You are discussing administrative fines (which go to the DPC) and damages (which go to the data subject) in the same post. This might confuse people unfamiliar with this fairly dense topic. I also think your damages figures are high if you look to the U.K. where they’ve had non-material damages for years.

This is the problem. There is no case law to provide guidance as to the amount of compensation that should be paid. GDPR suggests that the Data Protection Commissioner could look for fines of "€10M or 2% of global turnover, whichever is greater" for "less serious breaches". And this is a serious breach. OP's solicitor is best placed to advise. Having said that, compensation in the low six figures may be appropriate given:
1) seriousness of the breach.
2) the new GDPR environment in which banks, and the rest of us, operate.
3) the possibility of systemic failings within BOI in relation to "data protection by design".
Ultimately, it will be up to the courts to decide on compensation. I suspect that if the OP were to instruct his/her solicitor to issue proceedings then BOI will fold before this gets publicly aired in court. BOI will not want to be a party to the establishment of case law on this one.