You did, because what you described is a directive. GDPR is not a directive. It does not require EU member states to do anything. Only country that needs to do something is the UK, since they're leaving the EU and want to convince the other member states that they're not naughty and they want to play in the same digital ballpark as the rest.