The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...
In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
Again, people are assuming that this is the first and only directive that has fines associated with it. It isn't. You don't hear a lot of people talking about the three month prison sentences possible for CE marking, for example - because very few of them have been handed out and only for egregious violations such as unsafe machinery that has caused injury.
Who's to say that 10% of the maximum for a minor violation isn't proportionate? Also, most small businesses do not have the resources to hire competent counsel on the other side of the planet to litigate these things.
A large body of case law, well-defined guidelines for evaluating harms and mapping them to fines, and the EU's general fear of stymieing economically productive activity (the motivation behind GDPR is to enable more data trading, not less, but within better-defined legal boundaries).
We have had laws with "open ended" sentencing guidelines since the very beginning of organised society. This is a solved problem.