The data protection company Enobyte was founded in 2017 by a group of Unix experts in Munich and specialises in advising internationally oriented Japanese companies in the EU and Japan. The international, German, English and Japanese-speaking team with certified data protection expertise and over 20 years of industry experience supports its customers in implementing the GDPR and setting up secure IT systems and IT infrastructures. For this sponsoring special, J-BIG spoke to Dr Hermann Gumpp, Managing Director of Enobyte GmbH, about how the focus on Japanese companies came about, what requirements Japanese companies have and how Enobyte can contribute to their success in the internet age.
J-BIG: Can you tell us the story behind Enobyte?
Dr Hermann Gumpp: Even before founding Enobyte, I had been offering IT consulting and academic services together with friends since my student days. We had a small company called Gumpp & Partners, where we took on consulting, software projects and hosting projects, among other things. One of our clients was Allianz Insurance, for example, and we also had a few Japanese clients.
The idea for Enobyte came about in 2016 when a new European law was introduced: the so-called General Data Protection Regulation, or GDPR for short (Japanese: 一般データ保護規則 Ippan deeta hogo kisoku). The law firm of one of our Japanese clients had heard about it and approached us for support with its implementation. The law came into force in 2016, but was not fully implemented until May 2018, when fines could also be imposed. In response to this request, we immediately got involved with the new regulation to support our client, a subsidiary of the Pasona Group, a major Japanese recruitment company. At the time, we were hosting complex web applications for the client in Germany. They had a large amount of personal data and therefore urgently needed to implement the GDPR.
This project made us realise that this issue affects many Japanese companies that are unsure about the new data protection regulations in the EU and need help with implementation. With the experience gained from this project, we founded a new company that specialises in supporting the implementation of data protection issues, particularly from a technical perspective. Enobyte GmbH was then launched in May 2017.
J-BIG: How did you come up with the name for your company?
Dr Hermann Gumpp: I was influenced by Enoden, short for Enoshima Dentetsu Line, the electric railway in Enoshima near Tokyo. The E in Enoden stands for Edo, the old name of Tokyo. The idea for E-no-byte was inspired by this name. With Enobyte, the E can also stand for “Europe”. Our company logo consists of three characters for sun (日). On the one hand, it looks like a Japanese family crest, a kamon. On the other, it’s meant to evoke Sun Microsystems. As old IT nerds and fans of Sun Microsystems, we wanted to recreate its old logo with the “Japanese sun” as a tribute to the company.
J-BIG: Where does your personal connection to Japan come from?
Dr Hermann Gumpp: My interest in Japan began in the mid-1990s through my good friend Martin, who is now also my management colleague and who introduced me to Japanese culture. That was a time when the Internet was just becoming accessible to ordinary people. Our circle of friends became interested in manga and anime, and the Japanese subculture of geeks and nerds was right up our street. Back then, most technology and consumer electronics came from Japan, and Japanese popular culture portrayed technology in a very positive light. Humans and machines existed in harmony and there was a very optimistic vision of the future. In many ways, Japan already seemed to be living in the future, and that fascinated me immensely.
When I started my degree in physics with a minor in computer science in Munich in 1999, Martin literally forced me to sign up for the Japanese course at university with him. At the same time, I took up Aikido, which I practised as a hobby and to balance out my academic studies. In 2001, I had the opportunity to train in a dojo in Tokyo for three months. I earned my living as a database administrator and PHP programmer. That was my first time in Japan, and it really fuelled my interest in the country.
In the following years, I was able to travel to Japan again and again through various contacts and work on various Japan-related projects. For example, I went to the very first Christmas market in Sapporo and helped out as a translator. Then I worked at Hitachi at the Leibniz Supercomputing Centre (LRZ, German: Leibniz-Rechenzentrum) as a German teacher, and at the NII, the National Institute for Informatics in Tokyo, I had a student job as a software developer and administrator of a small Linux cluster with 128 computing nodes. After my doctorate, I first went to Freudenberg, where I had the opportunity to go to Niigata for a year in 2009 to work on a post-merger integration project.
