On January 25th, 2012, the EU proposed a comprehensive new General Data Protection Regulation.
Data security is covered in Section 2, which includes Articles 30, 31 and 32, beginning on page 59 of the proposed regulation.
Here is the main security text from Article 30:
"The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data."
It also talks about "solutions for privacy by design and data protection by default", so implying that you should think about security from an early stage.
Article 31 covers notification of a personal data breach - and gives 24 hours for a breach to be notified.
Article 32 gives more details on communication of a personal data breach to the data subject.
At this stage this is only a proposal which may or may not become law in the fullness of time.