“I intend to introduce a mandatory requirement to notify data security breaches”, Reding was quoted by the Telegraph as telling the British Bankers’ Association on Monday. She said that the new rules would also require businesses to conduct comprehensive data security risk assessments.
Reding admitted that she expects some resistance to the new requirement. “I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden. However, I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers' confidence in data security and oversight mechanisms”, she was quoted by the newspaper as saying.
Last week, Reding’s office released a survey that found three of four Europeans are worried about how companies use their personal information.
The survey found that 62% of Europeans give the minimum required information so as to protect their identity, while 75% want to be able to delete personal information online – the so-called right to be forgotten. There is also strong support for EU action on data security: 90% want to have the same data protection rights across Europe.
In releasing the survey, Reding said: “when I modernize the data protection rules, I want to explicitly clarify that people shall have the right – and not only the ‘possibility’ – to withdraw their consent to data processing.”