Initiatives for Information Security

IIJ has established the "Basic Information Security Policy" as a code of conduct in how to appropriately handle information asset. All officers and employees, including contractors and temporary workers, are educated on information security when they join IIJ to deepen their understanding of basic policy and related rules.

IIJ has appointed a Chief Information Security Officer (CISO) and established the "Information Security Committee." With these in place, IIJ has recognized accurately the status of operations related to information security and implemented necessary measures in a timely manners. In order to check compliance by all officers and employees with the “Basic Information Security Policy" and related rules, IIJ has conducted internal audits once a year and outside audits (ISMS) once a year.

Initiatives for privacy policy

As IIJ acknowledges the importance of personal information, it has established the "Privacy Policy". All officers and employees, including contractors and temporary workers, are educated on the protection of personal information when they join to deepen their understanding of basic policy and related rules.

IIJ assigns a person in charge of managing personal information at each department that handles personal information to ensure appropriate collection, use, management and other practices of personal information. When IIJ receives requests for inquiry, revision, deletion and others, IIJ responds to such requests as soon as possible. In order to check compliance by all officers and employees with the "Privacy Policy" and related rules, IIJ has conducted internal audits once a year and outside audits (Privacy Mark System) once a year.

Approval for its Binding Corporate Rules (BCR）(*1)

IIJ Group has received an approval for its Binding Corporate Rules (BCRs), IIJ Group's documented rules on personal data protections, which are subject to EU's personal data protection law called the General Data Protection Regulation (GDPR) (*2), from Germany's Data Protection Authority (DPA). With the BCR approval, IIJ Group has proven that its services have the same level of privacy protection as in Europe, which has allowed the legitimate distribution of EU personal data across borders within IIJ Group.

(*1)A policy for protecting personal data obtained in the European Economic Area (EEA) per the EU's personal data protection law, the General Data Protection Regulation (GDPR), stipulating rules for sharing this personal data with group companies outside the EEA
(*2)Obligations and rules concerning personal data processing and transfers in the EEA

Initiatives for Data Governance

IIJ holds the Data Governance Council chaired by the executive vice president to strengthen data governance. The council has the role of receiving reports on the operation status of the internal control system related to data governance from departments in charge of services, conducting a multifaceted and comprehensive risk assessment of such systems and services, providing advice to each of these departments and making recommendations to the president.