The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...
In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
People are being forced to sign agreements which jeopardise the natural rights to their data which they would otherwise have.
One example: a friend who has a very pretty daughter was asked by her school to give them the right to film her and to use any and all such recordings as they see fit for 50 years even after she leaves the school.
This feels very wrong on just about all the conceivable levels.
Consent could be withdrawn before or after GDPR. My guess is that the school have realised they're at risk of having to reprint all their promotional materials if consent is withdrawn.
So they need a contract, a model release. They needed that before GDPR. If you don't like the terms, don't sign it.