All UK firms to face mandatory data breach notification regime

All businesses in the UK that store data on customers will soon have to disclose any breaches, as the European Commission looks to widen the scope of recent changes to data protection laws.

Speaking at the British Bankers' Association (BBA) Data Protection and Privacy Conference in London on Monday, European Union justice commissioner Viviane Reding said the move would ensure all businesses took data protection seriously.

"I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services," she said.

"It would create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data."

Reding explained that the Commission's proposals to change data protection legislation would be revealed in the coming months and that she would meet with UK ministers to discuss the plans.

"We have consulted widely on this major reform and we've taken into account many suggestions and concerns of experts and stakeholders [and] during my visit to London I have the opportunity to discuss our proposals with justice secretary Kenneth Clarke," she added.

Telecoms firms and internet service providers are already subject to mandatory data breach disclosure after changes to the ePrivacy Directive, which came into force on 26 May.

Mobile operator Everything Everywhere recently slammed the law, claiming it will swamp the Information Commissioner's Office (ICO) with unnecessary reports of data breaches.