GDPR is already active. It's just the punishment section that is not yet active. On May 25th, if a company has (still) data about you, they have to comply or (now) face the consequences.

That's a really pedantic interpretation :) It has been adopted and published, but enforcement starts May 25. Because nothing can actually happen until May 25, I think that is a more reasonable date to say that it is "active".