GDPR has much higher punishments for breaking it than previous EU privacy laws. Many companies are taking the legislation seriously due to this. I expect GDPR to be actually useful in moving the line for privacy.
For these kinds of violations, fines can be "up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher".
That's why people only start caring now, at the very last minute. There's a difference between a law on paper, and a law with attached consequences, so I still expect meaningful change after May 25th.
Which authority specifically? My experience is with two Portuguese regulators (one for Data Protection, the other for Telecommunications). The first was pretty good, the second required a bit of insistence to prevent them from closing the matter after the company sent a reply that said nothing, but both worked out with nothing more than a few emails.