New EU-wide data protection laws are still at least two to three years away, but are likely to mandate data breach notifications for all organisations, according to the deputy information commissioner David Smith.
Speaking at the Infosecurity Europe event in London today, Smith explained that the Data Protection Directive is currently under review by the European Commission, which will announce a set of initial proposals in the summer.
"However, this is a sensitive and difficult area so don't hold your breath," he added. "It could be two or three years before the final proposals come out, but we will see changes."
One of these changes is likely to be data breach notification laws "across the board", according to Smith.
From May this year notification will become mandatory for service providers under UK law, but the European proposals would stretch to all firms in a similar way to those enforced in the US.
"We're keen to ensure its proportionality ... so only the ones which are significant [are notified]," said Smith.
Other areas likely to be included in the forthcoming update include data minimisation rules, privacy by design and the ‘right to be forgotten', i.e. the deletion of personal data from social networking and other sites.
Smith also defended the £500,000 cap on fines that the ICO is allowed to levy on organsations found to be in serious breach of the Data Protection Act.
"I don't think that any company would see a £500,000 fine as a bit of a joke, although for multinational businesses it would not necessarily have a huge financial impact," he argued.
"But there's always the trust, confidence and reputation damage which is a key driver for businesses. What we've got is proportionate and if [the fines] fail to deliver improved data protection we will be knocking on the door of government."
Darktrace pushes machine learning to take some of the pressure off of IT and security teams
Google also gets its hands on HTC's IP in a non-exclusive deal
Microsoft, Google and Samsung all targeted as Avast admits to the scale of the CCleaner compromise
Not all loose ends tied yet, admits Bain backer SK Hynix