[ThePhysicist]

A lot of the work that is done to become and stay compliant with the GDPR is invisible from the outside, but I can assure you that most large companies and a lot of the smaller ones are taking it serious.

The GDPR also has a "pull-in" effect on companies outside the EU that (often illegally) sell personal data because their clients in the EU (the data controllers) have to prove that these companies (their data processors) adhere to the GDPR if they want to do business with them. If a EU company buys personal data from a company outside the EU or sends personal data to that company they are liable if this data gets abused or if the personal data was not acquired in accordance with the GDPR. The whole "privacy shield" mess was about the question whether EU companies can still send personal to the US based on a self-certification process US companies go through (turns out they can't).

Some of the data brokers already feel this pressure and will be forced to change their business models unless they want to lose their clients within the EU. Sure there are still EU companies that do business with these data brokers today, but most of them know that they're exposing themselves to considerable risk and are already looking for alternatives.