Kyocera Document Solutions Europe is making group-wide efforts to reinforce its risk management system to cope with global decisions that are becoming ever more complicated. The President, supported by the EMEA Audit Division and the Risk Advisory Council, oversees and manages risks in line with Kyocera Document Solutions Europe’s strategy and activities. The Governance, Risk & Compliance department, the Internal Audit department and the Risk Advisory Council consist of a number of functional experts covering the various categories of risk. They provide support by increasing risk awareness in the company through policy setting, risk assessments, implementation of standards and controls, training, audits and management reviews, and continuous improvement, such as the implementation of recommendations from audits and reviews.
The company's risk and control framework is in line with the COSO Integrated Framework as defined by our ultimate parent company, Kyocera. On top of this, our risk and control framework includes risks and controls from the ISO 9001, 14001 and 27001 standards, as well as self-defined risks and controls, in order to meet compliance requirements. In accordance with the risk and control framework, the objective of our EMEA Audit Division is to provide reasonable assurance that our business objectives can be achieved and our obligations to customers, shareholders and society can be met.
The corporate governance of Kyocera Document Solutions Europe is built on the foundation of Kyocera Corporation’s corporate philosophy, “Doing the right thing as a human being”. In short, governance is the way the company is directed and controlled. This means that the President takes business decisions in accordance with defined Kyocera policies and procedures and the corporate philosophy.
The objective of corporate governance is to secure sound and transparent management and to lead the company in a fair and efficient manner whilst pursuing the management policy. Kyocera aims to be respected by society as “The Company” from the perspective of corporate ethics, while maintaining continuous sales growth and high profitability. To achieve this vision, Kyocera’s management policy is to further drive business expansion by being “a creative company that continues to grow”. In order to implement this policy, Kyocera aims to increase corporate value by expanding its business, namely by promoting the efficient use of management resources and further strengthening consolidated group management.
POPI is the Protection of Personal Information Act, Act 4 of 2013, South Africa’s equivalent of the European Union’s General Data Protection Regulation. The purpose of this law is to put in place conditions concerning how the personal information of data subjects, whether natural or juristic, is processed.
With the rise of the digital age comes all manner of risks related to personal information and the processing of such data. Risks include discrimination, defamation, theft, damage, and more. The POPI Act was created to ensure the protection of data subjects against these risks.
The Protection of Personal Information Act also serves to hold responsible those parties processing said data for any untoward actions that can result in such harm. Responsible parties are those who decide why and how to process personal information, and they are, according to the Act, obligated to comply with the conditions in the Act.
The POPI Act contains a total of eleven conditions, eight being general, and the other three being “extra”. According to the Act, responsible parties are also held liable for failures by those who work for them and for operators serving their needs. Such persons must also meet the conditions of the POPI Act in order for responsible parties to be considered compliant.
An organisation’s Information Officer will be responsible for compliance, and compliance will be regulated by a new Information Regulator. Although the information officer is responsible for compliance, the CEO is the one who might go to jail in the unlikely event of non-compliance combined with exacerbating factors.
Failing to comply with the POPI Act can lead to fines, for example for failing to protect account numbers. Other risks include imprisonment, paying out claims for damages to data subjects, and reputational damage. For this reason, complying with the POPI Act is important for South African companies.
Organisations in the financial, marketing, and healthcare sectors will be most highly impacted by the Act because they process a lot of personal information. Any company or organisation processing personal information, children’s information, and account numbers will also be influenced by the Act.
The POPI Act is set to commence during 2020. Once officially commenced, organisations will have a 12-month grace period.
In line with Kyocera’s Philosophy “Customer 1st Principle”, we are continuously working to meet the needs of our customers, as reflected by ensuring our products, services and solutions are of good quality, reliable, available, value adding and appreciated. By default our company is therefore committed to business continuity.
Kyocera Document Solutions Europe has formulated a Business Continuity Plan against occurrences that could potentially block the business and has taken the necessary measures, including securing important equipment in place, arranging repairs and acquiring alternative means of production. We continue to improve our response capability for emergency situations by maintaining response measures for identified risks and sharing information among departments.
Kyocera complies with the requirement that individuals’ personal information must be processed in accordance with applicable data protection law. Kyocera also recognises its corporate social responsibility to ensure that private data is handled in a fair and respectful manner. Kyocera therefore does everything possible to be legally and ethically compliant in order to safeguard personal data.
The Kyocera organisation is committed to the protection of the personal data of its employees, clients, suppliers, business partners and other individuals. Data protection is a fundamental right, protected not only by national laws but also by European law in the EU countries.
Pursuant to local data protection laws and the General Data Protection Regulation, Kyocera is obliged to implement procedures for the processing of personal data. Kyocera has a Personal Data Protection Policy which outlines the rules and procedures for processing the personal data of employees, clients, suppliers, business partners and other individuals.
Kyocera Document Solutions Europe has an Information Security Management Policy in place, as we regard management strategies, product development, expertise, technology, organisation, personnel information and other such information as the company’s most important assets. Based on the Information Security Management Policy, we have set up the Digital Information Security Management Regulations, the Personal Information Protection Management Regulations, and the Technological Know-how Leak Prevention Guideline, covering classified information management, intellectual property management, physical security management, visitor control and human control, thereby ensuring thorough information security management.
