June 2015

New independent research underpins need for education and training within FS
sector to prepare for life under GDPR

According to Varonis (Nasdaq:VRNS), a leading provider of software solutions for

unstructured, human-generated enterprise data, banks will be among the first to
be hit with massive fines for falling foul of the EUs General Data Protection
Regulation (GDPR).

In a poll conducted at Cebit - Europes largest IT show the company revealed

the level of how unprepared the financial services sector is to life under GDPR.
Notably, 50% of all respondents that took part in the survey worked within the
European banking sector.

According to Varonis, despite the small sample size of 145 respondents, its
survey reflects a much wide degree of how under prepared the financial services
sector is as well as the nervousness that has penetrated the wider banking
community.

Key survey findings:

80% think that a bank is the most likely organization to be the first to suffer
the maximum fine (of 100m) for failing to meet the requirements of GDPR
When asked in which country the bank is most likely to be based, of those
surveyed 30% said Germany, 28% said US and 22% said another EU
country
Only 48% of respondents thought that their organization could report a
breach within the proposed 72-hour deadline (which could be reduced to
24 hours when the draft Regulation is agreed by the European Parliament,
Council of Ministers and the European Commission)
Only 31% have a plan to enable them to comply with GDPR and only a
33% have the processes and technology in place to prevent their
organization from getting a large fine as a result of GDPR
71% of respondents didn't know what companies need to do in order to
comply with GDPR
Only 22% of respondents knew that the maximum fine under the new
legislation is planned to be 100 million - most thought it was only going to
be 10m (41%) or 1m (32%) and a small number thought the fine could
be 1bn
A third of respondents thought that the GDPR will come into effect in 2015,
a further 28% thought it would take another year to 2016, 7% thought it
 would never become law, and 32% did not know when it would become
law.

From looking at this survey, it's not clear whether the nervousness stems from
worries over data protection standards where many banks have as yet to conduct
data protection impact assessments (DPIA) across their whole business or
whether theres a fear that supervisory authorities in Europe will take action as a
result of new powers that theyll have under GDPR.

Either way, the message is clear all banks that operate within the EU need to
start to take action today in order to avoid running the risk of being fined after the
transition period of the GDPR ends, likely to be in 2017, observes Professor
Bryan Foss, a leading data protection and governance expert and former director
of IBMs financial services global business.

The survey tends to indicate that education and training in what banks and other
financial services organisations should do in order to protect business continuity
is now a major risk management issue.

And most respondents assume that GDPR will impact the financial services
sector more than any other once the Regulation is imposed.

David Gibson, Varonis Vice President, adds:

"We can expect a major upgrade of the EU's General Data Protection Regulation
in the next 12-24 months. Fines are expected to be 2% of annual income up to
100m for failing to protect EU citizens' personal data. And there could also be a
significant number of individual claims in addition to fines, so the sums involved
could be a substantial cost, even to a large enterprise.

The new Regulation will also mark a shift from a self-regulated environment to
an enforcement regime, which will affect any organization storing personal
identifying information on European citizens (including US companies operating
in the EU).

Organizations need to be prepared to protect customer data and prove that they
are doing so to an appropriate degree of care, report any breaches and remove
any data at the request of EU citizens."

Hazel Grant, partner and Head of Data Protection at Fieldfisher LLP says that
given the extended scope and reach of GDPR as well as the increased nature of
fines, the Varonis survey raises important concerns as to the extent that
organisations are ready to comply with the terms of GDPR and manage any data
breach scenario.
The scale of potential fines will be closer to those handed down for bribery or
anti-trust violations and for the financial services sector data protection
compliance will be every bit as important as FCA regulatory compliance.

Even though the GDPR may not be in full force until 2017, theres considerable
work to be done now by those seeking to offer goods and services to data
subjects in the EU and to ensure that theyre in the best possible position to
comply with the GDPR or run the risk that they will also suffer significant
reputational damage to their businesses."

Varonis has seven produced the following tips for organisations to keep
unstructured data in compliance and enable them to prepare for life under GDPR.

1. Minimize data collection - the proposed GDPR has strong requirements

that companies limit the data they collect from consumers
2. Report promptly - data breach notification is a new requirement that EU
companies will have to handle
3. Retain carefully the GDPR minimization rules apply not only to the scope
of the data collected but also how long it's kept. In other words, you
shouldn't be storing data longer than is necessary for its intended purposes
4. Beware the new definition of personal identifier GDPR expands the
definition of personal identifiers and this change is important because the
EU law centres on protecting these identifiers
5. Use clear and easy to understand language companies will need to
obtain explicit consentan 'opt-in' from the consumerwhen collecting
data.
6. Find your delete key right to erasure' means that when consumers
withdraw consent on data they've given, the companies will have to
remove it.
7. Remember cloud computing doesn't escape from requirements under
GDPR the new EU Regulation follows the data.

The full guide in English and German can be downloaded here