What do Trump and Brexit mean for EU GDPR?

Well, the last few months have been quite interesting, to say the least, on the political front, with the UK deciding married life no longer suits it and getting a divorce from its beloved European Union, whilst the US decides to “build that wall!” and elect Donald Trump.
Literally, as this blog is being written, a raft of Executive Orders are flying off the Oval Office desk with the ink still wet. We are witnessing a fundamental shift in superpower politics being initiated with unprecedented haste and vigour.
Yes, some of these decisions may have seemed fanciful at best and downright ridiculous at worst some twelve months ago, but the reality is starting to dawn and a new world order is starting to take effect.
So as the dust settles on these monumental decisions, those of us involved in the wonderful world of regulation are being asked what it all means for EU GDPR.
Now if this article seems to have taken a Tarantino-esque right turn and you are asking the question:
“What on earth is EU GDPR?” then you have some catching up to do. Put simply, it is the biggest single change to data protection since the introduction of the Data Protection Act of 1998 and the scope of it is global!
So in true streaming binge-viewing mode, here is what happened in series 1:
The vision of EU GDPR was to create one digital economy for the then 28 member states of the European Union, with one set of rules and regulations for handling the personal data of 500 million-plus citizens. Essentially, its central premise is to better protect the rights of those whose data is powering the digital highway on which we now all navigate.
In October 2016 TalkTalk were fined a record £400,000 for the theft of 157,000 of their customers’ records. Under the new regulations that fine could have been in excess of £70 million!
So from a 10,000-foot view the EU GDPR offers:
- Rights for EU citizens over how their personal data is used (citizens must be informed and give their explicit consent as to how their data may be shared or utilised). This has significant repercussions for data traversing country borders, made all the more difficult by President Trump’s Executive Order that puts in question the long-term future of the Privacy Shield agreement.
- Punitive punishments for those who do not protect this data (fines of up to 4% of global turnover or 20M Euros, whichever is the greater, can be levied).
- Citizens having the right to be forgotten – no more holding on to personal data for no reason.
- The requirement for organisations to declare, in detail, data breaches or loss within 72 hours (bear in mind many security experts claim most aren’t found for months currently).
- The responsibility of data owners to deploy “state of the art” systems to protect data (aged systems and technologies will not be an excuse).
- A requirement for organisations to create the role of Data Protection Officer. This role is new, and its holder must understand both the regulation and how their organisation is complying with it and policing the data of EU citizens.
It’s a significant regulation and the above just scratches the surface, but at least gives some sort of scale to the change. BUT, what does all of this mean with the UK about to exit the EU? Well at first glance, it is simple and falls into two distinct camps:
- Organisations who will hold EU citizens’ personal data after we exit the EU.
- Those who will not.
If you’re in the first camp and would potentially hold any personal data belonging to an EU citizen, then you are absolutely still required to comply with the regulation. The regulation was always designed to be a global requirement when dealing with EU citizens’ personal data, and it is written from the perspective of protecting that data wherever it may reside.
So if all the above has you now thinking “ok, it sounds like I should be doing something about it”, your next question should be “how do I start?” Well, you are probably best to identify an organisation that understands the regulation and, critically, can assist you in mapping out how to align your organisation to it, starting with three basic questions:
- Do we have this type of data?
- If we do then where is it located?
- What controls exist, and under what conditions is it kept?
A simple mantra holds true: you cannot control what you cannot see. Therefore, you must build an accurate data map to even begin to implement the processes under which compliance can be achieved.