Come 25 May 2018, organisations operating within the EU, whether or not they are established in the union, must comply with the General Data Protection Regulation (GDPR) or face fines of up to €20 million, or 4% of global turnover—whichever is higher.
But this oft-repeated headline fails to underline the importance of ‘up to’: the worrying figures that follow it are the maximums on a scale of penalties, and whether and how they are issued is at the discretion of the member state in question.
As James Castro-Edwards points out on p. 100 of EU General Data Protection Regulation: A Guide To The New Law: “The substantial penalties available to supervisory authorities for breaches of GDPR have been the subject of widespread discussion.”
“These penalties were included in the draft legislation as a deliberate measure by the European Commission to escalate the significance of data protection to a corporate board level concern.”
“Given the widespread publicity the GDPR has generated even before its provisions take effect, this aim has been at least partially effective.”
Castro-Edwards, head of data protection law at Wedlake Bell, spends the 11 well-executed chapters of this legislation guide disabusing the reader of this and other notions about GDPR, while providing practical advice on what each part of the regulation will mean for organisations.
His extensive coverage of the regulation includes its subject matter, its somewhat controversial territorial scope, the rights of data subjects and the role of independent supervisory authorities.