J-BIG: What was your first impression of Japan and how has Japan influenced you professionally?
Dr Hermann Gumpp: Japan has had a very positive influence on my life. I am glad that I came to Japan so early – at the age of 21. As a young person, when you are almost treated like a child in Japan, it was very easy to immerse yourself in the language and culture. When I first came to Japan, I was still feeling the after-effects of the bubble economy years. Japan was still miles ahead of the rest of the world in some areas, such as mobile phones. I was fascinated by Japanese engineering, quality awareness and attention to detail, and these values still shape my work today. The technical progress, quality and creativity that I was able to experience in Japan in the late 1990s and early 2000s are also my professional motivation: with Enobyte I want to help Japanese companies regain the glory of the bubble years in terms of digitalisation.
J-BIG: How has Enobyte developed from its foundation in 2017 until today?
Dr Hermann Gumpp: We have specialised in Japanese customers from the very beginning and have grown steadily. In 2018, together with the well-known Japanese cybersecurity expert Teruyoshi Adachi, I published a Japanese-language guidebook on GDPR, which became a bestseller on Amazon Japan and helped us gain a reputation in the market at the beginning. As a result, we were also able to win some major clients and many new business areas were added. Our office in Munich has grown and we have opened a small office in Düsseldorf because there are many Japanese companies there. In 2019, we founded our sister company Enobyte K.K. in Tokyo and recently opened a representative office in London.
J-BIG: Enobyte initially specialised in data protection issues. What are the main business areas today?
Dr Hermann Gumpp: The GDPR and data protection served as a starting point for us, but Enobyte covers the entire area of IT safety, IT security and cybersecurity – in other words, everything that has to do with the responsible handling of data and networks. In the event of IT emergencies and breaches of personal data protection, we are available as incident responders.
Many companies initially viewed the GDPR as a purely legal issue and sought legal advice. In our view, however, the GDPR and data protection are primarily technical and organisational issues and are therefore inextricably linked to IT security in our digital age. This means that the GDPR is a legal regulation and brings with it numerous documentation and information obligations, e.g. privacy notices on websites. But legal documents are not enough; the topic must also be implemented technically. We are very well positioned in this area: we work with a number of well-known law firms that provide legal advice and we help with the technical implementation. Basically, the GDPR was a blueprint for new laws that will come in the next few years. And even with these laws, legal advice will not be enough – the laws must be implemented technically and organisationally within the company.
J-BIG: Regarding Enobyte’s clients, what types of Japanese companies do you serve?
Dr Hermann Gumpp: We have a broad spectrum of customers who have different requirements depending on the nature of their business. A rough distinction can be made between B2B and B2C companies. A major customer in the B2C sector, for example, is the Japanese hotel chain Toyoko Inn, which also operates hotels in Frankfurt and Marseille and has to work with a lot of personal data. As direct customer contact is the main focus in hotels, data protection is a major issue and it is important that employees are trained accordingly. We offer on-site training so that reception staff, for example, know exactly which data they must or may ask for and which they may not. We also provide IT support for the online booking portals.
In the B2B sector, on the other hand, it is important that the top management is also well trained, knows the legal framework and ensures that data protection and IT security are implemented accordingly within the company. Cybersecurity is a “team sport” where everyone has to work together.
We also have clients at the intersection of B2B and B2C, such as soy sauce manufacturer Kikkoman, which sells to retailers, but for which brand reputation with consumers is also very important. The main concerns here are a resilient infrastructure and a transparent online presence with various websites and social media channels.
A new business area is AI companies, which involve automated data processing. This area is very dynamic and new regulations and laws can be expected in the coming years.
J-BIG: How many Japanese companies have you worked for in recent years and how do you still support them?
Dr Hermann Gumpp: We now have well over 100 Japanese customers, more than half of whom we support continuously as external data protection officers or IT security contractors. We support both small and large companies operating in Europe. However, large corporations predominate. Some of our clients have more than a dozen locations in Europe.
