Short Answer
The GDPR regulates organizations that process personal data of EU residents, regardless of their location, including both EU-based and non-EU organizations. It applies to data controllers, who decide how personal data is processed, and data processors, who handle the data on behalf of controllers.
Step 1: Understand GDPR’s Reach
The General Data Protection Regulation (GDPR) applies to organizations both within and outside the European Union (EU). It aims to protect the personal data of individuals in the EU, known as data subjects, regardless of where the organization processing that data is based. Any organization that falls under GDPR must comply with its requirements if it processes personal data of EU residents.
Step 2: Identify Relevant Organizations
Several types of organizations are affected by GDPR, including:
- EU-based organizations: Any organization located in the EU that processes personal data of individuals in the EU.
- Non-EU organizations: Organizations outside the EU that handle personal data of EU residents, which brings them within the scope of GDPR.
- Monitoring organizations: Those that track the online behavior of individuals within the EU, even if they don’t directly process that data.
Step 3: Recognize the Role of Data Processors and Controllers
GDPR applies to all entities that process personal data of EU residents, including:
- Data controllers: Organizations that determine the purposes and means of processing personal data.
- Data processors: Entities that process personal data on behalf of the data controller.
In short, any organization, regardless of its location, that handles personal data of individuals in the EU must adhere to GDPR.