GDPR replaces the current Data Protection Act as a legal requirement. It applies to every organization, small & large, that handles personally identifiable information (PII) of UK & EU citizens.