55 comments

[ 5.4 ms ] story [ 371 ms ] thread
>> The scope of this protection extends to any natural person in the EU which can mean users, employees, vendors, partners, customers or even members of the general public.

I hadn’t considered GDPR from the perspective of a company collecting/maintaining data about employees (as opposed to clients, prospects, website visitors etc.). Do the same rules apply inside a company for an employee as they do for a user of a web service? Can I, for example, request a copy of all identifiable data collected and maintained about me by my company in the same way I might request it of Facebook or Twitter?

Yes. You can request a copy of any personal information held by any company. This is a pre-GDPR right too.
I was not aware of this - thanks for the reply.
For a non-creepy company, an employee request can be more concerning than a customer.

They might know the systems in detail, and have information spread around all of them.

Former employees can also make a request.

(This is not a new right, it was in the earlier Data Protection Regulation.)

As a solo founder with already too much to do. I simply looked at the GDPR and decided to kick that can down the road for 12 months after launch of my start up.

Although a UK Citizen, will be bootstrapping the startup in the US and simply blocking EU buyers from accessing the site.

Why you may ask?

- I don't have the funds to hire a DPO.

- I don't have the funds to hire out an expensive company to go through the platform in minute details and prepare it for GDPR.

- I don't have the resources to deal with inquiries to that nightmare letter or any questions for that matter.

- I don't have the resources to monitor the 3rd parties privacy policies that I send data to use their service and constantly update my own.

From my perspective this is just burdens my company with more costs in doing business with the EU. I'm more than happy to concentrate on the US and the rest of the world.

One issue that I'd like to point out as well. Some commentators mention that the EU is ~22-25% of the worlds GDP to be accessed. Well, that's a complete fallacy.

The EU unlike the US isn't a contiguous block. There are 28 nations and 24 languages to deal with. You simply can't launch in the EU like you would in the US. Each country has it's own idiosyncrasies to deal with. Which is why some companies just launch in France, Germany, UK and then push out the other smaller markets years down the line and in some cases not at all. There may be other local regulations to deal with.

My opinion is that the GDPR over the long term, will hamper the ability of EU companies to do business on the world stage, even more than currently. But that's a completely different topic for another time.

If it helps any, I read that a DPO is only needed for companies larger than X number of employees. I think X was like 50 or 100. And that the DPO "role" could be fulfilled by anyone.
As far as I know it's only required for companies whose core activity is large-scale monitoring of users.
Which is why I think the OP is spreading a load of FUD.
it seems like it.

In the "Steps to take" section they write > 2) Identify/review your legal basis for processing, ideally with a legal professional.

where legal professional links to the author companie's info email, and linking to their own site about 30 times in the article.

This looks like "you're violating the law, but we'll help you fix it" kind of deal.

Seems like the GDPR is working as expected. If your company can't be bothered to apply some common sense to handling user data (which is what the GDPR is mostly about, if you take a couple of hours to actually read it), then we're better off without it. I'm sure if what you're doing is relevant, some other company will happily take your place.
If your company can't be bothered to apply some common sense to handling user data

Which of the specific points the GP mentioned do you think is about how they handle user data? As far as I can see, every one of them is administrative in nature.

They're not saying they're going to be tracking everyone in shady ways. They're not saying they're going to be storing unencrypted details and unhashed passwords. They're not saying they're going to be forwarding your every secret to a Sith lord.

They are saying they don't have time to respond to a legal DoS if someone sends them a letter obviously written in bad faith, and they are saying they don't have the resources for their startup to police every major service they depend on. I imagine almost any startup would be in the same position.

As it happens, this person also seems to have some common misunderstandings about their obligations and may be over-estimating the actual risks. That also happens when you write this kind of law, and as we see here, the chilling effect is real.

Well, for example, one of the mentioned points is about sending PII to a 3rd party where the startup didn't read the 3rd party's privacy policy. So how would the startup be able to accurately present me with information on how my data will be used if they don't even know? I think having an accurate and updated privacy policy is common sense handling of data, wouldn't you agree?
That's a reasonable point, but it's also reasonable to observe that businesses rely on other businesses all the time. As a small business, you usually have little meaningful oversight of the internal processes of outside services you use. You don't get to audit your bank's finances to make sure they're safe to trust with your money. You don't get to review your lawyer's office security arrangements to make sure no-one can break in and steal confidential data about your contracts. You don't get to review which products your office cleaning firm uses. At some point, you just have to trust that they do a decent job, and you change who you work with if you have reason to believe they aren't doing that.

