The data that is protected under GDPR (as with the DPA) is data concerning individuals (not companies). However, the definition is wider under GDPR and “Personal Data” extends to any information pertaining to an individual, whether it relates to their private, professional or public life. It can be anything from a name, to a home address, photo, email address, bank account details, posts on social networking websites, medical information, a computer’s IP address and more. In other words, if in the course of running your business you collect and use any data about anyone that identifies them, this will be Personal Data and you are required to follow the law in the way it is handled, accessed, stored or transferred. The individual is called the Data Subject.
Here is a link to an overview of the GDPR by the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr.