Speaking at the BBA's Data Protection and Privacy Conference, Viviane Reding, vice-president of the European Commission, said new rules will be implemented in Europe forcing businesses to report security breaches.
"I intend to introduce a mandatory requirement to notify data security breaches, as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services," she said.
Reding said some banks are concerned about the extra work that could be created. "I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden. However, I believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers' confidence in data security and oversight mechanisms."
But a spokesman from the BBA said this would not mean much change for UK banks: "This is pretty much what we do in the UK at the moment."
A BBA statement, in response to Reding's speech, said: "The UK's banks follow the highest standards of customer protection in their data management. If a customer's personal data may have been breached, banks already undertake to inform the Information Commissioner's Office, the Financial Services Authority and the customer, where appropriate.
"We understand that Commissioner Reding proposes to make similar practices mandatory across the EU. It is unlikely that such a step would affect the current practices of the UK's banks, except to make mandatory these existing voluntary practices."
The FSA said it expects financial services companies to inform the regulators of any breaches.
An ICO spokesperson said: "We would welcome an expansion of mandatory notification requirements to cover serious data breaches in all sectors." But the ICO said the rules must clarify which breaches need to be reported and "...any new requirements must be proportionate, setting out clear criteria and thresholds for reporting a breach".
In her speech, Reding described how EU legislation on data protection has fallen behind technology developments. "The current EU legal framework for protecting personal data is from 1995. In the meantime, rapid technological developments and globalisation have profoundly changed the world around us, and brought new challenges for data privacy. With social networking sites, cloud computing, location-based services and smartcards, we leave digital traces with every move we make."