I am currently taking a course at Future Learning and this is an explanation in their course.
"Companies and others who deal with personal data can be based outside the EU but, when they process personal data of EU citizens or residents, they are expected to organise their activities in line with the GDPR. The regulation is also applicable to those who have an establishment in the EU and are involved in the processing of personal data. It means that a large number of individuals, corporations, public authorities and others are significantly affected by the GDPR and need to be aware of its complexities and requirements."
https://www.futurelearn.com/courses/general-data-protection-regulation/3/steps/313702