Consult Hyperion, together with AllClear ID, has released a report forecasting that banks will face fines totalling EUR 4.7 billion in the first three years under the new GDPR.
The report, GDPR: Banks, Breaches and Billion Euro Fines, also predicts the number of data breaches the European financial services sector will suffer over the next three years and the corresponding fines under the General Data Protection Regulation (GDPR): 384 data breaches, with fines of up to EUR 260 million for a single breach.
The figures were compiled from an analysis of historic data breach figures, adjusted for the size of the financial institution, with GDPR sanction levels then applied to the data. The report assumes that breaches fall into the lower tier of the GDPR fine scale: up to EUR 10 million or 2% of global annual turnover, whichever is higher.
Under GDPR the financial penalties for a data breach are substantial. The lower tier, which covers obligations such as security of processing and breach notification, allows fines of up to EUR 10 million or 2% of the previous year's global annual turnover, whichever is higher. The higher tier, which covers infringements of the basic processing principles and of data subjects' rights, as well as failure to comply with an order from the supervisory authority, raises this to EUR 20 million or 4%. Member states may also lay down further penalties under national law, including criminal penalties for the executives deemed responsible.
GDPR's requirement to notify the supervisory authority of a breach within 72 hours of becoming aware of it also means that managing and responding to a data breach openly and effectively is critical. Regulators have significant discretion over the level of penalty, and must take into account factors such as the technical and organisational measures that were in place, the action taken to mitigate the damage, whether the institution notified the regulator itself and how far it cooperated.
To compound the issue, newer European rules such as PSD2 (the revised Payment Services Directive), ePR and the fourth and fifth Anti-Money Laundering Directives (AMLD4/5) will require institutions to hold more customer data and, in the case of PSD2, to expose account data to third-party providers over open interfaces, just when losing that data becomes especially costly.
With less than a year before GDPR applies (from 25 May 2018), the report advises banks to take urgent action to meet GDPR and the other legislative requirements, to avoid both financial and reputational loss.