
Yes in that it has no consideration on when the data was captured or acquired. And there is a trickle down to anyone you have or passed the data onto.



Ok, so you should take care of the data you possess now, but if you have shared the data with a third party then I guess this is now their business to obey the law? I just don't see how you could possibly be forced to go and police everyone you have ever shared the data with.


Be interesting on this one. GDPR has explicitly called out legal obligations for the data controller and the data processor. Controller is the one you consent to data collection, processor is a 3rd party carrying out processing on behalf of the controller. If data is sold then it is passed to another data controller.

In this case the user has apparently given some level of consent to Cambridge Analytica. I don't know whether that would then make them a data controller in their own right or whether they would still be treated as a data processor. If the former, then the user would have to engage directly with CA for right to erasure, or FB would need to invoke T&Cs. If the latter, then it's down to FB T&Cs, and then FB would have to inform CA of the user invoking right to erasure.

GDPR will be a minefield for consumers and organisations for at least another 2 years until we have some case law that backs it all up.


I think the way GDPR could be considered retroactive is that the data you hold now is subject to the same test for explicit consent etc. as the data you collect now. So if you hold data now that was not collected in a way that is in line with GDPR, you are in breach.

However, if hypothetically FB sold CA some data in 2015 without their users' consent, then it is CA that has the problem now as it has no consent to the data, not FB.



