
Privacy Protection

1. Privacy Principles

2. Privacy Protection Management Systems

(1) Management structure

(2) Development of policies and rules

In building our privacy protection systems, we refer to several major related guidelines and best practices, such as the ISO 31000 international standard for risk management, the ISO/IEC 27701 international standard for privacy information management, the National Institute of Standards and Technology's Privacy Framework, and the Guidebook on Corporate Governance for Privacy in Digital Transformation (DX) promoted by the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications.
On this basis, specific guidelines and rules have been formulated. These include the above-mentioned "Shiseido Group Privacy Rules," as well as rules and regulations covering the handling and management of information assets and the development, operation, and management of information systems. We are working to promote compliance with these guidelines and rules on a global scale by encouraging the engagement of our overseas offices.
To ensure privacy protection, before executing a service agreement with a company to which we outsource the handling of personal information, we check that company's information security management system and require it to take appropriate safety management measures under the agreement.

3. Initiatives to Promote Privacy Protection

(1) Employee training/education/awareness

The Shiseido Group conducts e-learning programs and holds group sessions on a regular basis to help employees increase their awareness and knowledge of privacy protection. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of privacy protection in our personnel from the time they start with the Group.
To keep employees updated on privacy protection issues, the latest information is posted on our internal portal.

(2) Promotion of privacy by design

The Shiseido Group has developed internal systems and processes that involve the Information Security and Legal&Governance departments in the development of new businesses or services from the outset, so that the necessary privacy protection measures can be built in at the planning and design stage.

(3) Monitoring activities

The Shiseido Group periodically inventories and assesses its information assets, including personal information. To verify that privacy protection measures have been implemented appropriately in all offices, departments, and affiliates, we also conduct a risk-based assessment of their information systems and issue an order for improvement if a problem is detected. As for business partners to whom we outsource the handling of personal information, we check their information security management systems and the status of their operation on a regular basis, even after executing service agreements with them.

(4) Privacy incident response

At the Shiseido Group, the Information Security department responds to accidents and emergencies related to privacy protection, taking the necessary actions in cooperation with the Legal&Governance, risk management, and Information Systems departments according to the impact of the specific situation.
If a privacy incident such as a personal information breach occurs, the Group reports to the relevant authorities and to the affected data subjects in accordance with the laws and regulations of each country and region.

(5) Third-party assessment

To verify that the Shiseido Group's privacy protection initiatives and management systems are implemented appropriately, we enlist external experts to conduct an assessment when necessary. Issues and challenges identified through these assessments are then taken into account in developing privacy protection strategies and initiatives.