The GDPR wasn't written from scratch; we previously had the Data Protection Act, which offered many of the same rights as the GDPR, like the protection of personal information and prevention of disclosure to third parties, the right to access data a company holds on you (both of which date back to 1984), the right to opt out of direct marketing, the right to removal of data that may cause distress, etc., which, while a little dated, is still far ahead of what most of the US has today.
The trouble with the DPA was that fines capped out at £500k and international enforcement was limited, so large international companies like Google and Facebook could treat the law as an optional slap on the wrist while smaller international businesses effectively flew under the radar. The GDPR largely rectified both of these issues while modernising the laws in response to issues that generally didn't exist prior to the mid-2000s.