zlacker

[return to "GDPR: Don't Panic"]
1. frereu+N2 2018-05-18 08:33:10
>>grabeh+(OP)
For those of you understandably intimidated by the GDPR regulations themselves, here's a good summary in plain English: https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...

The UK's ICO also has a good structured summary: https://ico.org.uk/for-organisations/guide-to-the-general-da...

In general I agree with the sentiments in this article. I've probably spent a total of three to four days reading around the GDPR and I don't really see what's special about this law other than it's imposing decent standards on what was in effect a wildly unregulated industry in people's personal data. If you have a broad distrust of any government activity then I suppose any new laws with "fines up to €X" might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.

2. downan+Fc 2018-05-18 10:30:12
>>frereu+N2
There is nothing - and I do mean nothing - written into the GDPR that requires any warnings of any kind, or places any limits on fines, except for $10/$20 million or 4% of revenue, whichever is greater. Period. A multimillion-dollar fine without warning for a first, minor violation is perfectly lawful under GDPR. The idea that "yes it says that but we can trust EU regulators to not assess large fines against foreign companies, even though they would benefit handsomely from them" rings hollow to me.
3. meredy+3h 2018-05-18 11:31:21
>>downan+Fc
I think you and everyone making similar points in this thread are getting tripped up by the difference between rules-based regulation and principles-based regulation. This is unsurprising, given that the US is so heavily rules-based, but the EU (certainly the UK) has a long history of principles-based regulation.

In rules-based regulation, all the rules are spelled out in advance, and the regulator is basically an automaton once the rules are set. In principles-based regulation, the rules are extensive rather than complete and you expect the regulator to have some latitude (and, if the system is well designed, a mechanism of recourse if they do something stupid).

An advocate of rules-based regulation would say this can make regulators unpredictable and capricious. An advocate of principles-based regulation would say it is an important safeguard against "rules-lawyering" and regulatory capture (especially the kind that ties new entrants up in check-box compliance that doesn't actually affect your business because all the rules have been worked around).

A classic example would be the time PayPal tried to tell the UK regulators they shouldn't be regulated like a financial institution (which is a claim they successfully made in the US). They pointed to chapter and verse of the relevant law, and said that according to subparagraph 2.b.c(iii)... and the relevant regulator essentially told them "shut up, you keep consumers' money for them and will be treated accordingly". As a result, the worst "PayPal took all my money and I can't get it back" stories generally do not come from the UK. (And when they do, they are accompanied by referrals to the Financial Conduct Authority, who have teeth.)

You can approve of this way of working or not, but the GDPR is a principles-based regulation, and you'll have to engage with it on those terms.

4. kodabl+Gt 2018-05-18 13:39:19
>>meredy+3h
What you dub principles-based regulation others call trust-based regulation, or randomly-enforced regulation, or we-know-it-when-we-see-it-based regulation. Some don't appreciate this type of regulation.

I think the unfortunate thing is that, when the previous/existing incarnations of these protection laws were/remain unenforced, many assumed it was because of lack of "teeth". But those of us familiar with how these principles-based regulatory bodies work know that it's more about confusion and regulator apathy. Nobody here is watching the watchers. Instead, there's a bunch of people foaming at the mouth with pitchforks asking for more laws and dismissing alternative concerns as hysteria or not understanding how laws work. We should be discussing how to solve the problem, yet we continually devolve to discussing the government-led solution presumably because we feel helpless and can't consider better options.

5. raverb+yG 2018-05-18 15:14:47
>>kodabl+Gt
And rules-based regulation means you commit 3 felonies per day https://www.wsj.com/articles/SB10001424052748704471504574438...
6. kodabl+tI 2018-05-18 15:29:03
>>raverb+yG
Going on a bit of a tangent here, I am becoming concerned with how we discuss these things. You're completely either for or against it. And if you're against one way you are automatically for the other. If you think one thing is bad, obviously you need to be corrected that the other thing is bad too. And then you'll get extreme examples showing it. Call it whataboutism, appeal to emotion, whatever.

Every time these GDPR discussions come up, someone is always quick to say the US is worse, the US is getting a taste of its own medicine, that dissenters must want surreptitious data collection, and on and on. Oddly enough, bringing it full circle, the tendencies for humans to argue in these directions instead of staying focused on the issue at hand make me glad to have more strict boundaries that are less subject to the whims of idle thought. Obviously this can't be absolute, so we should craft our rules to limit their scope at least from the outset. It's not about one country/continent vs another, it's about the goals and how they are achieved. Some believe and/or have experienced difficulties conforming to all sorts of government rules; it is a human thing, not a location one. IMO, we need to stop deflecting and we need to stop being so absolute. People who are feeling the pain of impending laws are not hysterical, and laws are not magically OK because other forms/interpretations have downsides.

7. meredy+6P 2018-05-18 16:21:12
>>kodabl+tI
I think this is a situation where it's easy to see the mote in someone else's eye. I tried to provide a summary using the standard terms for both approaches (in practice, making it clear I preferred a principles-based approach); you jumped up to rebut (in practice, by trying to find the most derogatory synonym for "principles-based regulation" and accusing opponents of "frothing at the mouth"). And then both of us are astonished by the level of partisanship in this argument ;)

It's true, I do think that a more principles-based approach is usually preferable. (And I will happily marshal anecdata to that end!)

But it's naive to think that any approach comes without a cost. Even the PayPal example I mentioned above could be coloured the other way: A company makes a major investment in a foreign market, only to find the rules changed underneath them by a capricious government agency! (Someone brought up IR35 down-thread, and that's an excellent example too.) Is that an acceptable cost for the outcome? I'd look at the overall state of (eg) consumer financial protections in the US vs the UK and say "yes"; but I'm open to evidence-based disagreement.

8. kodabl+BS 2018-05-18 16:44:03
>>meredy+6P
Meh, I'm less concerned with disagreement (or the words used) than I am with deflection. To be clear, and brief, I am not saying one approach to law is better than another (though I too have my preferences and of course corruption anecdata abound). In this case, I think neither legal approach is preferable with such a large statute. But if we are resigned to this option, one could argue that the size/scope of the legislation can only happen with vagueness and trust. In general I think we could arrive at GDPR-level statutes (at a global level no less) after working up to it. And I don't believe the regulatory bodies' failures themselves justify doubling down on those same failure-causers. I could talk about my suggestions for days, but in general a good set of first steps would be simple transparency requirements for specific uses and tangible enforcement.