In response to the Cabinet Decision on the Revised Personal Information Protection Act, Practical Guidelines for "AI Utilization x Personal Information Protection" for SMEs Have Been Developed
Prerana Inc. has developed practical guidelines for "AI Utilization x Personal Information Protection" for SMEs, following the cabinet decision on the revised Personal Information Protection Act. These guidelines aim to help SMEs safely utilize generative AI, offering support for AI plan implementation and training programs combining anonymization technologies.
📋 Article Processing Timeline
- 📰 Published: April 9, 2026 at 18:50
- 🔍 Collected: April 9, 2026 at 10:32
- 🤖 AI Analyzed: April 18, 2026 at 18:38 (224h 6m after Collected)
Prerana Inc. (Headquarters: Kita Ward, Osaka City, Osaka Prefecture; Representative Director: Tomoki Ichikawa, hereinafter "Prerana") has developed "Practical Guidelines for AI Utilization x Personal Information Protection" to enable SMEs to safely utilize generative AI in their business operations, in response to the amendment bill to the Act on the Protection of Personal Information that was decided by the Cabinet on April 7, 2026. Considering the revised content, which includes the establishment of a penalty system and the strengthening of regulations for entrusted parties, which will directly impact SMEs, we will provide unique training programs nationwide to companies and professional offices, combining support for the introduction of secure corporate AI plans such as Google Workspace and ChatGPT Team / Enterprise with personal information anonymization processing technology.
### Cabinet Decision on the Personal Information Protection Act Amendment Bill - What are the Impacts on SMEs?
On April 7, 2026 (Tuesday), the amendment bill to the Act on the Protection of Personal Information was decided by the Cabinet. This amendment aims to balance the utilization and protection of personal data in the AI era, based on the "triennial review."
The main points of the amendment bill (related to SMEs) are as follows:
**[Establishment of a Penalty System]** Collection of illegal profits equivalent to the amount of illegal gains for violations concerning personal data of over 1,000 individuals. Companies handling large amounts of customer/employee data should be cautious.
**[Strengthening of Regulations for Entrusted Parties]** Review of obligations for businesses that have been entrusted with data. Management responsibilities when using AI services will be strictly enforced.
**[Establishment of Statistical Exception]** No consent from individuals required for statistical processing for AI development purposes. However, this is a relaxation for AI development companies, and general corporate AI use is not covered.
**[Strengthening Child Protection]** Explicitly requiring consent from legal representatives for individuals under 16 years old. Companies handling minors' personal information must comply.
It is important to note that the "statistical exception" is a regulatory easing for AI development companies; inputting customer data into services like ChatGPT by general SMEs remains subject to regulation. Furthermore, the strengthening of regulations for entrusted parties means that "inputting after anonymization" is becoming increasingly important.
### SMEs' Biggest Challenge in AI Utilization: "I Don't Know What I Can Input"
In a pre-survey for AI training conducted by Prerana targeting SMEs and professional offices nationwide, the biggest concern regarding AI utilization was: "I cannot determine whether I can input personal or confidential information into AI."
If this anxiety is left unaddressed, the following risks may arise:
- Stagnation of AI Utilization: Adoption and use of AI do not progress due to uncertainty about safe usage.
- Shadow AI: Employees use AI without permission via personal accounts due to the absence of company rules.
- Risk of Legal Violation: Personal information is input into AI without proper environmental preparation, leading to violations of the revised law.
### Prerana's Solution: A Safe AI Utilization Model with "3-Layer Defense"
Prerana advocates and provides a "3-Layer Defense Model" through training and consulting to enable SMEs to safely utilize AI while complying with laws and regulations.
**[Layer 1: Selection of Secure Corporate Plans]** Introduce corporate plans that guarantee non-learning, such as ChatGPT Team/Enterprise, Gemini Business, and Claude Team.
**[Layer 2: Execution of DPA (Data Processing Agreement)]** Legally classify the relationship with the AI service provider as "entrustment" and operate it as an exception to third-party provision. Based on Article 27, Paragraph 5, Item 1 of the Act on the Protection of Personal Information, business use without individual consent is legally secured.
**[Layer 3: Acquisition of Anonymization Processing Technology]**
### Cabinet Decision on the Personal Information Protection Act Amendment Bill - What are the Impacts on SMEs?
On April 7, 2026 (Tuesday), the amendment bill to the Act on the Protection of Personal Information was decided by the Cabinet. This amendment aims to balance the utilization and protection of personal data in the AI era, based on the "triennial review."
The main points of the amendment bill (related to SMEs) are as follows:
**[Establishment of a Penalty System]** Collection of illegal profits equivalent to the amount of illegal gains for violations concerning personal data of over 1,000 individuals. Companies handling large amounts of customer/employee data should be cautious.
**[Strengthening of Regulations for Entrusted Parties]** Review of obligations for businesses that have been entrusted with data. Management responsibilities when using AI services will be strictly enforced.
**[Establishment of Statistical Exception]** No consent from individuals required for statistical processing for AI development purposes. However, this is a relaxation for AI development companies, and general corporate AI use is not covered.
**[Strengthening Child Protection]** Explicitly requiring consent from legal representatives for individuals under 16 years old. Companies handling minors' personal information must comply.
It is important to note that the "statistical exception" is a regulatory easing for AI development companies; inputting customer data into services like ChatGPT by general SMEs remains subject to regulation. Furthermore, the strengthening of regulations for entrusted parties means that "inputting after anonymization" is becoming increasingly important.
### SMEs' Biggest Challenge in AI Utilization: "I Don't Know What I Can Input"
In a pre-survey for AI training conducted by Prerana targeting SMEs and professional offices nationwide, the biggest concern regarding AI utilization was: "I cannot determine whether I can input personal or confidential information into AI."
If this anxiety is left unaddressed, the following risks may arise:
- Stagnation of AI Utilization: Adoption and use of AI do not progress due to uncertainty about safe usage.
- Shadow AI: Employees use AI without permission via personal accounts due to the absence of company rules.
- Risk of Legal Violation: Personal information is input into AI without proper environmental preparation, leading to violations of the revised law.
### Prerana's Solution: A Safe AI Utilization Model with "3-Layer Defense"
Prerana advocates and provides a "3-Layer Defense Model" through training and consulting to enable SMEs to safely utilize AI while complying with laws and regulations.
**[Layer 1: Selection of Secure Corporate Plans]** Introduce corporate plans that guarantee non-learning, such as ChatGPT Team/Enterprise, Gemini Business, and Claude Team.
**[Layer 2: Execution of DPA (Data Processing Agreement)]** Legally classify the relationship with the AI service provider as "entrustment" and operate it as an exception to third-party provision. Based on Article 27, Paragraph 5, Item 1 of the Act on the Protection of Personal Information, business use without individual consent is legally secured.
**[Layer 3: Acquisition of Anonymization Processing Technology]**