GDPR Made Easy: GDPR Compliance Checklist, Summary and Plan 2018

Chris McCarron

I'm Chris McCarron also known as The Alpha Chimp at GoGoChimp.

Struggling with GDPR? You’re in luck. This GDPR summary, GDPR plan and GDPR compliance checklist are written by experts and Cyber Essentials accreditors with the singular goal: GDPR made easy.

Watch this video on YouTube here: The Ultimate GDPR Compliance Guide


Here’s What You’ll Learn

1. What is GDPR compliance?
2. What is “personal data” under GDPR?
3. How does GDPR affect marketing and the data you collect?
4. What about GDPR and email marketing?
5. How will GDPR affect schools?
6. What is a data breach and what does it mean for GDPR?
7. GDPR made easy
8. Where can I get my free GDPR compliance checklist?
9. What makes this GDPR compliance checklist so different?

You’re probably wondering “why do I need a GDPR compliance checklist?” Or you may have questioned whether there’s any justification for the hype surrounding the General Data Protection Regulation.

Look, I get it…

You already have a to-do list. And even when you finish everything on it, you still feel like you haven’t accomplished anything meaningful.

So the idea of wasting your time on yet another “useful”, “profound” or “GDPR made easy” checklist will most likely give you the willies.

In business, time is a commodity and a valuable one at that. Everyone wants more of it and sometimes managing the time you do have is overwhelming.

Between the responsibilities of running a business, managing relationships with clients and personal well-being, there seems to be very little time to do anything else.

So when you first heard about GDPR compliance, you can be forgiven for having the initial reaction of “it sounds too technical for me”, “I don’t have time for it” or “maybe I’ll get around to GDPR someday”.

You might be delighted to learn that you’re not alone. It’s expected that more than 81% of all businesses in the UK will not be GDPR compliant in time for the legislation being enforced in May 2018.

This statistic may appear to be justification for delaying GDPR compliance. However, have you ever considered that perhaps the reason you’re stalling is that you’re a little confused about GDPR and the consequences it may have for your business?


After all, one of the hottest topics circling GDPR is that if EU citizen data is breached online, then your business may be fined 20 million Euros or 4% of your global turnover (whichever happens to be more).

Therefore, it’s easy for you to surmise that GDPR equals the “death of your business” and ultimately the death of one of the most important things in your life.

Nobody has time for that.

But if GDPR exists to protect EU citizens from cyber criminals or from businesses mistreating their personally identifiable information, then is GDPR really a bad thing?

Imagine for a moment that your personal information was stolen and abused by others. How would you feel? Would you feel angry, victimised and perhaps a little scared about what a stranger may or may not be doing with it?

Therefore, if you hold the general opinion that data protection matters and is a positive step towards creating lasting change to benefit an online society then your customers and clients must also have the same opinion as you do.

And when your business is GDPR compliant, customer satisfaction will be at an all-time high.

Best of all, 81% of your competitors will not be GDPR compliant by May 2018. This means that GDPR compliance gives you the unique selling point that other companies can’t offer their customers.

Therefore, if your company is General Data Protection Regulation compliant, then you’ll have a penalty-free business that retains customers and attracts new business.

So, the only question you really need to ask yourself is this: “how much is GDPR compliance worth to me?”

Stop procrastinating and start achieving more with the General Data Protection Regulation.

GDPR Summary: Lesson #1 What is GDPR compliance?

So what is GDPR compliance? Well, GDPR (General Data Protection Regulation) is new legislation that replaces the Data Protection Directive. It becomes enforceable on 25th May 2018 and was developed by the Council of the European Union, the European Parliament and the European Commission with the aim to:

  • Strengthen and unify data protection for all EU citizens
  • Give back control over personal data to EU citizens and residents
  • Create new “digital rights” for EU citizens
  • Simplify and unify regulation within the EU
  • Make it easier for non-EU countries to comply with their regulations

Unlike a directive, the General Data Protection Regulation does not require national governments to pass any enabling legislation. It is therefore directly binding and applicable to any business that stores EU citizen data, even if the data is not collected or stored on a server located in the EU.

