Good question, and there is no simple answer, to be honest! First let me say that I am not a lawyer: this is not legal advice and is provided for educational purposes only. By reading this page you accept that what follows is my interpretation, not legal advice.
GDPR stands for General Data Protection Regulation. It is a new EU law that comes into effect on 25 May 2018, and it adds to and changes many elements of existing privacy laws.
It deals with the rights of individuals in the EU and how their personal data is handled by companies. The law is quite clear that breaches can attract substantial fines: up to 4% of global annual turnover or EUR 20 million, whichever is higher (the 600k figure often cited in Spain is the cap under the earlier national data-protection law).
The first myth to be dismissed is: "I don't reside in the EU, neither does my company, so there's nothing I need to do." My understanding is that this is incorrect. If you hold personal data about people in the EU, for example because you offer them goods or services, you must comply with GDPR regardless of where you are based.
Myth number two is: "The companies who provide me with the services I sell on are based in the USA, so no problem." Again, if your suppliers are in the USA but the services you resell reach EU customers, you need to be compliant and so does the underlying service; how much work that involves depends on how much personal data is held and of what type.