The Information Commissioner's Office (ICO) is expected to grow its staff by 40 percent in the next few years to bear the weight of incoming European regulation.
The ICO, which governs data protection in the UK, will add 200 people to its staff of 500 who are already said to be buckling under the pressure. The office may battle with skill shortages for as long as two years as it attempts to hire all the lawyers, investigators and specialists it requires.
Elizabeth Denham, the information commissioner, appeared before the House of Lords on 8 March to discuss the implication of the EU's General Data Protection Regulation (GDPR) and the added resources her office would require.
Helping UK firms comply with the GDPR appears to be at the heart of this new employment drive.
Though the UK is set to leave the EU by 2019, the ICO has been focused on ensuring that UK firms are compliant with the regulation. Denham told parliament last week that the ICO's cooperation with EU member data protection authorities will also be ramped up as the office looks towards more long-standing data sharing agreements.
Not that Brexit is immediately relevant. The GDPR will take effect in May 2018 after a year long clemency period, leaving UK businesses working under GDPR for the better part of a year before the UK could conceivably leave the EU.
Indeed, the watchdog has adopted a more active posture recently. It has been less shy about bringing out the heavy hand of enforcement which it has been reluctant to use previously. Its most notable case of late has been a £400,000 fine handed to TalkTalk for its failure to protect customer information in the breach of October 2015.
That may seem paltry compared to the weight that GDPR will bring to bear. The regulation sets out concrete data protection policy for firms working within the EU. By late next year, any business that wants to do business within European borders will have to comply with a variety of regulations including disclosing data breaches and establishing data protection officer roles within firms.
Failure to do so will be painful for the non-compliant. The regulations threatens to take four percent of global revenue or 20 million euros, whichever is higher, for those who do not abide by the rules.
The addition of 200 more staff at the ICO may be welcomed by many as it becomes clear that UK firms have little idea what to do, how to comply or what the GDPR even is.
A recent survey by the Direct Marketing Association showed that only 68 percent of respondents thought their companies would be compliant in time for May 2018.
An ICO spokesperson said, “In May 2018 new laws come into force to better protect people's privacy in the digital age and ensure organisations who handle personal information get it right. That brings significant additional responsibilities for the ICO as the UK's data protection regulator.”