PayPay Inside-Out People and Culture

First Fund Transfer Business in Japan to Acquire CBPR Certification ─ CDO Office in Charge of Safety and Security of Data Operations


This Professionals series showcases talented experts who support PayPay’s operations. In this issue, we interviewed four members of the CDO Office (CDO: Chief Data Officer), which is responsible for privacy protection and data utilization. The members involved in successfully acquiring the CBPR System (APEC Cross-border Privacy Rule System) certification, a first-time feat for a fund transfer business in Japan, shared the backstory of the project and what motivates them to work.

Yosuke Terada

Corporate officer, CCO (Chief Compliance Officer), CRO (Chief Risk Officer), and CDO (Chief Data Officer), Division Head of the Legal & Risk Management Division.

After serving as an assistant officer and clerk at court, he joined Yahoo! Japan in 2002. Following a stint as the Senior Manager of Legal Department 1 and Senior Manager of the Corporate Governance Department, he was appointed PayPay’s corporate officer, CCO, CRO, and Division Head of the Legal & Risk Management Division in April 2020. He likes to cycle and make plastic models in his spare time.

Yosuke Tsunoda

Senior Manager of the CDO Office, Legal & Risk Management Division

He joined PayPay as an engineer from Yahoo! JAPAN in January 2019. He assumed his current position in April 2021. He is currently working on the sophistication of PayPay’s data governance and system risk management.

Yoshihiro Utsuki

CDO Office, Legal & Risk Management Division

He was involved in data governance at a major telecommunications company and worked for an auditing consulting firm before joining PayPay in January 2022. In April of the same year, he was selected to lead the CBPR certification project.

Yasutaka Yokoi

CDO Office, Legal & Risk Management Division

He was a member of the information security team at a manufacturer’s sales company, where he was involved in obtaining the Privacy Mark and ISMS certifications. He joined PayPay in February 2022.

Tomoko Mishima

CDO Office, Legal & Risk Management Division

After working in the legal department in a foreign IT company, she joined PayPay in October 2019. She is a Certified Information Privacy Professional/Europe (CIPP/E), a certification for information privacy law in Europe.

Protecting and Utilizing Data

Please tell us about the responsibilities of the CDO Office

Different departments within the Legal & Risk Management Division, including the Compliance Department, Internal Control Office, and the CISO Office (which handles information security measures) fortify our defense system according to their area of expertise. Among these departments, the CDO Office is in charge of data governance. Data governance has both a defensive and offensive role, in terms of privacy protection and data utilization.

In order to strengthen our offensive use of data in the future, we have taken the step of acquiring the Cross-Border Privacy Rules (CBPR) certification, which is an unprecedented move for a mere four-year-old company. Still, we managed to acquire the certification.

How did the CBPR certification project get started?

Since the establishment of the CDO Office in April 2021, we focused on developing rules and processes to trace how personal data is used to protect users’ personal information. Around the time we had our privacy protection system in place, I heard that Yahoo! JAPAN, a group company, was aiming to obtain the CBPR certification. So I asked Mishima-san and others, “Why don’t we obtain the CBPR certification next year?” That’s how it all started. When I discussed this with Nakayama-san, our CEO, he encouraged me to go for it, saying, “Let’s do it. Let’s be the first to obtain it among all the fund transfer businesses.” So we started the certification project in April 2022.

Becoming a Leader in Privacy Protection in the Fintech Industry

What did you do to obtain the CBPR certification?

We mainly worked on internal maintenance related to personal information protection since CBPR is a system of cross-border related personal information protection rules. We reviewed all relevant regulations to ensure compliance with the audit criteria, created the missing guidelines and manuals, and submitted dozens of files for review as evidence. We then repeated the process of preparing additional materials in response to the points raised and confirming them in virtual meetings with our counterparts, submitting a total of more than 150 files. The final step was an on-site audit before finally obtaining the CBPR certification.

Since the audit criteria included an assessment on personal information protection, the cooperation of the Internal Auditor’s Office and other departments was indispensable in obtaining the certification.

How long did it take you to get certified?

After the project started in April 2022, we spent three months preparing for the audit, started the audit in July, and obtained the certificate five months later. The standard audit period was set at three months, but it was more rigorous than we had initially anticipated, and it took time to prepare additional materials and make internal adjustments. Still, I believe we were able to get it within this time frame because of PayPay’s interdepartmental cooperation.

The first hurdle was to submit the application for review in three months, and Yokoi-san greatly contributed to that part of the process. Yokoi-san joined the project early in April, shortly after joining the company, and responded to our unreasonable demand to create a revised draft of the Personal Information Protection Regulations in just one month. His presence was so significant, allowing us to jump-start the CBPR certification audit after a three-month preparation period.

The original Personal Information Protection Regulations in PayPay was about 17 pages long, but we have now doubled the volume by making additions to adhere to the CBPR certification standard. It was difficult to fill in the missing pieces, of course, but it was also challenging to make it consistent with the guidelines in the financial sector and current internal operations.

