Why should anyone who operates in the US, be concerned with GDPR?

The GDPR only applies if you are processing the data of somebody who’s in the EU. So, you only need to consider the GDPR if you’re dealing with EU based data subjects, people who are in the EU. And then if you are dealing with people who are based in the EU, then you have to comply with the GDPR because those people who are in the EU have GDPR rights so that’s an obligation that you are subject to if you deal with people in the EU.

The fines and sanctions that apply under the GDPR have international effect – they apply no matter where the business that is processing the data is located. What is important is whose data is being processed in the first place and if it’s EU data subjects, GDPR will apply to that no matter where the business is located.

The other way of thinking about this really is that, it’s about the respect for the rights of the people with whom you are doing business, and the data protection rights of EU based data subjects is guaranteed by the GDPR and if a business chooses to do business with those people, then it has an obligation to comply with the GDPR and will be subject to the penalties imposed by the GDPR if it fails to do so.