European banks could face fines totalling €4.7bn in the three years after the General Data Protection Regulation comes into force, according to a report from data security solutions firm AllClear ID.
The latest in a string of sales-pitch reports on businesses’ preparedness for GDPR to land in The Reg’s inbox says that banks are not properly prepared to meet the requirement that data breaches be reported within 72 hours.
Failure to do so could see firms face fines of up to €10m (£9m) or 2 per cent of global turnover for first offenders, or up to €20m or 4 per cent for those that have had their wrists slapped before. These are much greater than current UK sanctions, which max out at £500,000.
The analysis, based on previous breaches across the European banking sector and carried out by Consult Hyperion, estimates the number of breaches that could happen in a year.
It then plugs in the potential sanctions those breaches would incur to come up with a scenario that would see banks facing fines of €1.5bn in one year; it multiplies this by three to ping out the magic €4.7bn figure.
The report said that, globally, between 2013 and 2016 there were over 3,000 reported data breaches in the financial sector, and that “in the absence of the mandatory reporting that GDPR requires these numbers are almost certainly understating the problem”.
In a statement, Tim Richards, principal consultant for Consult Hyperion, reiterated that the figures in the assessment were “conservative” and that “banks are not prepared for the consequences under GDPR”.
He said: “The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this.”
And, in an apparent attempt to shame the banking sector into action, the CEO of AllClear ID, Bo Holland, said that a poorly managed customer notification process after a breach has taken place “makes you look like a fool”.
Source: The Register