Hacker News

The penalties for noncompliance are supposed to be “effective, proportionate and dissuasive”, and can start off with warnings. The law only has the headline figures as upper limits (plus damages, IIUC).

This doesn’t feel particularly onerous, especially as any good business plan will include getting public liability insurance for inevitable occasional serious mistakes.




In my business's case, EU revenue was <1% of gross.

Even though we never resell, mine, or monetize data, the increased risk of legal action was not acceptable to us.

Have you ever filed a claim on an insurance policy? Your premium will certainly go up next time that policy is up for renewal.

It’s unfortunate for our users. They’re quite upset that we’ve decided to drop all EU customers. But, we’re not willing to take on any additional risk for such a small revenue source.


Your call. IIUC, it covers EU citizens not just residents. I only mention this because the way you phrased that sounds like you're dropping the region not just the nationalities.


My counsel disagrees with this statement. Some Googling seems to confirm that.

https://cybercounsel.co.uk/data-subjects/

1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.

2. If the Data Subject moves out of the EU border and, say, becomes an expat or goes on holiday, then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation "established" in the EU.

Luckily, my organization is not “established” in the EU.





