The GDPR applies to companies outside the EU because of its extra-territorial in scope, as explained in Article 3, "Territorial scope." One thing to keep in mind is that GDPR is not 'data privacy' or a refined version: the law is designed to protect the data subjects’ rights, while data privacy, broadly and mostly, regulates and protects businesses. If you think your 'data privacy' organization is de-facto making you compliant with the GDPR, we have news for you: you're not.

A “data subject” is any person in the EU, including citizens, residents, and even visitors. The personal data, scope of the GDPR, are personal identifiable information that can be used, directly or indirectly, to identify a unique data subject.

In practice, this translates to the fact that if you collect personal data of a data subject, you are required to comply with the GDPR no matter where you are in the world (see what is considered personal data under the GDPR from the gdpr.eu project.)

The European Union can enforce a law beyond its borders through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses exactly this. Other countries should not test EU’s reach, and EU data protection authorities are already active on that respect.