Banks will be among the first organisations to be hit with massive fines for falling foul of the EU’s General Data Protection Regulation (GDPR) when it finally comes into force, according to European professionals polled by security firm Varonis.
Taken at the Cebit show, the sample was only 145 people but the fact that around half worked in European banking is still an interesting clue to the sector’s insecurity over the issue.
Thirty percent thought the first bank fined would most likely be German, just ahead of the 28 percent suggesting a US institution and 22 percent pointing to a bank from another European country.
It's not clear whether the belief that banks will be first on the block stems from worries over their data protection standards or simply from the expectation that EU regulators will want to make an example of a large institution - banks represent a relatively popular target.
Only a third said they had a plan that would allow compliance with the GDPR, and more than two thirds weren't sure what their organisation had to do in order to meet its demands.
Only one in five were aware of the maximum fine of up to 100 million Euros or two percent of turnover, although to be fair this hasn't always been a nailed-down certainty in a long and confusing process that has still to conclude.
What most assume is that the Regulation will cut its teeth by making examples of offenders to serve as a warning.
“Fines are expected to be 2 percent of annual income for failing to protect EU citizens' personal data; there could also be a significant number of individual claims in addition to fines, so the sums involved could be a substantial cost, even to a large enterprise.
“The new law will also mark a shift from a self-regulated environment to an enforcement regime, which will affect any organisation storing personal identifying information on European citizens,” he said.
“Organisations need to be prepared to protect customer data and prove that they are doing so to an appropriate degree of care, report any breaches and remove any data at the request of EU citizens."
Just under half thought their organisation would be able to report a breach to a local information commissioner within the generous 72-hour deadline.