At the start, the web was purely stateless – every request was the beginning (and every response the end) of a new conversation. Then we got cookies, so that servers could remember clients, and SSL so we could share information with servers that wasn't seen by all the servers it passed through en route. These two technologies enabled e-commerce and are so foundational now it is hard to imagine the web without them. The problem is the way we've evolved the web has been down a path of increasingly aggressive data collection and reduced transparency for users.
We should have always been doing privacy by design, data portability, data transparency, and the right to be forgotten. We should not have become dependent on invasive ad tech and aggregated third-party data; we should not have handed over ownership of our own social graphs and connections so cheaply to private commercial interests.
While many (particularly in the US) may be uncomfortable with the legalistic and regulatory approach, preferring a more laissez-faire, self-governing model for virtually everything, the GDPR can be seen as an opportunity to start doing things right – applying the core principles of privacy by design not just where mandated by regulation but as a standard business practice.