I think the way GDPR could be consider retroactive is that the data you hold now is subject to the same test for explicit consent etc. as the data you collect now. So if you hold data now that was not collected in a way that is in line with GDPR you are in breach.
However if hypothetically FB sold CA some data in 2015 without their users consent then it is CA that has the problem now as it has no consent to the data, not FB
However if hypothetically FB sold CA some data in 2015 without their users consent then it is CA that has the problem now as it has no consent to the data, not FB