
Privacy Protection

1. Privacy Principles

2. Privacy Protection Management Systems

(1)Management structure


(2)Development of policies and rules

*Center for Internet Security (CIS): An organization established in 2000 by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), and other government agencies, businesses, and academic institutions to work together on Internet security standards.

3. Initiatives to Promote Privacy Protection

(1)Employee training/education/awareness

The Shiseido Group conducts e-learning programs and holds group sessions on a regular basis to help employees increase their awareness and knowledge of privacy protection. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of privacy protection in our personnel from the time they start with the Group.

To keep employees updated on privacy protection issues, the latest information is posted on our internal portal.

(2)Promotion of privacy by design

The Shiseido Group has developed internal systems and processes that enable the Legal and Information Security departments to be involved in the development of new business or services from the beginning so that necessary privacy protection measures can be taken at the planning/designing stage.

(3)Supply chain security

At the Shiseido Group, when entrusting all or part of the handling of Personal Information to a third party, we appropriately manage and supervise the entrusted third party to ensure the security management of the Personal Information.

(4)Monitoring activities

The Shiseido Group periodically checks and assesses its information assets, including personal information. To check whether privacy protection measures have been implemented appropriately in all offices, departments, and affiliates, we also conduct a risk-based assessment of their information systems and issue an order for improvement if a problem is detected. For business partners to whom we outsource the handling of personal information, we check their information security management systems and the operational status of those systems on a regular basis, even after executing service agreements with them.

(5)Privacy incident response

The Shiseido Group has established a system to respond to incidents related to personal information. In the event of a possible data breach or violation of laws and regulations, the Legal, Risk Management, Information Security, Information Systems, and other departments work together to respond to the incident.
If a privacy incident such as a personal information breach occurs, the Group will report to the authorities concerned and to data subjects, following the laws and regulations of each country/region.

(6)Third-party assessment

To verify that the Shiseido Group’s privacy protection initiatives and management systems are implemented appropriately, we enlist external experts to conduct an assessment if necessary. Issues and challenges identified through the assessments are then taken into account when developing privacy protection strategies and initiatives.

(7)Disciplinary action

Violations of Shiseido Group’s privacy principles, policies, and practices may be subject to disciplinary action, including potential termination, in accordance with applicable laws.