The EU General Data Protection Regulation (GDPR) applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. If history is any judge, Germany and Spain will be the toughest on data protection laws, whereas the Republic of Ireland, which has gathered a reputation for leniency, will be the softest.
Whether this will hold true after the GDPR takes effect is anybody’s guess, as no supervisory authority has commented on how it will handle enforcement. The only thing anybody knows for sure is that the Regulation’s strengthened requirements will make every country stricter.
Many people have expressed their frustration over the uncertain enforcement of the GDPR in each member state. Speaking to digital media company Digiday, Nathalie Moreno, a partner at the law firm Lewis Silkin, said: “When it comes to how the law is going to be enforced on foreign companies we are still awaiting guidance [from regulators].
“I’m often asked how the regulators are going to enforce [the GDPR], and my guidance is that there are some data-protection authorities that have a culture of fining and will continue to do so, while there are others that have more of a business-friendly approach, and they will carry on enforcing in that way.”
Organisations that want to know how strict each supervisory authority will be should probably plan for the worst. That said, it’s unlikely that the much-discussed massive fines for failing to comply with the GDPR will be levied regularly. Supervisory authorities have the power to issue fines of up to 4% of annual global turnover or €20 million – whichever is greater – but this will almost certainly only happen if an organisation blatantly disregards the Regulation’s requirements.
The best hint as to how strictly each supervisory authority will enforce the GDPR can be found in its guidance and advice. Most supervisory authorities have released some information on the GDPR, including:
· Belgium
· Denmark
· France
· Germany
· Italy
· Republic of Ireland
· The Netherlands
· Poland
· Spain
· Sweden
Become a GDPR expert
You might not be able to know how supervisory authorities will handle the GDPR, but that doesn’t mean you can’t become a GDPR expert.
Our Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course provides a comprehensive introduction to the GDPR and gives you practical advice on planning, implementing and maintaining a GDPR compliance programme. It also helps you fulfil the data protection officer role.
The course is delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.