If a privacy regime is going to have any value in practice, it has to work on the same basis. The emphasis has to be ensuring that each individual or organisation who actually knows about the way data is being processed and has the ability to influence that processing is behaving reasonably. Then you can have some sort of trust framework that can actually mean something, from the data subject to their direct contacts and right on through to the indirect service providers however far the chain goes. The rest is just CYA and box-ticking, no matter how many laws you write or what penalties you threaten.

> You don't get to review which products your office cleaning firm uses.

Seems a bad analogy, do you make a contract with them but not read it? I mean in the contract you will specify what cleaning products can or should be used(like in some hospitals strong cleaning products must be supplied and you ask for those in the contract if the supplier gives you bad quality ones then sure it is not your fault but it is your fault if you don't even want to read the contract terms)

I imagine the OP was thinking that he wants to embed in his pages some analytics or similar scripts, maybe some advertising scripts, use a few third party APIs and it seems a lot of work for him.

At least his US customers can now know that their data are could be shared with many third parties that could have weird terms like those third parties could sell it further.

Okay, but do you ensure the manufacturer of those cleaning supplies is making them correctly? Do you test the products coming from that facility to ensure they are of sufficent quality before allowing them to be used by your office cleaning firm? And do you vet the ingredients that the manufacturing facility uses to ensure they are pure and safe?

Because the commenter above makes a fantastic point that I hadn't thought about before, the GDPR requires that kind of knowledge and verification of user data. Not just in your company, not just in the companies you work with, but the companies they work with, and the ones that they work with, and so on.

It's akin to requiring the gas station to post legal notices that the computers it uses for the POS system are manufactured by a company which has verified that the parts that it uses were sourced from a place which was able to check that the materials used were mined by a company that treats their employees safely.

(i'm not against something like the GDPR, but I do feel it goes a bit too far in a handful of areas)

No, my point was about the OP that said he does not have the time to read the TOS of the third parties he uses.

About the cleaning example if you had a contract that asked for a certain level of quality and they sent you bad product or did a bad job then it is your duty to stop this if you are aware the contract requirements are not respected.

I would also do some tests on the quality of the cleaning products just because people are greedy and they could send me bad products and cost me later.

But again, this isn't the core aspect of your business. You might do this for the cleaning products, but will you do the same diligence for the lightbulbs you use? The paint on your walls? The apps on the phones of your employees?

That's a LOT to ask.

I shut down a side project that stored some cookies on the browser for some small settings, and allowed users to upload images of stuff they made in the browser to imgur if they wanted. After looking at the GDPR, I decided to shut it off. I don't have the time or ability to properly vet all of the possible places a users information could end up (user's information in this case is possibly an IP address which the hosting provider might have, but i don't know or have a way of knowing, and the image that they created in the browser which can optionally go to imgur), and the project made me a total of $11 of profit, and from a lawyer I talked to at my main employer, just blocking EU users isn't enough.

I agree that is a lot of extra work if you want to delegate part of your work to a third party, but in present you don't send credit cards info, secret api keys to any third party, so it is fair to try protect the other kind of data(not only credit card or medical data)

What I hope is that this third party services will advertise the fact they respect GDPR or put documentation on how to properly use this APIs and respect GDPR.

As a user when I get the GDPR prompt that has only the Accept button I just close that page or if I really want to see the content I use a private window, accept the popup .

If i would build my own product SPA I would avoid the third parties crap, if I can't because I really need the third party I would make sure to read the TOS since at my work I seen how much it sucks getting screwed by a third party.

At least his US customers can now know that their data are could be shared with many third parties that could have weird terms like those third parties could sell it further.

I guess my point is that just knowing of the possibilities isn't particularly helpful on its own. If we're interested in actual privacy and data protection, instead of merely paying lip service to them, what matters is not just what a data subject knows but what control they have and what protections against harm they automatically enjoy. So much of the discussion around the GDPR and privacy policies and this whole subject more generally is only about telling people how they're being exploited instead of just exploiting them quietly without them knowing as happened before. That might be a step in the right direction, but it's far from where I would like the emphasis to be.

