPA implementation projects, development of agency-facing operational systems, liaison with the Financial Services Agency, and investment operations. Joined Treasure Data in 2019.
Imai Shiki
Dentsu Digital Inc.
Since joining Dentsu Inc., I have been dedicated to developing and implementing IT systems and overseas applications utilizing marketing technology. I possess extensive experience in formulating data strategies and developing new businesses leveraging cutting-edge technologies. My primary areas of responsibility include government agencies, telecommunications companies, and the automotive sector. After being seconded to Dentsu Digital Inc. in 2016, I directed the entire digital transformation process—from data infrastructure design and DMP construction to establishing operational frameworks. In recent years, I have also been involved in data management with a focus on data privacy.
