Maybe not today, but who knows how this law will be used in the future. This could be used to shut down a political website by slapping it with a fine for non-compliance. A vague law means any company can be found non-compliant. By the time you appeal you'll be bankrupt.
You really don't think it's possible that one of the 28 member nations of the EU will pass down an absurdly large fine for some minor infraction? This happens all the time...
The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined and some judge that is in a bad mood or hates the idea of my business can simply fine me 20 million to kill my business and still be abiding by the letter of the law.
For signing a guestbook or something similarly trivial? No.
If you truly believe that (if it really escalated) the European Commission, and then the European parliament, and then ultimately the European Court of Justice is going to put up with 20-million-fine-for-a-guestbook shenanigans, I don't know what to tell you, except that I think your definition of "reasonable" is not reasonable.
Maybe I'm not jaded enough, and I can believe in a single bad actor, but all of them? Including an entire institution that has direct public accountability?
As an aside, I think it would be helpful if participants in GDPR discussions would indicate if they approach it from a USA or EU angle (or even a non-EU and non-USA perspective; I haven't really noticed any specific opinions from outside the USA/EU).
"You really don't think it's possible that one of the 28 member nations of the EU will pass down an absurdly large fine for some minor infraction?"
For the infraction of having a guestbook? Absolutely not.
"The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined"
I don't see that as a problem.
"some judge that is in a bad mood or hates the idea of my business can simply fine me 20 million to kill my business and still be abiding by the letter of the law."
Then you appeal. You're acting like there's no recourse or appeals mechanism for you.
> The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined
The law specifies the maximum fine, so you can't go over that. It also specifies that fines have to be proportionate. If you think the fine is disproportionate you have the right to appeal - that is also built into the law. If you think the appeal erred in law you get further rights of appeal. If your country hasn't made these legal routes available to you then you can take your country to the European courts.