(comment deleted)
You don't have to hire a DPO. You do have to appoint someone within your company to be resposible for data protection, which seems like good practice anyway.

You don't have to hire an expensive company to go through your systems. There is no such thing as GDPR "compliant" it is a series of steps for which a company can self-certify based upon the data they collect and the way that data is used. These steps are again good practice e.g. only collect the data you really need, database encryption, access controls and so on.

In terms of "nightmare letters" - your company should have a privacy policy which answers a user's generic concerns, again this is good practice. If a user requests a copy of their data or to have data removed this is a simple reapeatable process that you should design into your system from day one. Remember, the key premise of GDPR is "privacy by design". If you take that into consideration when designing and building your solution, you are 90% of the way there.

You don't have to constantly monitor 3rd parties privacy policies and update your own. Your privacy policy, which I think we all agree every company which collects personal data should have, can link to the privacy policies of the companies you send data to.

We had all these debates ad nauseam in the time leading up to 25 May. The basic concerns haven't changed. There's still little clarity about the main ambiguities. Just linking from your privacy policy to each of your suppliers' is still as useful to data subjects as a clause saying "We can change our terms unilaterally at any time" in a contract, and in any sane world it would carry a similar amount of legal weight.
(comment deleted)
My opinion is that the GDPR over the long term, will hamper the ability of EU companies to do business on the world stage, even more than currently. But that's a completely different topic for another time.

I would argue the opposite. Most of the laws laid out in the GDPR were already laws in EU countries such as Germany and the Netherlands. Creating a single EU law should reduce the effort needed to launch a company that is compliant in multiple countries within the EU.

Also, you wont need a DPO if you don't process large quantities of PII. (https://gdpr-info.eu/art-37-gdpr/)

And you don't need to hire an expensive company to 'prepare' for gdpr. A conversation with a lawyer should suffice where you lay out how you (plan to) use or process PII.

- I don't have the funds to hire a DPO.

Just appoint yourself as DPO. It's a role, not a qualification.

> - I don't have the funds to hire out an expensive company to go through the platform in minute details and prepare it for GDPR.

Just go through your database and work out what data can be associated with an individual. Do you have a good reason to keep that data? If yes, cool, you're golden. If not, delete it and you're golden. The only thing that GDPR changes about data is (rightly) turning it from an asset into a liability.

> - I don't have the resources to deal with inquiries to that nightmare letter or any questions for that matter.

These are your customers. If you don't have the time or resources to talk to your customers, then your business is going to fail anyway.

> - I don't have the resources to monitor the 3rd parties privacy policies that I send data to use their service and constantly update my own.

You don't have to monitor them, you just need to read them. If you don't have time to read contracts that you're singing, then your business is going to fail anyway.

Pretty much everything in GDPR was already covered by existing UK Data Protection legislation. Under UK law you already had to appoint someone in your organisation to deal with Data Privacy, you already needed to have a good reason to collect personally identifiable information, and an obligation to ensure it wasn't disclosed to third parties.

I suggest you start taking all of this a bit more seriously than your comment suggests, not because of the legal implications, but the moral ones. Your customers are trusting you with their personal information. It's a serious responsibility that you need to take seriously. If you can't be bothered making sure that your customer's data is safe, then you shouldn't be trusted with it.

You actually can't appoint yourself as DPO since it would be a conflict of interest. But you only need a DPO if your core business is large scale user tracking, which it probably isn't (especially if you're a small startup).

https://www.pensar.co.uk/blog/data-protection-officer

> The following companies need to appoint a data protection officer under Article 37:

* Public authorities or bodies, except for courts acting in their judicial capacity.

* Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale.’

* Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin; political opinions; religious or philosophical beliefs and other such information.

* Companies who process, on a large scale, personal data relating to criminal convictions and offences

there's nothing in the document you linked to, or the guidance that it links to (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...) that says the DPO can't have any role in the organisation. There's no "conflict of interest" clause I can see... but I'd welcome any clarification.
Check out §38 6

> 1The data protection officer may fulfil other tasks and duties. 2The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

It's difficult to ensure that there is no conflict of interests if the CEO === DPO.

That seems really vauge. I'd argue anyone working for the company and getting paid could have a conflict of interest.
Don't you think one could (contractually) minimize (probably not remove) conflicts of interest?

