GDPR would be a lot more impressive if it applied to governments as well as other organizations. As it is, it solidifies governments monopoly on our data. GDPR bothers me on two levels.
First, it sounds good on the surface that someone finally cares about the little guy and his data. Except that it doesn't really protect us. It is creating millions of dollars of infrastructure changes to comply with a law that wasn't even passed in our country. It's an EU law. This is setting a precedent that could be used for other future laws that may night appear as palatable as this one was made to look.
Second, it doesn't apply to government organizations, only private organizations. So those massive server farms collecting data for the government is exempt from complying.