The regulation is not merely for the 28 EU-member states (27 after Brexit). It is for the 31-member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. GDPR is being integrated into the 1992 EEA Agreement.
And not only does it affect EEA nations, but any organisation across the globe offering goods or services to European data subjects OR, organisations controlling, processing, or holding personal data of European nationals are also captured.
While GDPR will bring harmonisation across the 31 EEA nations, the new provisions make European data protection law even more different from the laws of 'third countries', presenting a big challenge for international business and litigation.
For example, US courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. By comparison, Europe places a greater importance on privacy, and is a fundamental right under article 8 ECHR.