• As John Mitchell says, there is a lot of misinformation out there. The guidance from the ICO in the UK is pretty straightforward. The act itself isn't unreadable legalese. It puts informed, voluntary consent and privacy at the heart of everything.

    There are a couple of situations where you are likely to fall foul of GDPR:

    • A customer complains about you to their country's supervisory authority (in the UK that is the ICO) and you don't respond in a timely manner.
    • You are unable to demonstrate to the relevant supervisory authority that you have the processes in place to be able to comply with the regulation.


    This is not a s%^tstorm. This is a piece of regulation that has taken a long time to formulate, has gained agreement from 27 member countries and has had a long running-in period.

    If you are doing things that cause your customers to complain to the supervisory authority, then perhaps you need to look at your processes and the way you handle your customers. Surely that makes good business sense.
    Should the supervisory authority choose to audit you, then you need to show that you can respond to a customer requesting their data, corrections, erasures, etc. You also need to demonstrate that you are taking sufficient steps to ensure that you take reasonable care in protecting your customers' data.

    Brent Ozar's case is a bit of an oddity in that clients sometimes send him data unsolicited. In such a case Brent would be a Data Processor and the sender would be the Data Controller. The Data Controller should not be sending Brent personally identifiable information without Brent being under contract, having representation in the EU and being sure that Brent has the facilities to ensure that the data is kept safe, etc. Incidentally, if PII data is being sent to Brent in the US then existing laws are already being broken.
    It is sad that Brent has decided not to continue to serve the EU & UK, but entirely understandable. I commend him for his politeness and professionalism in responding to responses to his article where those responses fall a long way short of both politeness and professionalism.