The IIJ Privacy Compliance Solution is a solution that supports compliance with privacy protection regulations in various countries worldwide. These include the EU GDPR, Chinese Cyber Security Law, California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) in the USA, and Act on the Protection of Personal Information in Japan.
As IIJ has deployed our own business globally, we have developed a system for rapid compliance with each country's regulations, and we make decisions about work compliance under this system. We have used this knowledge to provide consulting services to more than 300 companies that represent Japan in the global market. Our deep knowledge at IIJ enables us to provide various solutions for integrated support, from current status analysis and system buildout to the operational phase.
In addition, measures for protecting privacy are required from the design stage when promoting DX that utilizes personal data or developing services that use new technology, such as Connected Car or other IoT. For this kind of "Privacy by Design" and "Privacy by Default," we provide advice for compliance with the laws of each country, as well as for implementations that should be performed as a part of corporate social responsibility. Please contact us anytime for a consultation.
We provide support for IT security solutions and compliance with the laws and regulations of each country, utilizing our practical experience in helping more than 300 Japanese companies comply with privacy protection regulations in various countries around the world. These include the GDPR, Chinese Cyber Security Law, CCPA/CPRA, and Amended Act on the Protection of Personal Information.
Our total solution package includes meetings with you to discuss your current situation, assessing your current state of GDPR compliance, and providing support during the planning phase through continuous support during the production phase. We also provide tailored solutions in accordance with your specific requirements.
In October 2016, IIJ applied to implement Binding Corporate Rules (BCR) as verification of its compliance with the GDPR. Approval from the EU Supervisory Authority to implement these BCR serves as acknowledgment that the IIJ Group and all of its services provide the same level of privacy protection as the EU. Personal data can therefore be transferred easily and without restriction by using the IIJ GIO cloud computing service as a platform for exporting customers' personal data from the European Economic Area. Other IIJ services used by many of our customers can also be included together with the GDPR compliance support service.
The GDPR (General Data Protection Regulation) defines the statutory requirements for managing personal information and for legally transferring data from the EEA to locations outside the continent.
The GDPR took effect on the 25th of May 2018. “It provides for very severe sanctions against controllers or processors who violate data protection rules. Data controllers can face fines of up to €20 million or 4% of their global annual turnover, whichever is greater. These administrative fines will be imposed by the national data protection authorities.” (European Council: https://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-regulation/)
For more information about the GDPR, please see the page "What GDPR is" on IIJ's "Global Reach" site.
The GDPR stipulates that companies meeting certain requirements have an obligation to appoint a Data Protection Officer (DPO). Furthermore, even companies that are not obligated to appoint a DPO are recommended to do so to maintain and improve corporate GDPR compliance.
The role of the DPO under the GDPR is to provide both legal and IT support for GDPR compliance and IT security solutions, so the DPO needs to have specialist knowledge in a wide range of fields.
Furthermore, regarding communications with Europe, if a quick and appropriate response cannot be made to an inquiry about personal data, or to the exercise of personal data rights under the GDPR by a data subject such as a European citizen, then the DPO must notify the Supervisory Authorities. The DPO must also report data breaches to the European Supervisory Authorities within 72 hours of an incident, and follow-up reports are also required. The DPO is also required to consult on Data Protection Impact Assessments (DPIAs) and on difficult points of interpretation. Such close communication must be performed quickly and appropriately, which places a heavy burden on the DPO.
Furthermore, under the GDPR, the DPO must be guaranteed independence within the company: the DPO should not receive work instructions from the company, and must not be dismissed or penalized for performing their duties. The DPO must be in a position that the company cannot control, such as reporting directly to the company's executive board. Managers who handle personal data, such as executives, administrators, or staff in the operational, human resources, or IT departments, cannot be appointed as DPO because of the conflict of interest. The appointment of a DPO is typically outsourced, both because it is difficult to find an internal appointee who meets the DPO requirements and because the DPO cannot be dismissed.
Recently, the obligation to appoint a DPO/CPO has spread from the EU to other countries around the world, modeled on the GDPR (for example, in Singapore, Brazil, and Thailand). In response, Japanese headquarters have started to appoint a centralized DPO in Japan as one method of exercising global governance.