
I'm wondering this too actually, I run a small business, we collect only the bare minimum of information from our customers but we do have some European customers. I'm ignoring GDPR completely, is there any downside for me? Will they block customers from using my service? Will they seize my European cloud servers? Or can I safely do nothing as I currently am because I don't reside or have a registered business in Europe?


EU has a history of moralistic bullshit proposals like that stupid cookie law. Which looked good in the eye of the law-makers (career politicians I should call them) but doesn't really work in the real world.

People get used to accepting the stupid cookie law and it becomes a habit, and in a couple of years the law lost its meaning (people blindly accept cookie law) and no-one cares about "the great privacy laws of the EU".

This is probably how GDPR will end up, no sane person would have the time to read all the privacy notices and the crappy opt-ins to just order food as fast as possible.

Hey I'm starving I need that food ordered now, here's my location so you can deliver food here, I don't give a rat's ass about your privacy statement and clickady clack are there any more opt-ins to check before I can finally order my food?


Nobody just doing ordinary business things is going to get caught up in the GDPR. The EU are going to go after the local companies first and/or the worst offenders. Just sit back and wait for the case law and best practices to settle down and then decide what to do.

My feeling is it is going to end up like the cookie law, but who knows at this stage.


You have two solutions:

1: ignore GDPR, you'll probably fly under. And if you don't, fines are scaled for business and people affected, as well as privacy infraction. Encrypt your backups, encrypt PII if you can do it effortlessly, and you're good. If you are not using emails except for checking double inscription, encrypt them too, the entropy is low BUT this is better than nothing.

2: If you have some time and money to spend to try to improve your services: self-report. A public agent will point out to you the weakness of your data processing.
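Added example, not part of the thread and not written by any commenter: one way to apply the comment's advice about email addresses that are kept only to detect duplicate sign-ups. It assumes a keyed hash (HMAC-SHA-256) in place of reversible encryption, because a plain hash of a low-entropy value can be matched by guessing; all names here (`INDEX_KEY`, `SignupRegistry`, `matched_guesses`) are hypothetical and the addresses in the checks are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: in production the key is kept outside the database (KMS, env var).
# It is generated here only so the example runs stand-alone.
INDEX_KEY = secrets.token_bytes(32)


def normalize_email(email: str) -> str:
    """Canonical form, so 'Bob@Example.com ' and 'bob@example.com' match."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address")
    return f"{local}@{domain}".lower()


def email_token(email: str, key: bytes = INDEX_KEY) -> str:
    """Keyed digest (HMAC-SHA-256) stored in place of the address."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_digest(email: str) -> str:
    """Plain SHA-256, for contrast only: anyone can recompute it for a guess."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


class SignupRegistry:
    """Holds tokens only: answers 'already registered?', never 'who?'."""

    def __init__(self, key: bytes = INDEX_KEY):
        self._key = key
        self._tokens = set()

    def register(self, email: str) -> bool:
        token = email_token(email, self._key)
        if token in self._tokens:
            return False  # duplicate sign-up
        self._tokens.add(token)
        return True


def matched_guesses(stored, candidates, digest):
    """Candidate addresses whose digest appears in a copied token column."""
    return [c for c in candidates if digest(c) in stored]
```

With the key stored apart from the data, a copy of the token column alone does not reveal which addresses are registered, while the duplicate check still works.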


Is there some way they can fine me with me being in a country completely and totally unrelated to the EU?


Yes, they can fine you, and if you don't pay it they can trash your credit. Don't ignore this.


How? I'm not in their country, their laws don't apply to me or my business in any way, shape or form. They could perhaps argue I do business there, but that still doesn't give them anything to press charges against. Best they could do is block my site as far as I can guess...


I'm going to call bullshit unless you can provide a source that any overseas government can levy a fine for whatever reason and then "trash my credit".


You're probably fine.

If you have a lawful basis for collecting the information, you're only passing it along to others as necessary to provide your service to your customers, the customers have clearly consented, and you employ reasonable protection of that data... it's extremely unlikely that you're in violation.

And if you were, they'd come to you first with a warning (at least based on past behavior). They're not going to seize assets unless you seriously provoke them.


"but we do have some European customers"

The entire point is, NO you can't just ignore GDPR. Your lack of action toward compliance is negligent.


Why can't I ignore it? I have European customers but they chose to sign up with a business in a foreign jurisdiction where their laws don't apply. If it's a problem, the EU can feel free to block my sites, but I can't see how it's negligent to not comply with laws that don't apply in my country.

I don't comply with laws from many other jurisdictions either. Should I start applying censorship laws for China and Saudi Arabia too? Why should the EU be special?


I answered your question the first time. The answer is no. If you really had to ask this, just google "does gdpr apply to non eu companies?"


There are thousands of laws on the books where nothing happens when you ignore them. Sure it is possible that the EU will pick some obscure small company doing boring business things outside of the EU to make a test case out of, but how likely is this?

Anyone not up to shady activity can afford to wait for the case law and best practices to settle before doing anything.



