IIJ to Increase Compliance Support for the EU's Personal Data Protection Regulation, GDPR | News

IIJ to Provide Tools to Support GDPR Compliance, and to Launch an Outsourcing Service for Data Protection Officers

March 19, 2018

PDF [145KB]

Japanese Version

TOKYO-March 19, 2018-Internet Initiative Japan Inc. (IIJ, NASDAQ: IIJI, TSE1: 3774), one of Japan's leading Internet access and comprehensive network solutions providers, today announced that it will launch its Quick GDPR Compliance Assessment, the IIJ Compliance Platform for GDPR, and other support tools for helping its customers respond to the General Data Protection Regulation (GDPR), which the EU enacted as a framework for personal data protection. The Quick GDPR Compliance Assessment is meant to assess corporations' current ability to comply with GDPR, while the IIJ Compliance Platform for GDPR includes the functions that corporations will need to respond to GDPR on their own. Furthermore, IIJ will provide its IIJ DPO Outsourcing Service so that companies can outsource data protection officers (DPOs (*1)) whom the Data Protection Supervisory Authority requires to be appointed.

The GDPR is an EU regulation that establishes legal requirements that must be satisfied in the processing of personal data within the EU and in the transfer of personal data from within the EU to third countries. The law also makes companies liable for administrative fine up to four percent of their global annual revenues or up to 20 million euros, whichever is higher, when a company is found to be in violation. The law will come into effect on May 25, 2018, but the public is not well-informed about the regulation. Because the compliance requirements cover a lot of ground, many companies that will be subject to the regulation are not completely prepared for the changes it will bring.

As part of its compliance with GDPR, IIJ has leveraged the knowledge it has gained through early steps in responding to data protection regulations, which include its submission of IIJ Group's documented uniform information management tool Binding Corporate Rules (BCR) to the UK's Information Commissioner's Office (ICO) in October 2016 (*2). In July 2017, IIJ launched the IIJ Business Risk Management Portal, which provides GDPR guidelines, explanations of related news, and other relevant information in Japanese. Now, to complete its support for corporations looking to comply with GDPR, IIJ will launch three new services.

(*1)DPOs are obligated to observe and advise data managers and processors on GDPR compliance and to report to the supervisory authorities and executive management.
(*2)For the announcement, see the press release of October 26, 2016 (https://www.iij.ad.jp/en/news/pressrelease/2016/1026.html).

1. Quick GDPR Compliance Assessment

By answering 25 questions in five categories related to GDPR compliance, companies can easily assess their own current state of compliance with the new regulation. The results appear in the form of a radar chart, and IIJ's customers can visually grasp the areas in which they are not yet compliant. This will be useful in formulating a compliance plan. This service will be available starting today as an option on the IIJ Business Risk Management Portal. Registered users of the IIJ Business Risk Management Portal may use the Quick GDPR Compliance Assessment for free.

IIJ Business Risk Management Portal Registration Fees

Membership type (*3)	Registration fees	Simple GDPR Compliance Assessment use fees
Free membership	JPY 0 per month	JPY 0(*4)
Basic membership	JPY 3,480 per month
Advanced membership	JPY 15,000 per month

(*3) These are the types of membership available for the IIJ Business Risk Management Portal. Free memberships and basic memberships are monthly agreements, while advanced memberships are annual agreements.
(*4)Users can review their current compliance state with radar charts. In addition, basic and advanced members can view suggestions for various aspects of compliance.

IIJ Business Management Portal : https://www.bizrisk.iij.jp (Japanese text only)

2. IIJ Compliance Platform for GDPR

This platform provides functions for visualizing companies' own current compliance with GDPR and its compliance progress, while also automatically producing reports to executive management and supervisory authorities. Just by registering their internal systems for handling personal information on the platform, customers will be able to follow guidance and perform easy-to-understand tasks. The platform is provided under the partnership with Digital Control Room Limited (UK) and will be available starting March 26, 2018.

Service Menu

Category	Feature	Summary
Preparation	Setup	Users set their DPO's names, organizational structures, data handling policies, and other basic information.
Preparation	System and data flow map	This maps the organization's system and third-party processors.
Assessment	Data processing	This is an assessment of data processing compliance.
	Relations with third-party organizations	This assesses compliance in terms of relations with all third-party organizations.
	Transfers to third countries	This assesses the gap in protective measures when transferring data to third countries.
	Security	This assesses data security.
Achieve and Maintain	Deviations	This provides follow-up, management, and resolution of compliance deviation.
	Privacy notices	This establishes and maintains privacy notices.
	Third-party compliance audits	This assesses third-party compliance and manages applicable audits.
	Breach notifications	This provides notifications when data breach occurs.
Privacy by design	Data privacy impact assessment	This conducts a DPIA (*5) and performs an audit.
Reports		This automatically creates reports. (*6)
Support		IIJ representatives can help with any unclear matters.

