The decisive factor for GDPR is whether you offer your service in the EU, not where users are (technically) accessing your service from. Think of an EU resident using a US VPN, thus having a US IP address.
What about a company which offers a worldwide service, but whose market is 99.99% outside Europe?
I run a site targeted at North Americans. However, each year I usually get 1-2 sales within Europe (mostly UK), and a very small number of visitors from EU countries.
If you are processing data of EU residents that you are offering business to, then they can hold you accountable for GDPR violations. This also applies to the UK, as the UK is (still) part of the European Union.
I see. I'm assuming "processing" includes stuff like including it in Google Analytics reports or having a database of EU users who signed up for a free account.
The EU is basically inconsequential revenue for me. What would be the minimum required?
1. Shut off sales to EU, or
2. Shut off free account creation and/or email list signup to EU + shut off Google Analytics for EU, or
3. Block all EU IPs
It's not worth figuring out how to comply. I make less than $500 from the EU each year.
"Ignore it" doesn't seem like a good move as the fine is very large.
It’s hard to give general advice without knowing your specific situation. Ignoring GDPR has serious risks, though, as you already said.
In my company (Germany) we work together with an external data protection officer, who was of great help for us dealing with the GDPR requirements. So maybe you find it worth talking to one, just to get a better understanding of the matter.
Would it suffice to post a popup in your UI, "This website is not certified for the EU. If you are in the EU, you MUST NOT use this website. Click HERE to certify that you are not in the EU"?
Or are website operators responsible even if unauthorized attackers hack into their system and leave a "personal data" trail?