There are no computing or online requirements specified in the GDPR. If the data is stored on pieces of paper in a filing cabinet it is still covered and there is no requirement to change this for any reason.
The GDPR covers data of all EU citizens when processed by an organisation that either operates within the EU or provides services to EU citizens while they are in the EU. Protection is also extended to the personal data of all individuals by organisations that operate within the EU. What this means is:
An EU citizen travelling outside the EU providing personal data to an organisation that is also outside the EU is not covered. For example, an EU citizen travelling in the US and providing personal data to a car hire company has no protection from the GDPR (and being the US, has no data protection whatsoever).
Any individual, regardless of the nationality, within the EU providing data to an organisation within the EU is covered. For example, a US citizen travelling within the EU providing personal data to a car hire company has the same protection within the GDPR as an EU citizen.
If an organisation outside the EU provides services to an EU citizen while this citizen is in the EU is bound by the GDPR. It does not matter where this organisation is located, or operating from, the EU's citizen must be covered by the GDPR. This is the scenario that has caused the most panic among organisations that are based in a regime with no data protections, such as the US. If such an organisation wants to do business with EU citizens then they must follow the rules. While some take great upset at this reality, in essence it is no different to the trade in physical objects. For example, if an object is illegal to trade in the EU but legal in the originating organistion's country, this doe not make it legal in the EU - e.g., do not try and sell ivory or firearms to individual in the EU (these are just two obvious examples).