(*5)An abbreviation of data protection impact assessment.
(*6)Automatically created reports can be customized to meet the needs of IIJ's customers. (Additional fees are required.)

IIJ Compliance Platform for GDPR Use Fees (*7)

Type of IIJ Business Risk Management Portal Membership	Initial Fees	Monthly Fees (by number of systems registered)
General customers	JPY 300,000	One system: JPY 100,000 Two systems or more: Add JPY 12,000 for each additional system.
IIJ Business risk management portal Advanced membership	JPY 100,000	One system: JPY 100,000 Two systems or more: Add JPY 10,000 for each additional system.

(*7)Users must be registered users of the IIJ Business Risk Management Portal.

IIJ Compliance Platform for GDPR introductory page: https://www.iij.ad.jp/biz/cp-gdpr/ (Japanese text only)

3. IIJ DPO Outsourcing Service

In addition to their knowledge on EU regulation and each EU member state law related to GDPR and privacy protection, DPOs need to have diverse knowledge and abilities regarding how to handle personal data and the related IT systems and data security technologies. Furthermore, because DPOs are granted a high degree of independence and authority in their roles as data protection officers, they are not allowed to concurrently serve as managers in departments involved in handling personal data. As a result, companies find it challenging to appoint well-qualified individuals from within their own ranks. This service leverages the wealth of knowledge of IIJ's expert staff to provide contract DPOs. This service includes up to 10 corporate systems registered on the IIJ Compliance Platform for GDPR, so that user companies can effectively manage operations globally. Registration will begin on March 26, 2018, and the service will be available starting April 9.

Service Menu and Fees

Service Menu	Fees	Summary
Startup (Initial setup)	JPY 2 million (8) (9)	IIJ arranges and determines the operation plan and tasks, including creating a DPO team, arranging an annual plan for the DPO team, and performing weekly and monthly reviews, based on all the documents for GDPR compliance that the client company has prepared so far.
Operation	JPY 120,000 per month (*10)	Monitor and compliance reports for privacy protection in all departments and at all sites, and advice for corrective strategies On-site audits and corrective advice for sites that handle personal data Quarterly reports to executive management Planned development of personal data protection education Response to inquiries from data subjects (including employees) (*11) Responding to inquiries from and consulting with supervisory agencies Formulating an annual plan for the next year Communicating with supervisory agencies at the time of personal data violations (a non-regular task) Advice for DPIAs and preliminary consultations with supervisory agencies (a non-regular task)

(*8)Client companies should prepare a list of personal data processing records from Article 30, documents for reporting procedures and drafts to supervisory agencies after recognizing data breach in Article 33, a list of IT systems, and other relevant documentation. If the required documents are not ready, additional fees will be required.
(*9)Users of IIJ GDPR Compliance Consulting Service Type A will pay JPY 500,000.
(*10)This guarantees 25 hours of support per month. Support can be extended by five-hour units, and additional unit costs an additional JPY 175,000.
(*11)IIJ provides a dedicated e-mail support desk that can accept inquiries in the 24 official EU languages. Support is available for up to 50 e-mails per month, and separate estimates are required for additional inquiries.

IIJ DPO Outsourcing Service introductory page: https://www.iij.ad.jp/biz/dpo/ (Japanese text only)

IIJ will continue to quickly respond to changes to laws and regulations in all countries, to provide support for its customers' business risk management strategies.

Endorsements from

I welcome the launch of the IIJ Compliance Platform for GDPR - a joint initiative driven by the close partnership between IIJ and Digital Control Room (DCR). We are proud to support IIJ's customers with this powerful compliance system, which efficiently integrates DCR's proven technology with IIJ's expert GDPR consultancy services.

Digital Control Room Ltd.
Stephen Hickey, Managing Director

About IIJ

Founded in 1992, IIJ is one of Japan's leading Internet-access and comprehensive network solutions providers. IIJ and its group companies provide total network solutions that mainly cater to high-end corporate customers. IIJ's services include high-quality Internet connectivity services, systems integration, cloud computing services, security services and mobile services. Moreover, IIJ has built one of the largest Internet backbone networks in Japan that is connected to the United States, the United Kingdom and Asia. IIJ was listed on the U.S. NASDAQ Stock Market in 1999 and on the First Section of the Tokyo Stock Exchange in 2006.

For more information about IIJ, visit the IIJ Web site at https://www.iij.ad.jp/en/.

The statements within this release contain forward-looking statements about our future plans that involve risk and uncertainty. These statements may differ materially from actual future events or results. Readers are referred to the documents furnished by Internet Initiative Japan Inc. with the SEC, specifically the most recent reports on Forms 20-F and 6-K, which identify important risk factors that could cause actual results to differ from those contained in the forward-looking statements.

For inquiries, contact

IIJ Corporate Communications

+81-3-5205-6310
+81-3-5205-6377
press@iij.ad.jp

(*) All company names and service names used in this press release are the trademarks or registered trademarks of their respective owners.