GDPR ‘could cost banks €4.7bn in first 3 years’

European banks could face fines totalling €4.7 billion in the first three years under the new General Data Protection Regulation (GDPR), a new report from Consult Hyperion has forecast.

The report has been described as ‘conservative’, as it excludes compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.

The report predicts that financial institutions could experience 384 data breaches over that period, with fines as high as €260 million per breach.

Under GDPR, financial penalties for a data breach are substantial. Institutions can receive fines of up to two per cent of the previous year’s global annual revenues for a first offence and four per cent for repeat offences where the regulator has previously ordered remedial action. There are also possible criminal penalties for executives deemed responsible.

GDPR’s 72-hour breach notification requirement means managing and responding to a data breach in an open and effective manner is critical. Regulators have significant discretion in the level of penalties they can levy, and are required to take planning, customer notification and mitigation into account in the decision.

Tim Richards, principal consultant at Consult Hyperion, said: “The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this. Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the four per cent level.

“This indicates an eight per cent chance that any Tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR.”
