GDPR has much higher punishments for breaking it than previous EU privacy laws. Many companies are taking the legislation seriously due to this. I expect GDPR to be actually useful in moving the line for privacy.
For these kinds of violations, fines can be "up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher"
https://www.gdpreu.org/compliance/fines-and-penalties/