It's that, plus a whole lot of unreasonable demands. Just take the requirement to have an EU representative[0]...even a 1-person US startup that processes data now needs to hire someone in the EU and designate a qualified DPO, which they'll likely need to hire as well. That's way more than not being a dick; it's a huge jobs program that will cost companies millions. One estimate I saw indicated that they expected there would be a need for more than 30,000 DPOs in the EU (and it's that low because a single person can act as a DPO for more than one company).
There's a lot in the GDPR that I like, but having just been through a massive compliance effort, there's a lot in there that overreaches and is just there to leech money out of the companies that make an effort to comply.
They won't, but they'll levy fines that will be in effect should you ever want to expand into Europe. And they might be able to prevent you from doing business with any company that has an EU presence. If you're making a profit off of EU citizens, there are ways to target that revenue.
Look at the ways that the US targeted online poker sites. None of them are in the US and subject to US law. But lots of banks are, and US lawmakers made it illegal for those banks to transfer money into or out of the poker sites and that basically worked.
Except it's now codified law, with real punishments based off the ambiguous "don't be a dick" directive. There are serious ambiguities here, and unfortunately no one knows how they'll be handled.