Comment by toby-

My understanding is that a company's location is largely irrelevant; a company becomes subject to the GDPR when they handle EU citizens' data (or UK GDPR when it's UK citizens), and the EU/UK will still try to fine companies that aren't resident in the EU/UK - enforceability is a different question, although non-payment of fines opens the door to other remedies e.g. blocking access, seizing assets, etc.