For example, you can't store data and people - unless you do so for a "legitimate purpose".
The actual effect of GDPR is to scare companies who don't know what it says. If you actually read it, you find that your still allowed to do whatever you want. You do, however, need a written policy saying "we do whatever we want" - except for when you don't need one.
One of the reasons companies (especially in marketing) were scared, is that this "legitimate purpose" does NOT include making a profit. As a company, you need to prove that a) what you're doing is in the interest of the consumer ("better ads" doesn't count), b) that you cannot do this in a less privacy damaging way, and c) that between the privacy invasion and going without your service, the privacy invasion is the lesser evil for almost anyone (i.e. for the consumer it's worth it).
If you cannot do that, you need consent.
And even if you are allowed to process the data for a particular purpose, you still cannot do whatever you want. You cannot use the data for something else (that's a different purpose), you must allow consumers to opt out of automated profiling (yes, even with consent to use the data, consumers can force you to have a human process the data), and of course there's still the need to alter/remove the data afterwards due to the right to be forgotten and the right to correct incorrect data.