To some extent you are missing the point. GDPR hasn't legitimised something which previously wasn't legitimate.
In the first instance GDPR requires companies to be transparent as to their operations. Now you can make a valued choice as to whether to use a particular supplier or not based on the information they now have to provide. Before you had no idea how your data was being used. If they don't provide the information you expect, don't use that supplier.
Next, GDPR does fundamentally require companies to minimise the data they collect, how long it is kept for and to protect the confidentiality, integrity and availability of that data.
Next, companies that don't perform are (1) going to get wrist-slapped then fined; (2) lose business as customers will start switching to suppliers who are more enlightened about the protection of their customers' data.
This problem was never going to be fixed like turning on a light switch, but it is a big step forwards.