There is no sense in just obtaining the CBPR certification because it is a management system. So it has to be ready for operation. Shortly after joining the company, I remember imagining how the management system would work and being very conscious about how we could actually operate the system as we proceeded with the project.

Right, Utsuki-san joined us in January 2022, and as soon as you came on board, we sort of gave you the leadership position for the CBPR certification project in an “it’s now all in your hands” kind of way, didn’t we (laughs)?

That sounds about right! It was my first big job with PayPay, so I was set on doing it, but at the same time, I had to start with, “So…what’s CBPR?” So, having Yokoi-san join us in April amidst the audit preparations was a huge help. In the beginning, it wasn’t easy to manage a project that needed the involvement of various departments when I hardly knew anyone in the company. But in hindsight, it was a very good opportunity for me. I was able to experience PayPay’s unique one-team approach through this project by working with nearly 50 people, from product to marketing, CS, HR, and general affairs.

CBPRs Certification

What does the CBPR certification bring to PayPay?

Concerns over security and handling of personal information are among the most commonly cited reasons for people not using the app. It’s not easy to wrap your head around how security and personal information are being treated because you can’t really see it. By obtaining the CBPR certification from an external institution, we believe we got our message across to our users that PayPay is operated under a safe and secure system for handling personal information.

In fact, there are currently only five companies in Japan that have obtained the CBPR certification, making us the first business in the fund transfer industry to do so. It goes to show how critical privacy protection is for the management of PayPay. I would be delighted to have PayPay be perceived as a leading company for both cashless payments and privacy protection.

Group of Professionals Headed to Create a User-First Service

What do you value most in your work?

Personally, what I value most is the fourth one, “Be sincere to be professional.” Despite our department’s often unlikable role, it’s pretty easy to do our job at PayPay. That’s because everyone on the first line of defense, the Product and Sales team, works with us professionally with a user-first mindset. It makes me want to be always professional, too.

I like the part about continuously accepting challenges in “Work for Life or work for rice,” as it allows me to work in my own way and in true PayPay fashion. I think the real thrill of being involved in legal affairs and data in a startup company that creates new value at such momentum is the excitement of taking on new challenges. Obtaining the CBPR certification was also a new challenge and one that I was very excited about.

I believe that being mindful of “Be sincere to be professional,” which can be applied to both the CBPR project and the day-to-day grind, inspired us to give our all to pass the audit and complete the project. So many people cooperated with us throughout the project, which was a testament to the third value, the culture of working as one team. The departments in the first and second lines are not in conflict. The second line tries to fortify the defense in a way that makes it easy for the first line to do their work. Similarly, the departments on the first line are mindful of the defense when creating a service. I feel that the company is on the right course since the departments complement each other well.

I also think it is important to work as one team. In my previous job, I was involved in acquiring the Privacy Mark and ISMS certifications, and I have witnessed firsthand the difficulty of carrying on while asking for the cooperation of each department. At PayPay, both the first and second lines handled the project at great speed and worked as one team, which led to the quick acquisition of the CBPR certification.

What do you hope to accomplish as the CDO Office in the future?

As I mentioned earlier, the CDO Office has two roles: to protect privacy and to utilize data. With regard to privacy protection, one of our missions is to create an environment where users can comfortably entrust their data. We must build a culture of considering privacy first, even in product development. That’s an area with no finish line, so we’ll have to keep carrying on with our mission.

On the other hand, another of our missions is to create new value from the data generated from having this many users and the vast amount of daily transactions. It’s a balancing act of not having a one-sided defense-heavy approach by creating an environment where we can leverage the data.

It’s also very important to share information. So I also want to work on an initiative to properly disclose the measures we take on security and privacy.

What is PayPay like for you?

Quite frankly, it’s an exciting place!

A company where you can take on challenges! And I feel we can work as one team at this company.

There’s no hierarchy here, so it’s a very flat workplace that makes it possible for us to work as one on any new tasks we tackle. PayPay is still a very young company, so the process of acquiring the CBPR certification was significant in itself in terms of setting up a structure and system. This leads to a sense of security and trust among users, and that keeps me going.

Finally, what type of person would you like to work with?

We would love to have people who can work from the user’s point of view. Each department may have a different role, but as long as we are ultimately working toward delivering good service to users, everyone cooperates with each other, and we have a group of people who are all running towards the same goal. I myself would like to work with someone like that, and this is a place where this type of person can excel.

In terms of skills, communication skills are essential. We want people who can communicate smoothly with others because no work can be completed by our department alone, and we always consult and coordinate with various departments. If the person has knowledge of systems, laws, and data on top of that, then that’d be wonderful.

*The recruitment status is current at the time of the interview.

Special Thanks: Yosuke Terada / Yosuke Tsunoda, Yoshihiro Utsuki, Yasutaka Yokoi, Tomoko Mishima / Editor: Danata / Author: PayPay Inside-Out Editorial Team / Photographer: Keizo
*Employees’ affiliations are as of the time of the interview.