European banks could face fines totalling €4.7bn in the three years after the General Data Protection Regulation comes into force, according to a report from data security solutions firm AllClear ID.
The latest in a string of sales-pitch reports on businesses' preparedness for GDPR to land in The Reg's inbox says that banks are not properly prepared to meet the requirement that data breaches be reported within 72 hours.
Failure to do so could see firms face fines of up to €10m (£9m) or 2 per cent of global turnover for first offenders, or up to €20m or 4 per cent for those that have had their wrists slapped before. These are much greater than current UK sanctions, which max out at £500,000.
The analysis, based on previous breaches across the European banking sector and carried out by Consult Hyperion, estimates the number of breaches that could happen in a year.
It then plugs in the potential sanctions those breaches would incur to come up with a scenario that would see banks facing fines of €1.5bn in one year; it multiplies this by three to ping out the magic €4.7bn figure.
The report said that, globally, between 2013 and 2016 there were over 3,000 reported data breaches in the financial sector, and that "in the absence of the mandatory reporting that GDPR requires these numbers are almost certainly understating the problem".
In a statement, Tim Richards, principal consultant for Consult Hyperion, reiterated that the figures in the assessment were "conservative" and that "banks are not prepared for the consequences under GDPR".
He said: "The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this."
And, in an apparent attempt to shame the banking sector into action, the CEO of AllClear ID, Bo Holland, said that a poorly managed customer notification process after a breach has taken place "makes you look like a fool".
Holland said: "Financial institutions are myopically focused on preventative measures, ignoring the importance of resilience. History tells us that companies that have dealt with data breaches poorly have seen loss of customers, reduced earnings and board level resignations, while those with a prepared plan and a managed response have sidestepped these issues.
"GDPR raises the stakes even higher. With only 72 hours to react, financial institutions that have not invested in response readiness will face the most serious fines and collateral business damage."
Of course, the issue of preparedness for the impending GDPR is real, with a spate of surveys indicating that many businesses are not properly aware of the new regulations, which – as well as higher fines and tougher deadlines – will require organisations to demonstrate how they comply with the rules and to give individuals free access to the data held about them.
Last month, a YouGov poll of 2,000 businesses found that only 29 per cent had started preparing for the legislation, while the Information Commissioner's Office has repeatedly urged organisations to get their houses in order before May 2018, when the rules come into force – albeit using slightly less inflammatory terms.
Speaking at a recent event, Information Commissioner Elizabeth Denham said: "I don't think all companies are ready for GDPR. That said, changes in the law is evolution, not revolution."
In the meantime – and even if firms do start to pull their socks up – we can expect more scaremongering from various firms with skin in the security game in the months to come.