The world has gone mad
We all had to have a meeting at work and sign papers about personal data
And what we could do and couldn't
But because I've been doing it the old way for years I keep forgetting
I'll be fined before long
Lots of hogwash going around about GDPR, Shelly, but it is complicated.
Two parts to it. The new stuff is how organisations use (and pass on/sell) your data.
Most businesses only use your data in the course of operating their business and services, but some of that may be passed to their own service providers, e.g. accounting systems. You have a right to prevent that data from being used to send you unsolicited sales stuff. The big issue is when your data is used for any reason other than that for which it was provided and agreed. Permission has to be explicit.
There is lots of confusion over this though. Some schools have stopped using biometric (fingerprint) data for payment systems in the mistaken belief that they cannot hold that data. Of course they can - it is agreed as part of the provision of service. The problem comes there when its use is the only way to get school dinners if say a parent does want that data to be used. What they must do is protect that data and have processes to delete it when no longer in use or on request. Not that they would (although in these cash-strapped days some Academies might think about exploiting data) they’re not allowed to pass on any such data without permission. Also, how does the school stand if, say, the police want that data for solving crime? Should they have access to everyone’s data they hold to find one person? It’s a minefield.
Schools (and the NHS) use masses of personal data. They couldn’t function without it. Schools use lots of software and service providers for various aspects of teaching. GDPR is a massive overhead for them. Focus has been on the functionality of those services, not where the data might go beyond that. Every vendor has to be checked. Hard work!
Data processes, for example parent emergency contact data, have to be documented. Reality is that that is actually no bad thing anyway.
It is also affecting things that are provided for good reason. Where I am a governor, the school has details of children with special medical needs such as allergies and conditions that may need immediate intervention posted in clear view for staff in the school offices. We now have to record that and get specific approval from parents and guardians. But, it makes sense that agreement is sought so that this data can be maintained and updated - something that can easily be overlooked.
The other part is about data security - that already existed in the old data protection legislation. Losing personal data was a serious issue before GDPR.
The big problem on the internet now though is understanding just what you are agreeing to.