Greetings from Brussels!
ICO Chief Elizabeth Denham has said she needs more staff on better compensation to ready the U.K. watchdog for the "tougher" new GDPR data protection rules and alleviate a growing citizen and consumer "crisis of trust" in government and companies' use of personal data. Somehow, I don’t think she is alone in that combat; I have heard similar remarks coming from regulatory circles across the EU. The competitive privacy labor market is not a new phenomenon, but it appears to be reaching new heights, with organizations across both the public and private sector scrambling for adequate staffing solutions.
On the state of play in the U.K., Denham said she was "optimistic" about GDPR readiness, as she feels many companies are clearly taking the forthcoming rules seriously. Regardless of the Brexit outcome and its immeasurable impact, the ICO chief said that maintaining close ties with fellow European regulators is a must because of the ever-present need for cooperative enforcement. She is not wrong there. Companies and business transcend borders and political disruptions. We will all need to evolve with the changes that come. U.K. business will not stop trading with the EU and beyond — and vice versa. We can only hope that the inevitable fallout will be limited.
The Confederation of British Industry, probably the largest U.K. business organization speaking on behalf of more than 190,000 businesses, is also evaluating the impact of Brexit on cross-border data transfers and putting GDPR awareness at the top of its priority list. Their position is clear: Cross-border data flows are critical to the U.K.’s digital economy, innovation, and ability to trade. According to the CBI, the U.K., as a global leader in cross-border data flows, accounts for 11.5 percent of all data transferred globally, of which three-quarters is with the EU. This is not insignificant.
Notably with Brexit, a major question lies largely in obtaining adequacy for the U.K. to continue to benefit from the free flow of data to and from the EU. Once again, the CBI position is crystal clear: the U.K. government must seek, as a priority early on in Brexit negotiations, the continuous free flow of data with the EU, through any transition accords and in advance of a final deal. The knock-on effects of not achieving data flows (adequacy) will also invariably impact the EU-U.S. Privacy Shield data-sharing framework. In a word: havoc. That is not to mention the potential and substantial new costs of and legal complexities in doing business — for all parties concerned, U.K. and non-U.K. based. Failure to obtain adequacy could manifest itself in a number of ways. That said, the CBI stated that there may well be the risk of accentuated "data flight" as U.K. companies might seek to relocate data-enabled products and services to an EU jurisdiction.
As part of its ongoing strategy, the CBI is committed to using its resources to help ready the wider business community for the GDPR reality come 2018. To that end and in partnership with Irwin Mitchell and in association with the IAPP, the CBI will be hosting GDPR workshops in London, Birmingham and Glasgow in late September and October to reinforce organizational governance around compliance. The sessions will be practical in nature and look to equip the attendees responsible for data protection with the tools and action plans to effect change in their organizations. We are delighted to have been invited to participate in this initiative, and IAPP training faculty members Mark Thompson, CIPP/E, CIPM, CIPT, FIP, and Ewan Donald, CIPP/E, CIPM, CIPT, of KPMG will be part of the delivery team.
As Elizabeth Denham of the ICO rightly surmised, data protection “underlies everything we do, in our personal lives, as consumers, as well as policing and law enforcement, criminal justice, everything relies on data. That’s why this is such a critical issue at a critical time.”
We need to get it right from the outset.