It's one thing to say something is illegal but if you don't enforce that these firms will be able to operate with impunity.
It's starting to.
https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...
There are 7-8 figure fines already this year, and two 9 figure ones that the UK regulator has given notice on.
The major difference between the two in terms of how the EU makes laws is that directives are the indirect one: individual member states are required to incorporate the provisions into their own legal systems to give them force of law. An EU regulation is the direct equivalent: it carries force of law across all member states immediately. In the case of the GDPR, the UK government has also stated that its provisions will continue here after Brexit and the related transition arrangements.
However, you're right that enforcement will normally be done by an individual member state, because it is typically the national data protection or privacy authority in each state that acts as regulator and has enforcement powers under the GDPR. In theory, there's supposed to be some coordination so one of those regulators will take the lead on any given investigation or enforcement action instead of 28 different organisations all diving in at once, but it doesn't seem to be clear yet how that aspect will work post-Brexit.
And there's no recourse besides filing a complaint. Even if I'm legally right, what damage was caused to me that I can seek compensation for? (assuming I go and try to take them to court directly).
As mentioned in my other comment near here, the regulators have started issuing some reasonably substantial fines already.
