by orwin 2951 days ago
You have two solutions:

1: Ignore GDPR, you'll probably fly under. And if you don't, fines are scaled for business and people affected, as well as privacy infraction. Encrypt your backups, encrypt PII if you can do it effortlessly, and you're good. If you are not using emails except for checking double inscription, encrypt them too; the entropy is low BUT this is better than nothing.

2: If you have some time and money to spend to try to improve your services: self-report. A public agent will point out to you the weakness of your data processing.

1 comments

Is there some way they can fine me with me being in a country completely and totally unrelated to the EU?
Yes, they can fine you, and if you don't pay it they can trash your credit. Don't ignore this.
How? I'm not in their country, their laws don't apply to me or my business in any way, shape or form. They could perhaps argue I do business there, but that still doesn't give them anything to press charges against. Best they could do is block my site as far as I can guess...
I'm going to call bullshit unless you can provide a source that any overseas government can levy a fine for whatever reason and then "trash my credit".