The Shiseido Group (hereafter “Group”) is fully aware of the importance of personal information obtained through business activities, considers ensuring the safety of such information to be its social responsibility, and makes sure to implement privacy protection on a Group-wide basis under the “Shiseido Group Privacy Rules,” which must be followed by all people working for the Group.
Also, the “Shiseido Global Privacy Principles,” which were established as the Group’s common privacy principles, as well as each Group company’s privacy policies are publicly disclosed.
The Shiseido Group has privacy protection systems in place under the leadership of the Chief Information Security Officer (CISO) and Chief Legal Officer (CLO). The CISO and CLO assume overall responsibility for privacy protection and engage in the planning and implementation of related strategies and initiatives while communicating with the management team.
Also, the CISO and CLO jointly supervise the development and enforcement of rules and guidelines for privacy protection as well as the implementation of safety measures and education/training in each Group company.
The heads of offices, departments, and affiliates are appointed as Information Managers responsible for the implementation of privacy protection-related initiatives at their respective organizations. As for the regional headquarters outside Japan, privacy protection contacts in the local Information Systems and Legal&Governance departments periodically communicate with the CISO and HQ’s Information Security and Legal&Governance departments to ensure continued efforts to maintain and improve the Group’s overall privacy protection activities.
To promote privacy protection systems, we refer to several major related guidelines and best practices, such as the ISO 31000 international standard for risk management, the ISO 27701 international standard for privacy protection, the National Institute of Standards and Technology’s Privacy Framework, and the Guidebook on Corporate Governance for Privacy in Digital Transformation (DX) promoted by the Ministry of Economy, Trade and Industry and the Ministry of International Affairs and Communications.
Furthermore, specific guidelines and rules have been formulated. These include the above-mentioned “Shiseido Group Privacy Rules,” in addition to rules and regulations regarding information asset handling/management and information systems development, operation, and management. We are working to promote compliance with these guidelines and rules on a global scale by encouraging the engagement of overseas offices.
To ensure privacy protection, we check the information security management systems of the companies to which we outsource the handling of personal information before we execute a service agreement requesting that they take appropriate safety management measures.
The Shiseido Group conducts e-learning programs and holds group sessions on a regular basis to help employees increase their awareness and knowledge of privacy protection. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of privacy protection in our personnel from the time they start with the Group.
To keep employees updated on privacy protection issues, the latest information is posted on our internal portal.
The Shiseido Group has developed internal systems and processes that enable the Information Security and Legal&Governance departments to be involved in the development of new business or services from scratch so that necessary privacy protection measures can be taken at the planning/designing stage.
The Shiseido Group periodically checks and assesses its information assets including personal information. Also, to check if privacy protection measures have been implemented appropriately in all offices, departments, and affiliates, we conduct a risk-based assessment of their information systems and issue an order for improvement if a problem is detected. As for our business partners to whom we outsource the handling of personal information, we check their information security management systems and operational status thereof on a regular basis even after executing service agreements with them.
At the Shiseido Group, the Information Security department responds to accidents and emergency situations related to privacy protection, executing the necessary actions in cooperation with the Legal&Governance, risk management, and Information Systems departments depending on the impact of specific situations.
If a privacy incident such as a personal information breach occurs, the Group will report to the authorities concerned and data subjects, following the laws and regulations of each country/region.
To verify that the Shiseido Group’s implementation of its privacy protection initiatives and management systems are appropriate, we enlist external experts to conduct an assessment if necessary. Issues and challenges identified through the assessments are then considered to develop privacy protection strategies and initiatives.