This is not a law Q&A, but if questions are asked about a law, then I think answers should refer to paragraphs of that law or to legal commentaries. We are scientists, so let's refer to facts!
As a matter of fact, the GDPR contains a lot of research exemptions. These exemptions are so numerous and permissive that even commercial entities like LinkedIn try to justify their use of non-pseudonymized user data for market research with them. But I digress.
I am unable to summarize the already compressed article linked above, so let me just quote its conclusion:
Although the GDPR creates heightened obligations for entities that process personal data, it also creates new exemptions for research as part of its mandate to facilitate a Digital Single Market across the EU. Specifically, the GDPR exempts research from the principles of storage limitation and purpose limitation so as to allow researchers to further process personal data beyond the purposes for which they were first collected. Research may furnish a legitimate basis for processing without a data subject’s consent. The Regulation also allows researchers to process sensitive data and, in limited circumstances, to transfer personal data to third countries that do not provide an adequate level of protection. To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals.
If you prefer slides, this deck is a nice intoduction to the GDPR for researchers and research data managers, with research-specific regulations starting on slide 13.
Overall, I think that the GDPR will not hinder Open Science in the long run. Those who have handled data correctly in the past will not have to learn a lot of new things. Ultimately, the GDPR will make sure that research can and will be done openly and fairly because its transparency rules make backroom research unviable.