Many companies have gotten their first fines already. Hundreds of millions of shareholder value down the drain because they blatantly ignored the rules.
No, most companies don't get a massive fine in the first round, but I already see enough have gotten then that even Google now allows me to opt out with a single click :-}
GDPR technically does have real teeth, to the extent that one really shouldn't want to raise the ire of an EU Data Protection Authority. Unfortunately, enforcement to date, and the resulting fines, have been lackluster at best. When will people learn that disincentives like fines and such have to actually hurt to be effective in changing the behavior of corporations?
This is like the firewall in windows 95: nice but useless.