We offer our customers service level agreements that guarantee companies round-the-clock availability. According to the GDPR, notifiable incidents must be reported immediately, if possible within 72 hours of the data breach becoming known. With the NIS2 Directive (Network and Information Systems), which must be transposed into national law in October 2024 and is intended to further increase cyber security within the European Union, there is even a reporting obligation within 24 hours. That’s why we have a call centre through which we can be reached 24 hours a day, seven days a week in English, German and Japanese, and other languages if required.
Then there are assignments in which we scan websites, check data protection breaches or clarify other security issues. We are currently also increasingly advising on TISAX (Trusted Information Security Assessment Exchange) – this is a certification that was created as a system optimised for the risk assessment of suppliers for the exchange of standardised test results in the automotive industry.
We also have our own software development team, which analyses large amounts of data using machine learning or automatically generates privacy notices using large language models (LLMs) using our own software. And then there are cases where new customers call with an urgent problem, for example that they have been hacked. We then take care of damage limitation.
In the area of infrastructure, we not only work for Japanese companies, but also for some well-known German global corporations that attach great importance to secure communication between their sites. As one of the founding members of Sicherheitsnetzwerk München e.V., Enobyte was able to significantly expand its business in this area during the coronavirus pandemic. Among other things, we had the honour of setting up and operating a specially hardened video conferencing platform for the Munich Cyber Security Conference 2021 at the Hotel Bayerischer Hof in Munich, because the “normal” video conferencing providers widely used in the rest of the business world were unable to meet the high requirements.
J-BIG: What are classic worst-case scenarios in terms of data protection and cyber security and how can they be avoided?
Dr Hermann Gumpp: The classic example is a ransomware infection that paralyses the entire infrastructure of a major Japanese corporation in Europe. In large corporations, the computers of thousands of employees are networked throughout Europe or even globally. This is of course practical because it facilitates communication and data exchange between countries. In the case of malware, however, this is bad because the infection spreads and everything is destroyed. To prevent this, it would have been possible to work with network separation and micro-segmentation. This means that if a problem occurs in a network, it does not spread so easily and can be solved selectively. However, this adaptation of the network structure is often neglected.
Another example is multi-factor authentication: passwords can be easily guessed nowadays because attackers have easy access to large leaked password databases. You can protect yourself against this with hardware tokens. These are small devices that you connect to your computer via USB and use to authenticate yourself. The hardware tokens cost between 20 and 50 euros and if every employee has such a device, the company gains an enormous amount of cyber security with relatively little effort. A lot of damage can be prevented with simple solutions.
J-BIG: Why is it that many companies do not ensure sufficient cyber security in good time despite the major risks?
Dr Hermann Gumpp: There is often a lack of risk awareness – “nothing has happened yet” or “we’re not of interest to hackers after all” is often heard. Such statements show that the lack of server and network monitoring in particular is a problem. Companies often do not know how much data flows in and out every day and to which countries. The new laws are now forcing companies to monitor their own IT infrastructure for the first time. As a result, they realise what problems they are already facing. However, they are often unable to localise the problems precisely or assess how serious they are.
I believe that humans are not made for long correlation times between the cause of the problem and the occurrence of the problem. The human brain has a correlation time of around half a year, after which we no longer know what happened and why. In contrast to a cold, where the symptoms become visible relatively quickly after the infection, the correlation time for cyber security is too long. This means that many small problems usually add up unnoticed; you have long been compromised by malware until the problem is no longer so easy to solve and you no longer know the cause. Part of our work is to raise awareness of these risks. To make the problems visible, we also set up monitoring systems for our customers.
J-BIG: Are Japanese companies in Germany a different target for hackers than local companies or do they face the same problems?
Dr Hermann Gumpp: Most “hackers” are not people, but fully automated bots that travel the internet and attack anything that has a security vulnerability. The hacking systems don’t care whether the company is from Germany, Japan or another country. Many Japanese companies have not invested sufficiently in IT security over the last 20 years, but have paid high extortion money via Japanese insurance companies to buy their way out in the event of a hacker attack. As a result, cyber criminals are getting stronger and stronger. The damage has now reached levels that can no longer be covered by insurance. This has led to a shift in thinking in Japanese companies. Japan has woken up!
