# Japan APPI — Privacy Impact Assessment

> Draft and validate a Privacy Impact Assessment for processing under Japan's Act on the Protection of Personal Information (APPI, amended 2022). Covers data categorisation, cross-border transfer assessment, and PPC guidelines compliance.



Tags: Japan, APPI, Privacy, PIA, Data protection


## Example Prompts

- Draft a PIA for our Japan operations under APPI
- Check our PIA for APPI data categories and cross-border transfer basis
- Validate PIA for PPC guidelines and four security measure categories

URL: https://rakenne.app/skills/jp-appi-privacy-impact-assessment/index.md




## Example Conversation

> **You:** We’re expanding into Japan and need a PIA under APPI. We process customer and HR data, some of it sensitive, and we transfer to our EU parent. Can you draft the PIA and run the compliance checker?

> **Agent:** I’ll draft the PIA with APPI data categories (personal information, sensitive, anonymised/pseudonymised), purpose specification, cross-border transfer basis under Art. 28, and the four security measure categories (organisational, human, physical, technical). Then I’ll run `appi_pia_compliance_checker`.

> **Agent:** Created `pia-japan-appi.md`. Running `appi_pia_compliance_checker`…

> **Agent:** Check **PASS** — data categories are applied, cross-border transfer basis is documented (adequacy/contractual), sensitive PI with explicit consent is covered, all four security categories are addressed, and PPC notification for database operators is mentioned. Ready for legal review.

## What the Tools Validate

**`appi_pia_compliance_checker`** scans the PIA document for:

- **APPI data categories** — Each dataset must be correctly classified as personal information, individually identifying codes, sensitive (special care) information, anonymised information, or pseudonymised information.
- **Cross-border transfer basis** — For each international flow, a basis under Art. 28 (adequate country, consent, contractual safeguards, APEC CBPR) must be specified.
- **Sensitive personal information** — Handling of sensitive PI with explicit consent must be documented.
- **Security management measures** — All four categories (organisational, human, physical, technical) must be addressed.
- **PPC notification** — Obligations for personal information database operators (notification to PPC) must be addressed.

**Output:** PASS if all are present; otherwise FAIL with a line per missing element. Fix gaps and re-run until the check passes.

## Output Excerpt

**PIA (excerpt):**

```markdown
## Data categorisation
- Customer contact data: personal information (retained personal data for disclosure/correction requests).
- Health data for benefits: sensitive personal information requiring special care; explicit consent obtained at collection.
- Analytics datasets: pseudonymised where applicable; re-identification controls documented.

## Cross-border transfer (Art. 28)
- Transfers to EU parent: adequate jurisdiction (EU adequacy recognition by PPC). Documented in transfer register.
```

**appi_pia_compliance_checker report (excerpt):**

```
=== APPI PIA COMPLIANCE CHECK ===
Result: PASS
Document: pia-japan-appi.md
APPI data categories are applied...
Cross-border transfer basis (Art. 28) is specified for international flows.
Security measure category 'Organisational' is addressed.
...
PIA meets APPI PIA compliance expectations.
```

## Getting Started

Add your source materials to the project workspace (e.g. processing inventory or transfer list), then activate the *Japan APPI — Privacy Impact Assessment* skill. The agent will guide you through drafting the PIA and running `appi_pia_compliance_checker` until the check passes.