As a group, Kyocera has established a Digital Information Security Committee with the President as its chairman. This committee implements various digital security measures, including periodic employee education by position or job role, restrictions on the external use of information equipment, measures to prevent leaks of information assets, thorough management of IT assets, internal audits, and enhancement of information security against cyber attacks.
In line with Kyocera’s commitment to protect the data of employees, clients, suppliers, business partners and other individuals, Information Security plays an essential role within our business. Kyocera’s Information Security Program consists of several elements to ensure we reach an optimum security level. A designated Information Security Officer has been appointed to lead this Program within our EMEA region. Our security program consists of six elements, listed as follows:
1. EMEA Information Security Committee
The EMEA Information Security Officer is responsible for coordinating and executing Kyocera’s security program. The Officer’s main objective is to assess Information Security risks and plan their mitigation. In support of Kyocera’s Information Security Program, we have established an EMEA Information Security Committee. Within this committee, the EMEA Information Security Officer reports directly to the Board Committee, which consists of the General Manager of the EMEA Audit Division and the President.
2. Risk Assessments
Information Security risks are assessed on a frequent basis using a Risk Assessment Methodology fit for our industry and business. This risk monitoring allows us to continuously improve in line with the Plan-Do-Check-Act (PDCA) cycle. Besides our internal Information Security control framework, Risk Assessments are also conducted on the basis of the following standards and regulatory compliance frameworks: ISO 27001, SOC 1 Type II and J-SOx (the Japanese equivalent of Sarbanes-Oxley).
3. Policies and Procedures
Throughout the EMEA region, we have developed and implemented baseline Policies and Procedures to govern our Information Security. These Policies and Procedures cover the risks identified by the aforementioned Risk Assessments. In creating these documents, emphasis has been placed on ensuring the Confidentiality, Integrity and Availability (the CIA triad) and the Privacy of corporate and personal data. In addition to the CIA triad, the Privacy component is reflected in our processes at every stage.
4. Information Security Awareness
Within our Information Security Strategy the human aspect plays an important role. Kyocera has expressed its commitment to developing its employees’ awareness and vigilance. In line with this, we have set up an Information Security Awareness and Vigilance Program. This program consists of mandatory e-Learning modules, simulations, and continuous awareness material. The overall objective of our Awareness and Vigilance Program is to remind each employee of their Information Security responsibilities.
5. Regulatory and Standards Compliance
By achieving ISO 27001 certification, Kyocera re-confirms the importance it places on Information Security. The ISO 27001 cycle follows stringent accreditation norms, which are audited by an external auditor, ensuring an independent assessment of our Information Security Management System (ISMS). Furthermore, as a stock-listed company in Japan, we have an obligation towards society. This obligation brings regulatory compliance requirements to Kyocera, and therefore we have to adhere to J-SOx. Amongst others, these include information security controls ensuring adequate financial reporting.
Kyocera is recognised as an “authorised exporter” and “authorised importer” in accordance with the AEO (Authorised Economic Operator) system, an international standard designed to ensure the safety and smoothness of international trading, for which a mechanism of mutual recognition is established in each country. This authorisation helps our company to ensure security and smooth trading for products delivered to customers inside and outside Europe. By being AEO certified, Kyocera has proven that it has high-quality internal processes in place that protect goods in transit across the world, meeting the following criteria: customs compliance, appropriate record-keeping, financial solvency, and high security and safety standards.
Kyocera has a zero-tolerance policy towards bribery and corruption. In the Kyocera Group, “What is the right thing to do as a human being?” is always the basis of decision-making and one of the core foundations of the Kyocera Philosophy. All matters are decided in accordance with this fundamental principle. For Kyocera, the basis of dealings with business associates is to always be fair and just, and to approach all manner of transactions in the spirit of fair play, with the correct attitude as a human being. [link to CSR Report 2017]
Kyocera Document Solutions Europe expects its employees to behave in accordance with Company regulations and Philosophy at all times. This means acting ethically, with integrity, and in conformity with local legislation and defined internal policies.
Nevertheless, misconduct may happen within our Company, and we are not closing our eyes to this possibility. Employees can seek advice and consult on diverse matters of doubt, and report actions that are or may be in violation of laws and internal regulations relating to human rights, labour, safety and health, the environment, fair business practices, financial misconduct and any other potential issue.
The company encourages its employees to speak up and offers a Helpline and a Whistleblower report line alongside the direct line of management.
The Company takes the subject of harassment and non-financial misconduct very seriously. To provide a consistent approach to general misconduct, including harassment, that takes full account of the health and safety of Kyocera Document Solutions Europe Group employees and of any possible legal issues, a Helpline has been established. Employees are entitled to use the Helpline, but are under no obligation to do so.
Under the Helpline, employees can report non-financial misconduct, including harassment. Harassment is defined by the company as any form of verbal, non-verbal or physical behaviour at the place of work that conflicts with the dignity of other employees, that is undesired, unreasonable or insulting to its recipient, and that may create an atmosphere of enmity or humiliation which is intimidating to its recipient.
Kyocera Document Solutions Europe has implemented a Financial Whistleblower Policy as a mechanism for employees to report financial misconduct internally through a specific channel.
Under the Financial Whistleblower System, employees may anonymously report financial misconduct. Reported cases are investigated and verified in co-operation with the relevant divisions. This is followed by corrective action and preventive measures against recurrence.