GDPR is about data protection, particularly for people's personal data. The law has caused significant confusion and additional workload, e.g. with data cleansing. It has also introduced at least one scary risk: most people don't realise they (not the business) are personally accountable for what they do with other people's data, and yet some organisations provide no, or very little, training and support to their staff.
Marketing and sales teams have also been left wondering whether they can use the legitimate interests principle to contact customers. Customers can then become irate if they don't expect to be contacted because they haven't explicitly accepted such contact.