What can be read out of GDPR right now, an organization can not just disclose a new purpose. Changing the purpose means you've got to get the explicit consent from every person that is involved in the data processing that is to be done. And also: the purpose has to be very clear.
Working with the data in the way that was originally agreed upon is of course no problem, nor dealing with other aspects of the GDPR, such as erasing data when it gets too old or upon request.
I agree with your first sentence! And my belief is that the GDPR will get so stretched and bent in some years, that there is not much left of it.