The GDPR doesn't have any exceptions for existing systems, so any company which operates on that principle is going to be in for a very rude awakening. (This is why there's been an entire two years to transition to the new reality, so companies would've had enough time to change existing systems to comply.)
And yes, as others have said, setting defaults to "everyone" or "only friends" rather than "only me" on first glance appears to very much be against the "privacy by design" requirement from the GDPR, which is a requirement entirely separate from needing a legal basis to even process personal data at all (legitimate need or informed consent or ...)
Still, kudos for gog to at least announce this in this manner before rolling it out.
My understanding of GDPR is the same as Gersen. So this doesn't seem like it would apply? Not a lawyer though and I'm sure GOG's lawyers have been over all of this already.
It has been some time since I read/discuss the GDPR but IIRC only "sensitive personal data" requires mandatory explicit "opt-in", as in if Gog want to release you real name, etc... then it's opt in only.
For non-sensitive data (and the game in you collection is definitely non-sensitive data) you only need to be unambiguously informed (could be via a mail or a new EULA to accept when you connect to the site) and have the possibility to opt-in / opt-out at will.
It doesn't seem as "clear cut" as some superficial reading of article 25 can make you believe, standard interpretation and lawyer interpretation seems to differ quite a lot. I suspect Gog probably checked with their lawyer what they could and couldn't do.
What Gersen says is not entirely incorrect: explicit informed opt-in is not the only possible basis for processing personal data - if you need (regular, non-sensitive) personal data in order to be able to perform a core function of your company, or otherwise have a legitimate interest for using that personal data, or you need it to adhere to another legal requirement or ... - then that's just as valid. That phrasing, "legitimate interests", is however not a catch-all get-out-of-jail-for-free card. When that's your basis for processing, you need to make an explicit impartial assessment of your own interests versus the privacy-interests of your users/visitors, where the latter weigh quite heavily.
However, all of that is completely besides the point here. We're not discussing the basis on which gog is processing our personal data (most of what they have, they need to have simply to be able to give us a games library and such, and I can see the legitimate interests for the rest), but rather their privacy choices with how they then make that personal data visible to others in the upcoming profile feature. There, the GDPR has other requirements, with "privacy by design" and "privacy by default" being the important ones that gog seems to not interpret the way I would expect them to interpret them.
(I'm very much aware that in my day job I only discuss these issues in Dutch, and am unaware of the exact English terminology (and that despite originally reading the law in English), so my apologies there to anyone who's stumbling over my incorrect usage of terms with specific meanings.)
As an aside: Is anyone else as happily amazed as I am by just how much mindshare
the GDPR has gotten? Who'd ever have thunk that a privacy-law would be so widely discussed, (mostly) understood and generally looked forward to?! Score one for the EU!