In order to determine the legislation that must be observed, first find out whether your activity is subject to a specific law.
When it comes to GDPR, it is difficult to imagine a company, especially in European Union, which will not be the focus of this law. However, not all that the company does with the data will be considered the processing of personal data.
Definitely, any information relating to the identified person is personal data. Questions may arise with information that relates to a person who can be identified (identifiable person). Indeed, even pseudonymised data fall under this category.
It is necessary to properly classify data that can form only individual attributes, but not be personal data, and this is the identifier and factor (s). The law gives a general idea of these attributes. But it determines the critical mass of these attributes after the accumulation of which the data becomes personalized.
In the preamble to the law, it is asked for a rational approach in the possibility of transferring data to the category of personal data. So be rational indeed!