>GDPR only comes into effect when the data is stored locally right?
It applies to EU citizens globally. If you store data on EU citizens -- you're expected to comply with GDPR. This will be ineffective for small companies in the US or China but nearly all large companies will have a presence in the EU.
The GDPR has absolutely nothing to do with citizenship, I don't know why this myth won't die.
It applies when you process data about people physically in the EU (whether they're citizens, residents, on holiday or just transiting through) or if the person/company doing the processing is based in the EU.
It applies to companies who store data on EU citizens and have any legal basis requiring them to comply with EU law. (No country should be able to say its law applies globally to people or companies not under their jurisdiction. And even if you're a fan of GDPR, there are plenty of countries whose jurisdictions you wouldn't want to be under.)
"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
It applies to EU citizens globally. If you store data on EU citizens -- you're expected to comply with GDPR. This will be ineffective for small companies in the US or China but nearly all large companies will have a presence in the EU.