UK businesses may soon have to follow rules requiring them to disclose data breaches immediately.
European Union justice commissioner Viviane Reding outlined her plans for compulsory data breach notification for UK businesses in her speech this week at the British Bankers' Association (BBA) Data Protection and Privacy Conference.
“I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services,” she said.
Reding outlined the extent of the consultation work that has gone into the move. Initial public and targeted stakeholder consultations were carried out last year, involving the BBA and the European Banking Federation (EBF). These were followed by talks with the UK Ministry of Justice, the Information Commissioner's Office and the Bar Council of England and Wales.
“The consultations have confirmed that the underlying principles of the current EU data protection legislation are still very much valid and have stood the test of time. However, it became equally clear that the EU needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection,” said Reding.
A key concern the new legislation seeks to address is the complexity of administration across EU member states, and the resulting cost and inefficiency.
“The upcoming data protection reform is an opportunity to streamline those rules,” Reding said.
She described the diversity of rules across the EU as a “huge cost to citizens and businesses alike” and said there was a need for a “level playing field” which she believes would be in the interest of businesses.
“Companies handling personal data in several EU countries currently have to meet different requirements in different Member States. This creates legal uncertainty and extra costs. The new legislation will clarify which law applies, across the EU,” she said.
Reding made it clear, however, that while she was prepared to relieve some of the administrative pressure on businesses operating in the EU she expected organisations to “do their share” in providing “safe and transparent” services.
“People must know how their data is being used. Service providers have to increase transparency on how a service operates, what data is collected and further processed, for what purposes, and where and how it is stored,” she said.
“In light of recent data theft scandals, let me add that I expect companies to do more to keep their customers' personal data secure.”
“Without this confidence, business and the economy as a whole will suffer. We have to regain that trust,” she warned.