You need to purge that 1% customer data though. If you're accepting EU citizens' data through any channel - another business, them using a VPN, via smoke signals - you need to comply.
You need to comply with the laws of the jurisdiction you operate in. If you don't operate in the EU (and having a presence on a global communication network does not qualify), EU laws are not applicable.
The onus is on concerned EU citizens to stick to .eu domains with a feel-good GDPR-VERIFIED banner if they are so inclined, not on the rest of the world to bend over.
As a non-EU business, I will pay my GDPR "fines" right after I'm done paying my Iran and North Korea issued fines. Cheers!
Seriously though, I made no comment on the law itself so I'm not sure what your point is. Most reasonable people would agree it's a good law in spirit, and I wish I had some of those protections where I live.
But the notion that it can be enforced on non-EU entities is ludicrous.