J-BIG: What are the differences in data protection in Japan and Germany and to what extent do these differences play a role in your business?
Dr Hermann Gumpp: In general, people in Germany are very aware of history and due to the bad experiences from the Nazi era and the GDR, where many people suffered because of surveillance, we now have the highest data protection standards in the world. In Japan, the regulations are less strict. However, in 2019, an adequacy decision was adopted between the EU and Japan, through which Japan introduced additional safeguards to ensure that data transferred from the EU is subject to protections equivalent to European standards. However, the fundamental challenges to IT security are more or less the same everywhere and cyber attackers look for the easiest targets. Many companies were initially afraid of the GDPR fines. In the end, however, it turned out that it is not the usually quite mild fines that you need to fear, but the cyber attackers.
At company level, however, there are differences between Japan and Germany that are relevant to our business. Most Japanese companies have a strict hierarchical structure and consider decisions carefully. Communication between the Japanese head office and the branches in Europe is often a challenge, also due to the language barrier. This is why direct contact with the Japanese side is very important for us at customer level. We regularly travel to Japan for presentations and meetings and explain the IT security requirements to the managers at headquarters directly in Japanese so that they can then implement them using the top-down approach and create a basis for the entire company. The fine-tuning for each country is done by our team, who know the different regulations inside out. You have to look at the company as a whole and see where it wants to go in the next few years. This is the only way we can provide our customers with the best possible advice. Many large Japanese companies think very long-term and trust plays a major role. I am very grateful for this trust. Anyone who has been in the Japanese business as long as I have knows that you have to work hard to earn your reputation over many years or decades. We have made it our mission to continue to develop in a sustainable way together with our customers.
J-BIG: What other factors make Enobyte an ideal partner for Japanese companies?
Dr Hermann Gumpp: Most managers in Japanese companies operating in the European market are very busy. That’s why we try to offer our customers an all-round carefree package that covers both legal and technical aspects, takes Japanese corporate culture into account, but also includes business aspects, in particular what the best options are for the European market. This includes questions such as “what is possible in Europe in terms of data protection law”, or “which good and favourable IT service providers are available in Europe”. Japanese companies often only look to Silicon Valley, but there are also many good and inexpensive service providers in Europe that we can introduce to Japanese companies with our expertise on the European market.
Some companies want to deal with the GDPR quickly and with minimal effort. In our opinion, this is the wrong approach. If you only ever put out the hot spots, you won’t have a long-term solution and it will cost more money in the long run than if you had done it properly from the outset. We therefore recommend creating solid foundations. In traditional Japanese culture, for example in the tea ceremony or martial arts, great importance is attached to the basics and a lot of time is spent training them. Unfortunately, these cultural foundations are often neglected in the area of IT security. In reality you regularly see companies that have not trained in cybersecurity at all for years – and that is an invitation for cyber criminals. On the other hand, the same companies then want to use artificial intelligence and play at the forefront of technology without even mastering the absolute basics. Our goal is sustainability in IT and sustainability through IT by helping to minimise risks and strengthen the resilience of companies in these uncertain times. In this area, we can offer Japanese companies great added value.
J-BIG: In your opinion, what do Japanese companies need to consider when opening a branch in Germany?
Dr Hermann Gumpp: To begin with, it is important for a company to understand the legal requirements and the infrastructure available on site. To get started, we offer an automated GDPR assessment with a questionnaire in Japanese that analyses the type and scope of data, the context and purposes of the data processing activities and the company’s existing data protection measures. Based on the questionnaire, we determine the necessary organisational and technical measures and by answering the questions the company is sensitised to the topic of data protection. As external data protection officers, we train the management and employees with regard to the data protection laws to which the company is subject. On the technical side, we help with the selection of hosting companies and assess risk profiles. We have lists that contain significantly better and cheaper alternatives to the major cloud providers.