Quite obviously one will not be able to completely remove conflicts of interest as long as there is another (monetary) dependency. Which is the reason for a state owned regulatory agency in the first place.

What duties would you have that would cause a conflict of interest that aren't already against the GDPR? It seems that's the only situation where there would be an issue.
These are your customers. If you don't have the time or resources to talk to your customers, then your business is going to fail anyway.

This point isn't about your customers. It's about the bitter ex-customer who decides to take revenge through legal means by exploiting the rights they have under the GDPR to waste your time and money. And if you think this is a hypothetical risk, read the news today about kids lining up to damage exam boards in exactly this way if they didn't get the grades they wanted, and explain to me how that isn't a threat to the integrity of the examination system.

You don't have to monitor them, you just need to read them. If you don't have time to read contracts that you're singing, then your business is going to fail anyway.

The fact that you have read the privacy policy of one of your suppliers does nothing to help the data subject. Unless they have meaningful information about how personal data about them is being processed and who is doing that processing, they haven't really gained any meaningful control or protection.

And no small business has the time to fully read all of the legal paperwork affecting them. Like consumer contracts, it's the great fiction of the legal community. Most new businesses won't even have had time to read the contract with their banks and other financial services before signing to open their account, and those often contain some very nasty and one-sided terms. But of course those contracts all tend to contain similarly nasty and one-sided terms, and you're going to need those services to do business anyway.

> It's about the bitter ex-customer who decides to take revenge through legal means by exploiting the rights they have under the GDPR to waste your time and money.

They don't have that power. They can write you a letter asking for their data.They can write a letter to the regulator asking the regulator to investigate a complaint. The regulator would maybe write you a letter asking for information, and provide some advice about best current practice.

Anyone in retail deals with nightmare customers who use social media to cause them untold pain and misery, and wastes huge amounts of time.

It's no different, except that in the GDPR case you can automate the response, and there's an actual regulator at the other end who can decide that the complaint was frivolous.

Dealing with customers is always nightmarish waste of time. But necessary.

I haven't heard about the examination board case, sounds interesting.

Again, if you don't understand how your customer's data is being used by a third party, then perhaps you shouldn't use that third party. I guess Google Analytics is the poster child for this. By using GA you are inviting Google to insert code into your web pages. This should give you the screaming heebie-jeebies.

Anyone in retail deals with nightmare customers who use social media to cause them untold pain and misery, and wastes huge amounts of time.

Of course. But they don't do it with the active blessing and support of the legal system.

Again, if you don't understand how your customer's data is being used by a third party, then perhaps you shouldn't use that third party.

Unfortunately, that's easier to say than to respect in practice.

For example, I run a business that allows customers to pay by credit card. There are many parties involved in a single card payment. Obviously at some point along the way there are various checks done to try to reduce instances of fraud. Those almost certainly include automatic decision-making processes that affect my customers.

And yet I don't even know -- and in fact can't know; I asked -- who is making those decisions that might prevent my customer from buying something from me today, nor what basis is used. There is no meaningful right of appeal if my customer or I don't like the decision. In fact, my business can have the money clawed back months after a payment went through apparently successfully and even be fined if one of those payment services up the chain that I still can't identify doesn't like anything for any reason, with no useful explanation given and again no meaningful right of appeal.

This whole arrangement is so totally against the spirit of contracts, money, privacy and data protection rules, and basic common sense that it defies belief. And yet it is absolutely routine: your only alternative as a merchant is not to accept card payments, and your only alternative as a customer is not to have a payment card at all.

I used to work for a payment processor, I know your pain.

The obscurity and lack of information that you complain about, though, is exactly the thing that the GDPR discovery clauses are trying to eradicate. Let's hope that the utterly arbitrary and opaque banking system is held to the same standard eventually.

> It's about the bitter ex-customer who decides to take revenge through legal means by exploiting the rights they have under the GDPR to waste your time and money.

Except you can't sue anyone under the GDPR. All you can do as a consumer/bitter ex-customer is file a complaint with your country's privacy watchdog. IF there really is a problem, they will just tell you to fix it, that's all. You only need to worry if you're doing shady things with personal data and don't intend to stop doing them even after being warned, in which case you deserve everything you get.

