It’s the law of the EU but it has worldwide effect. The penalties include fines of up to €20 Million or 4% of annual global revenue whichever is the larger. The EU has drawn a major line in the sand on this in relation to the privacy of the data of its people and therefore will be using every means available to enforce, including international treaties. It would be a mistake to think that just because you are outside the border you can escape this.
Of course, in a connected world, the most likely first practical way that the EU are going to enforce this is via the internet service providers. Google and Facebook, for instance, are both based in the EU, in Ireland (where we will be too as your EU representative, as a matter of fact), and the EU can bring enforcement against them directly as they are located here. Do you think Google and Facebook are going to expose themselves to fines of €20M or 4% of their global turnover by letting you continue to use their services if you are not compliant? This is going to be mandatory to be able to continue to use the Internet for your business. (And if you’re operating online, we’re guessing this may be important to you.)
Don’t just take our word for this: if you use Infusionsoft, for instance, you’ll see that they’re already all over this. In your app just go to Admin > Settings > Privacy & Compliance. You have to insert details of your “Representative in the EU” in order to enable the GDPR settings. This is currently optional, but it’s likely only a question of time before it becomes mandatory. Don’t find yourself locked out of your app without a simple and easy solution when it does.
Apart from the fact that this is the law and subject to enforcement by stiff fines, and from the fact that from a practical standpoint the internet service providers are going to be making sure their customers are compliant, there is another important angle to this: the GDPR gives people on behalf of whom you hold data the right to sue you if you breach their rights. This is important.
You might think that some EU government somewhere has much better things to be doing than coming after you (don’t bet on that, by the way). But even if that were a reasonable position to take, bear in mind that every individual in the EU on behalf of whom you hold data has legally enforceable rights as a result of the GDPR, rights that they can enforce by suing you. It only takes one to make your life an expensive misery. This happened to Facebook: a guy called Max Schrems sued them in relation to data protection rights and it brought down the whole system of transfer of data between the US and the EU. If this could happen to Facebook, this could happen to you. Are you as well able as Facebook to afford it?