For small and medium-sized companies that are strongly growth-orientated, we recommend introducing a management system for data protection and information security from the outset and thus documenting the company processes, risk assessments and responsibilities. By nurturing this management system, the company can grow on the basis of these structures. And for certifications such as TISAX or ISO 27000, you already have data in a system with which many requirements can be verified.
J-BIG: What are the challenges for companies that have been active in Europe for a long time and have already established and grown systems?
Dr Hermann Gumpp: In large, long-established companies, the challenge is to mediate between the generations that have different ideas about IT in the company. In both Germany and Japan, there is still a strong traditional 20th century mindset that IT is a practical tool – like a typewriter – but not the core business of the company. Japan and Germany were very successful in the production and manufacture of material objects (monozukuri 物作り) after the Second World War. In the last 50 years, however, more and more things can be modelled, simulated and automated by software. The physical world is therefore merely a manifestation of information processing in the computer. In Japan, in particular, the hierarchical structures make it a challenge for digital natives, for whom IT is the alpha and omega regardless of industry, to communicate this new way of thinking. We want to give young, committed employees a voice. As data protection officers, we have a right of audience with the management thanks to the GDPR. And through this channel, we want to sensitise the company to the topic and work together to find a way to integrate new ideas into the company and reinvent themselves.
An Aikido master once said: “If you want to drink my tea, you must first empty your tea bowl”. Applied to IT, a fundamental rethink is required and the courage to empty your own tea bowl in order to be open to new things. Many Japanese companies with a long history are often doing things very differently than they used to, which proves that Japanese companies are very good at reinventing themselves.
J-BIG: What will Japanese companies have to prepare for in the IT environment in the future – in general and in Europe in particular?
Dr Hermann Gumpp: It can be assumed that cyber attacks will continue to increase. Geopolitical tensions are also contributing to this. Data sovereignty will remain a major issue. However, I believe that many Japanese companies will handle this well, as there is a pronounced sense of duty and quality awareness that is unique in the world. Problems are tackled in a structured and pragmatic way. With increased risk awareness and the right preparation, I believe that Japan will be very well positioned in the digital world in the future. The market for high-quality software is not yet very large. I believe that Japanese companies have recognised this potential and can be very successful if they bring their high quality standards to the digital world. I would like to see the creativity and quality that I experienced in Japan in the early 2000s also being realised to a greater extent in the digital world and on the Internet.
We have many dynamic developments and influences from different countries in the EU. I believe that both sides can learn from each other. Japan can be positively influenced by the dynamics in the area of regulations and safety rules in Europe, and the EU would certainly benefit from the Japanese standards of quality and discipline.
This also applies to Enobyte: we learn and benefit from both sides and our aim is to bring the Japanese Omotenashi philosophy, which focuses on service, to IT so that people can digitise responsibly and look forward to the future without having to be afraid. Our goal is a people-friendly digitalisation that focuses on data protection and security and allows people to work with computers with joy.
J-BIG: So far, fear of the risks still seems to prevail and companies are primarily concerned with protecting themselves. How can digitalisation be made enjoyable?
Dr Hermann Gumpp: You can learn a lot from the tea ceremony. One of the four principles of the tea ceremony, alongside respect, purity and harmony, is inner peace and serenity. This is the goal you want to achieve when you fulfil the other three principles. It must be remembered that the Japanese ceremony originated in a dark, warlike time in the Japanese Middle Ages, perhaps comparable to the state of the internet today. But if you take the principles to heart, invest a lot of time in cleaning and preparing the tea room and the tea utensils and practise the procedures, then you can be calm when the guest arrives. Every movement is important. The utensils are handled with care. Over time, you learn to enjoy the process and see the beauty in the procedures. Applied to IT: it’s not just about the goal, but about the process, which can be designed to be aesthetically pleasing and secure. Valuable data is treated like a precious tea bowl and with more security, more convenience can also be achieved. These are the elegant solutions we are looking for. In summary, a lot of international cooperation, long-term strategic thinking and consistent implementation are required to pursue responsible and high-quality digitalisation. But it will pay off in the end.