The GDPR - the General Data Protection Regulation - governs the processing of personal data of people in Europe. Personal data is more than just names and addresses!
The law says (we’re simplifying a bit):
“Personal data” means any information relating to any “identified” person or any “identifiable person.” This is pretty much anyone who can be identified in any way - through a name, an ID number, or a photo.
This does not include any information about companies, including trade secrets. It’s just about people (what the law calls “natural persons”).
“Personal data” includes obvious things like name, address, and phone number, but also much more, like:
Photos or likenesses,
Online identifiers, like usernames or aliases,
User behavior data,
Purchase history or customer data,
The GDPR distinguishes between personal data and special categories of data (which require enhanced protections).
Special categories of data include:
Racial and ethnic origin,
Bottom line, the GDPR is very broad and covers pretty much everything that could be considered “personal data.”
So if your company collects any of this data (and you otherwise fall within the scope of the GDPR), you will be on the hook for following the GDPR’s rules.