There is some enforcement, but the GDPR is widely flouted, most conspicuously with the cookie "consent" banners - they're supposed to give equal choices (to meet the standard of informed consent and not "consent bundling") but they're riddled with dark patterns.
Then there's the Irish who "oversee" Facebook and Google and do SFA.
So the GDPR is not enforced [to a level anywhere near what the legislation is supposed to do].
If I understand it correctly, the recent CJEU ruling on GDPR [0] should improve the Irish DPC limitations by allowing enforcement in other member states where violations have occurred (under certain specific conditions).
Then there's the Irish who "oversee" Facebook and Google and do SFA.
So the GDPR is not enforced [to a level anywhere near what the legislation is supposed to do].