Banks facing fines totalling €4.7bn under GDPR
Consult Hyperion is forecasting that European financial institutions could face fines totalling €4.7 billion in the first three years under the new General Data Protection Regulation (GDPR).
The report, “GDPR: Banks, Breaches and Billion Euro Fines”, which was commissioned by security firm AllClear ID, is a “conservative” forecast and excludes compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.
This anxiety is not new. Earlier this month, research by Veritas showed 47% of respondents fear their organisation won’t meet the requirements of the legislation, with 18% worried non-compliance could ultimately put their organisation out of business.
According to Consult Hyperion, under GDPR financial penalties for a data breach are substantial. Institutions can receive fines of up to 2% of the previous year’s global annual revenues for a first offence and 4% for repeat offences where the regulator has previously ordered remedial action. There are also possible criminal penalties for executives deemed responsible.
GDPR’s 72-hour breach notification requirement means managing and responding to a data breach in an open and effective manner is “critical”. Regulators have significant discretion in the level of penalties they can levy, and are required to take planning, customer notification and mitigation into account in the decision.
Tim Richards, principal consultant, Consult Hyperion, says: “Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the 4% level.
“This indicates an 8% chance that any tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR.”
To compound the issue, Consult Hyperion says new European regulations, such as the second Payment Services Directive (PSD2), will mandate institutions to hold more data and make it available over open interfaces, just when data loss becomes especially dangerous.
With less than a year before GDPR goes live, the report advises banks to take action now to meet the legislative requirements and to avoid financial and reputational loss.
The report also offers advice, stating that three “key crucial elements are required”: the expertise to deal with breach-specific issues, including identity theft; the specialised manpower to handle the volume of queries generated when a breach is publicised; and the infrastructure to provide secure communication channels for notifying customers.