NATIXIS_PILLAR_III_2017_EN

11 NON-COMPLIANCE RISK Personal data protection

As regards the Business Continuity Plan, the BCP and the IT Contingency Plan (ICP) were merged to increase their effectiveness. The 2017 second-level control plan covered most of the entities and critical IT infrastructures and was supplemented with a large-scale “Telework” test involving almost 700 staff and emergency drills. The Seine Flooding (“Crue de Seine”) project was successfully completed: new protection measures have been installed and successfully tested; the Paris IT network was secured, as was most of the access of the international platforms to the network; and a new fallback solution offering greater accessibility for staff was tested. Lastly, the new real estate strategy is being implemented as leases expire.

Natixis is steadily strengthening its business continuity system to contend with cyber threats. A crisis unit is in place, emergency procedures have been distributed on what to do in case of known cyber attacks (ransomware, DDoS, etc.), and we are currently reviewing ways of boosting our resilience to extreme shocks.

11.6 Personal data protection

Natixis is committed to protecting the personal data of customers and employees alike. As such:

- processes involving the use of personal data are conducted pursuant to the French Data Protection Act and, when necessary, are declared to the Commission Nationale de l’Informatique et des Libertés (CNIL – French Data Protection Authority) or the international equivalent;
- Natixis takes the necessary measures to guarantee the confidentiality of such data and to keep the persons whose data are being processed informed so that they can fully exercise their rights of access and rectification.

This is ensured at two levels of the organization: CNIL coordination (Compliance) and local CNIL representatives in every business line. Compliance with the General Data Protection Regulation (GDPR) is in progress: a body of procedures is being established, as are a register of personal data and an inventory, for each relevant operation, of the security requirements to be met for compliance; and a deputy manager in charge of personal data protection has been recruited.


NATIXIS Risk report Pillar III 2017