Unfortunately, the entire point of the "nightmare letter" was that much of what you just wrote isn't actually true. It wasn't about suing anyone. It was about wasting their time and potentially their money identifying which of the numerous points actually required a response (and a few traps among them that most certainly did not) and then gathering lots of obscure information they probably didn't just have as standard in their usual information management systems or published in their privacy policy, and highlighting the fact that the GDPR removed the small but non-zero fee that previous law allowed for exercising these rights that served as a practical barrier to this kind of abuse.
> It was about wasting their time and potentially their money identifying which of the numerous points actually required a response

I've seen the letter and it's all questions you should be able to easily answer anyway. If this letter would be a nightmare scenario for you you'd better get your shit in order, regardless of the GDPR.

I've seen the letter and it's all questions you should be able to easily answer anyway.

The very first point in that letter requires identifying every communication you have ever had with or about the data subject that is still stored anywhere in your organisation, among other actions. If you think that is easy, presumably you know how to automate that process, in which case I look forward to seeing the multi-billion-dollar business you have presumably built scanning unstructured data reliably in ways that no-one else has figured out how to do yet.

> The very first point in that letter requires identifying every communication you have ever had with or about the data subject that is still stored anywhere in your organisation, among other actions.

The magic words here are "still stored", PII is a liability so you never want to store it longer than absolutely necessary. Why are you hoarding this data when you can't even retrieve it easily, what is the point ?

Why are you hoarding this data when you can't even retrieve it easily, what is the point ?

Do you have a filing system for every email you ever wrote? Can you identify every backup copy, every forwarded message, every print-out, every excerpt copied and pasted into a Word document? Can you remember or look up every individual ever referenced in those messages?

Now, let's talk about letters. The paper kind. And faxes. Including unsolicited ones that aren't part of any formal process where a customer helpfully included their password so you knew it was from them. And mentioned that it's their mother's birthday, in case you were wondering.

Have you ever written down an address or phone number on a piece of paper because that was what you had to hand when someone read it out to you over the phone? Or opened up a quick text file to keep notes from a meeting?

If you're a director responsible for a company of 2,000 staff, do you think anyone else in your company has ever done any of those things, and would you like to bet your job that no-one ever kept a record other than as part of your comprehensive, perfectly-specified and loophole-free official processes?

If you're a director of a startup with 5 people, do you even have those processes, or is almost everything actually being done with text files and Post-It notes (or Slack channels and Google Docs, or...)?

This is not an easy problem. People have made very, very large amounts of money building businesses trying to solve this problem, and the first people who really nail it are going to make even more. You can't just hand-wave away the possibility of having personal data that is not immaculately organised, rigorously controlled and fully indexed in any organisation of significant size and lifetime. A law that makes such a requirement is like a law that says you can only ship software with no bugs, or a law that says all laws will be unambiguous and enforced with zero tolerance.

GDPR wasn't put in place to monitor people scribbling down phone numbers on pieces of paper. It was put in place to stop companies from hoarding vast amounts of personal data and using it to infringe on people's privacy (as well as making sure they looked after it properly).

If the regulator finds out that one of your staff scribbled down a customer's phone number once on a piece of paper while serving that customer, they won't care. If they find that your customer service process requires your customer service staff to scribble down phone numbers on scraps of paper that are then put out with the garbage, where they can be dumpster-dived, they will care (and so should you).

This is not some huge regulatory over-reach that will force you to go through every piece of paper in your organisation. It's a check on your data handling that forces you to acknowledge the trust placed in you by your customers.

GDPR wasn't put in place to monitor people scribbling down phone numbers on pieces of paper. It was put in place to stop companies from hoarding vast amounts of personal data and using it to infringe on people's privacy (as well as making sure they looked after it properly).

Sure. The intent of the GDPR has not received much criticism, at least not that I've seen. The concerns some of us have always had are more about ambiguity and interpretation, because on the one hand the law as actually written doesn't allow for much leeway in some cases, and yet on the other hand it has huge ambiguities in key areas hiding behind words like "reasonable" or "legitimate".

It's easy to look at extreme positions, such as the example I gave above for illustrative purposes, and say no regulator is ever going to expect all of that. Probably you'd be right. The difficulty is that somewhere between not doing much of anything to comply and the other extreme such as I described, you cross an invisible line from being sufficiently compliant in the regulator's view (or potentially a court's if it really came to that) to not being sufficiently compliant and no-one really knows where that line is.

