The Data Protection Commissioner (DPC) has handed Bank of Ireland a fine of €463,000 and reprimanded it for a number of breaches of GDPR data-privacy rules.
Bank of Ireland had notified the watchdog of 22 incidents linked to information provided to the Central Credit Register (CCR) – a centralised system that collects and securely stores information about loans.
The incidents, which took place in 2018 and 2019, included unauthorised disclosures of customers' personal data to the CCR, and accidental alterations of customers’ personal data.
A DPC investigation found that 19 of the incidents amounted to a ‘personal data breach’ under GDPR rules.
BoI to make changes
In 17 cases, the bank either failed to report the breaches “without undue delay” or reported them without sufficient detail.
In 14 incidents, the watchdog found that Bank of Ireland had failed to contact individuals quickly enough, in circumstances where the breaches were likely to result in a high risk to the data subjects’ rights and freedoms.
The DPC also found that the bank had failed to implement appropriate measures to ensure a level of security appropriate to the risk presented by its processing of customer data in transferring information to the CCR.
The watchdog has ordered Bank of Ireland to make a number of changes to its technical and organisational measures.
Bank of Ireland said it fully acknowledged and sincerely apologised for the breaches.
"The bank takes its regulatory and compliance obligations very seriously, and regrets that it has fallen short in this way," the bank said in a statement.