Consult Hyperion, as commissioned by AllClear ID (experts in data breach solutions), has published a new report focussing on the effect of the GDPR on banks. The report states that the highest-risk item for banks is the breach notification requirement, which requires data controllers to notify a supervisory authority of a personal data breach no later than 72 hours after becoming aware of it. They must also provide detailed information regarding the breach, such as the approximate number of data subjects and records affected and the nature of the personal data breach. The penalty for non-compliance with this requirement under the GDPR can be up to €10 million or 2% of global annual revenues. Further, the report forecasts that European banks can expect fines in the region of €4,662 million in the first three years after the introduction of the GDPR (excluding compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations). One reason for this identified by the report is that the chances of a breach occurring will likely increase because other European financial services regulations coming into force at the same time (the ePrivacy Regulation, the Anti-Money Laundering Directives and the Second Payment Services Directive) will expand the volume of personal data banks hold and the length of time for which they must retain it.