Many small businesses believe that they are too small to get the attention of the EU supervisory authorities, but they are wrong.
In fact, EU authorities have fined businesses as small as local stores. In one extraordinary case, an individual was fined $11,000 for a GDPR violation. The FTC in the US and the EU established a cooperative agreement, so even if you and your company are solely in the US, the GDPR can be enforced against you.
GDPR is new in the grand scheme of things, and the fines are only beginning. Over the coming years, we will see more frequent and more substantial penalties. We will see fines for failure to disclose breaches, for failing to have basic best practices in place, and yes, for failing to have an EU representative while collecting personal data from EU visitors.
But what counts as personal data? The IP address of a website visitor, the most fundamental part of the Internet, is considered personal data. If your website uses any analytics, has log files, and stores the IP address of even a single European visitor, you're required to abide by the GDPR.
If you could easily reduce your risk of being targeted for enforcement actions, why wouldn't you?