GDPR (General Data Protection Regulation) is a privacy regulation passed by the European Union (EU) that becomes law on May 25, 2018.
GDPR has been written to protect the privacy of citizens of the EU. The regulation says that any citizen of the EU can request that any organization storing information about them get rid of that information, including their name. This covers any information that can be used to identify a person, including their picture.
The regulation applies to any organization in the world that sells or provides services to any citizen of the EU. The organization does not have to actually operate in the EU, or even realize the person is an EU citizen, to become liable. If they receive a request to remove the information and do not remove it, they are subject to a fine of 4% of their revenue up to a fine of 20 million Euros, which is close to $20 million.
The USA protects some of our private data through laws such as FERPA, but some information, such as your name, is considered directory information and is not protected. The EU has chosen to protect any data collected about people and defines anything that identifies you as protected.
How does it affect us in the USA? You may sell a product or service to a person visiting the USA and need to get some information from them. For instance, they may get sick in the USA and need to see a doctor, who will get some identifying information. The doctor actually only practices in one county in the USA, but if the doctor does not destroy all the information when requested, the doctor will be liable for damages, possibly having no idea of this law. It is entirely possible to see a foreign doctor when traveling. In 2005, when I was traveling in China, I had to see a Chinese doctor (who interned in Boston, surprisingly) for a respiratory infection.
There are questions of whether the regulation can be enforced on organizations outside the EU (as in the previous example) that do not do business in the EU. However, the EU is saying it applies everywhere, although the USA, for example, is not part of the EU.