For instance, I run a small community website (~30 people). I receive no income, and I know everyone involved. Everyone is in the United States. Is it open to the world? Yes, technically. What happens when an EU resident signs up? Well, I'll continue to run things exactly the way they are currently set up.
How does this situation play out long term? First, I'll tell whoever contacts me that I am in compliance with US law, and I'm a US citizen. I do not have to follow their laws because it's not within my jurisdiction. Second, they will order me to block EU citizens from my site, which I will not do because it's a foreign country mandating work on me for no reason.
So what happens in this situation? The only recourse for the EU is the internet version of "sanctions", to block my website from the EU.
Now they've set a really interesting precedent. How do they now enforce these blocks? Technical issues aside, are they going to do a whitelist or a blacklist? Regardless, they are setting up the equivalent of the Great Firewall for the purposes of maintaining the GDPR.
So why does this matter? It's only an isolated incident that will likely never occur, right?
Wrong. One community website like mine with one EU citizen who decides to file a GDPR complaint means that somehow this situation occurs. It can even be an intentional "sign up, file complaint" immediately to trigger this legal situation. Think there aren't any foreign governments that would flood a system like this to censor EU citizens in various mild ways? Think some random anarchist activist will not decide to monkey with the system by finding and reporting all the small violators?
The end product is a curation of the internet for EU citizens by the EU government. Hopefully your leaders are benevolent, and nothing crazy happens in the democratic process. I remember being told during the Bush and Obama administrations that my views against government surveillance, due to its potential for abuse, were unjustified because we could never have a horrible president and our presidents will always be benevolent, so the policy would never change for the worse. How did that play out? How do people think democracy functions, honestly?
Again, I really don't care too much. They can self censor if they want, but it really seems like GDPR is a win for Russian and Chinese meddling.
You may be able to ignore GDPR compliance in your situation, as per Article 2:
> This Regulation does not apply to the processing of personal data: [...] by a natural person in the course of a purely personal or household activity; [...]
There is some more information in Recital 18, which says:
> This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.
So if you're not making money, and you're not established as a business, you should be okay.
If you have any doubts or concerns, become compliant or ban all EU/EEA users.
I've got a shared hosting service where I run WordPress for a blog. As such I have no direct control over the web server, nor over what information my hosting provider might decide to record, nor do I have time to audit what WordPress changes with each update.
Since I'm a programmer by trade, and my blog deals with programming, it's reasonable to assume someone might consider my blog "professional or commercial activity". Maybe I'm saved by some hard criteria defining "professional or commercial activity", but to be frank, it's not worth my time going through the entire GDPR to find that out.
As such I'm not going to take the risk of being in violation and will be shutting down my blog. Instead I'll likely be reverting to posting on Google+ or Facebook, if I bother posting more at all.