When you have not just the threat of fines but also potentially very significant costs in adapting your systems and processes, that sort of uncertainty is never good for anyone. That is particularly true in a case like GDPR, because many of those adaptations are more about being seen to comply than about fixing any actual security vulnerability or abuse of privacy or other tangible problem.

I get it. The best explanation I've heard is that this is a major difference between EU(and UK) regulation and US regulation. In US regulation, the letter of the law matters. In the EU the spirit matters.

The UK has had regulation like this for decades, and as loosely worded. The regulator rarely imposes fines, and then only when forced to because the infringer is refusing to change their processes. Almost always they give some advice, sometimes a warning. This is done in the context of a conversation with the regulator, like "hey, we've received a complaint, have you got any reason why this happened?" instead of "we received a complaint, you're fined $1000 for it".

It's not a revenue source for the government (which it would be in the US). The wording is loose deliberately so that the regulator has the power to enforce the spirit of the regulation without getting tied into knots by the letter of it.

So yeah, I get that it's freaking people out. And there are costs in adapting processes. But, to be honest, if those processes need adapting then they were probably doing the wrong thing in the first place. Also, the EU gave everyone years of warning, and nobody paid any attention to that.

This is really not a big deal. As has been mentioned you most likely don't need a DPO. Just sign up to Iubenda, it'll help you manage the compliance and make it as easy as humanly possible.
Well, prepare yourself to be surprised launching in the US as there are also state laws, like in California [0].

And US government is actually working on it too [1]

[0] https://www.cnet.com/news/californias-new-data-privacy-law-t...

[1] https://www.reuters.com/article/us-usa-internet-privacy/trum...

Its a funny reference to bring up California. So many responses to GDPR have been a blanket refusal and cutting EU users off from a nontrivial amount of content on the internet.

As a US citizen, I already know that everything on earth causes cancer to the citizens of CA, but its interesting how many product commercials where you see the products are not available in CA.

Frankley, I think alot of data privacy crusaders are going to be even more surprised by how easy it is for ditigal product offerings to cut out users by geolocation. If CA wants fo go down the road of making websites display notifications about this cancer causing data collection, well, I feel like I could make my living just by selling my digital products in Texas.

At some point the regulation makes the business unprofitable.

TBH it was a quick search on Google and I don’t know the details. What I wanted to point out was the parent thought that:

> The EU unlike the US isn't a contiguous block.

I recommend reading https://jacquesmattheij.com/gdpr-hysteria/ for a more detailed understanding of how you might be exposed, and what your obligations are.

Some of your notes have been addressed by other commenters in the thread, but overall many of your points directly contradict what is discussed by Jacques. You probably want to evaluate your risk of exposure with your current approach.

I'm surprised that the guide doesn't address automated decision making about users. In my day job, we are using a scheduling platform for short-notice, short-term work e.g. social care. A job is loaded on the sytem and pushed to x users for acceptance (fastest finger first).

The system has a ratings module (not active yet) whereby clients can rate the worker and vice versa. The system then makes decisions on future job releases based on the ratings. Part of the reason for not having the module active is due to the issue of communicating to the affected users how those decisions are being made and providing them with a right of manual review.

As organisations increasingly rely on AI or ML to make decisions affecting individuals, so the need for greater transparency into those decision making processes so they can be communicated to the people concerned.

> where your base of operations is in the EU; where you’re not established in the EU but you offer goods or services (even if the offer is for free) to people in the EU; or where you’re not established in the EU, but monitor the behavior of people who are in the EU (as long as that behavior takes place in the EU).

Question — IANAL, but I read a summary on a legal website (I’ll see if I can find a link) of GDPR that said it applies to non-EU companies not when you offer services to all people, some of whom might be in the EU, but when you specifically target and advertise to EU citizens. It sounded like a web app, for example, that is marketed generally toward anyone and allows connections from anywhere, would not be legally subject to GDPR, whereas if I, say, localized in German and had a campaign to get German teachers using my app, then GDPR applies.

Aside from whether adhering to GDPR is a good idea anyway, and I think it is, is that distinction correct? Can strict GDPR be avoided if I’m not targeting the EU specifically, and my customers aren’t primarily EU citizens?

EDIT: here's the link: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Here's the text:

"When the regulation does not apply

Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."

That doesn't sound right to me.
Care to elaborate? Do you have law experience or some sources that clarify?