It’s less than a year until the General Data Protection Regulation (GDPR) comes in and it looks like the new regulations could be very costly for financial institutions (FIs).
A report from business management consultants Consult Hyperion has predicted that European FIs could face fines of up to €4.7bn ($5.2bn) in the first three years as financial services begin to adapt to the new regulations.
What does the GDPR mean for the financial sector and why will it cost so much?
What is the GDPR?
The GDPR is a new regulation approved by the European Parliament. It intends to bring together data privacy laws across Europe, to “protect and empower” the data privacy of EU citizens and change the way organisations approach data privacy.
Any company or organisation that deals with data, whether that’s a tech company, a charity or a financial institution, will be subject to the regulations and will have to adapt to them in order not to be hit with very large fines.
The new regulations come into force on 25 May 2018 – so companies have some time to adapt before the rules are in effect.
If it’s an EU ruling, will the UK still be part of it after Brexit?
Despite the UK leaving the EU in March 2019, the UK government will replace the 1998 Data Protection Act with legislation that mirrors the GDPR, according to the digital minister Matt Hancock.
He told the House of Lords EU Home Affairs Sub Committee that it would be implemented in full because it is a “decent piece of legislation” due to “significant” UK negotiating successes during its development. It will also help to ensure the UK is starting from a position of “harmonisation” in the Brexit negotiations, which are due to start at the end of June.
The Information Commissioner’s Office will set out guidelines for UK businesses to help them prepare for the regulations next year.
What is the policy surrounding data breaches?
In recent years, data breaches have been hitting the headlines from Yahoo to Wonga.
Under the new regulations, data breaches which may pose a risk to individuals must be notified to the Data Protection Authorities (DPA) within 72 hours, and the individuals affected by the breach must also be informed. In addition, the GDPR financial penalties for a data breach are substantial.
Why will the fines be so large?
If a company or institution faces a data breach, they can receive fines of up to two percent of the previous year’s global annual revenues for a first offence and four percent for repeat offences.
There are also possible criminal penalties for executives deemed responsible.
Why will this affect financial institutions?
Research by Consult Hyperion, commissioned by data breach advisory company AllClear ID, has forecast how much European FIs could be fined if they are hit with data breaches. Unfortunately, FIs are among the most frequently targeted organisations when it comes to data hacks.
Globally, there were around 514 verified breaches annually in the financial sector between 2013 and 2016.
Tim Richards, principal consultant at Consult Hyperion, said:
Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the four percent level. This indicates an eight percent chance that any Tier 1 bank will suffer a data breach in any given year.
According to the report, the true number of breaches could be even higher than those counted here, and it appears that many businesses may not be ready for the GDPR. One of the hardest problems will be ensuring institutions notify customers within the 72-hour period.
Bo Holland, chief executive of AllClear ID, said:
GDPR raises the stakes even higher [in data breaches]. With only 72 hours to react, financial institutions that have not invested in response readiness will face the most serious fines and collateral business damage.
Based on previous data breaches, there could be two or three breaches of Tier 1 banks, whose average fine will be €260m; six breaches of Tier 2 banks, with an average fine of €48m; and several breaches at Tier 3 FIs.
These predicted costs don’t include compensation claims that could come after a breach, as well as costs associated with the loss of customers, damaged reputations and senior executive resignations.
In total, European FIs can expect fines in the region of €4.6bn in the first three years of the introduction of GDPR.
The countdown is on for companies to fall in line with the regulations to ensure they can protect their businesses, and their customers, from data breaches and subsequent fines.