A single set of rules will apply to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints and to sanction administrative offences.

Should a business have multiple establishments in the EU, it will have a single SA as its “lead authority”.

While GDPR makes it easier for nations outwith the European Union to comply with the new legislation, there will be steeper financial consequences if a company’s online security is breached and its data is leaked online.

This penalty will be up to 20 million Euros or 4% of global turnover (whichever is greater).

GDPR Summary: Lesson #2 What is “personal data” under GDPR?

In accordance with GDPR, Personally Identifiable Information (also referred to as PII) is considered to be any information that can be associated with an individual. This means that PII will apply to any data pertaining to an EU citizen’s professional, public and private life.


Some of the most obvious types of PII are:

  • A computer’s IP address
  • Banking information
  • Social media posts
  • Email addresses
  • Home addresses
  • First and last names
  • Medical information

GDPR Summary: Lesson #3 How does GDPR affect marketing and the data you collect?

[Image: Freshers Festival Glasgow, via Freshers Festivals]

For most small businesses, GDPR will only have a minor effect on day-to-day marketing or on how an individual’s private information is used for marketing purposes.

The General Data Protection Regulation is predominantly designed to prevent personal information being traded or sold to a third party. Therefore, you have a responsibility to protect, and not misuse, any data that you collect.

GDPR also changes how data is collected: for most businesses, overly complicated Terms and Conditions pages on their website will have to be replaced with straightforward, easy-to-understand language.

Furthermore, it is good practice to clearly state what a person is choosing to opt into and how their personal information will be used. This applies to popups, checkouts and anywhere else that PII is collected.

Data can only be processed by a business if there is at least one lawful basis to do so:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is vital for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

GDPR Summary: Lesson #4 What about GDPR and email marketing?

One of the most common questions we’re asked is about the relationship between GDPR and email marketing.

Why should a business care about email marketing?

Well, email marketing is big business because it’s an easy way to retain customers and encourage repeat business.

These days, email addresses are like a currency, and people don’t give away their email address to just anyone without a good reason.

Yet the cost of acquiring each and every subscriber is money well spent, because email marketing has an average 40x ROI.

Marketers and conversion rate optimisation experts spend their professional working lives in pursuit of getting the maximum number of email subscribers from as few website visitors as they can (you’ll have noticed that we use popups ourselves).

This is called conversion rate optimisation, and most businesses don’t have a problem spending on things like conversion-optimised WordPress themes, landing page builders, copywriters and list-building plugins to offer the ultimate “mouth-watering” incentive that nudges their ideal subscriber one baby-step closer to solving a problem that keeps them awake at night.

You may use something similar and now be questioning whether GDPR will mean that you’ll have to abandon your super juicy incentive, or that it may affect how you use email marketing.

Well, the General Data Protection Regulation will have a minor impact on the way you use your website to collect contact details. Pop-ups, checkouts and other ways you collect PII will have to clearly state what the user is signing up for and how your business intends to use their personal information.

Additionally, subscribers and customers must be able to withdraw their consent at any time, must be granted access to any data you hold about them, and must be allowed the right to be forgotten.

An additional requirement is that all EU citizens must be able to “unsubscribe” from your email marketing at any time.

GDPR Summary: Lesson #5 How will GDPR affect schools?

When a school, charity or business collects a child’s personal data, consent must be given by the child’s parent or custodian. This consent must be verifiable, and Data Controllers must be able to prove that explicit consent (opt-in) was given.

GDPR Summary: Lesson #6 What is a data breach and what does it mean for GDPR?

As data breaches and cybercrime are hot topics, many people are confused about what a data breach is and what it means for the General Data Protection Regulation.

The short answer is that there are a few changes to how your business must handle data breaches in the future.

When the General Data Protection Regulation takes full effect, the Data Controller will be legally obligated to notify the European Supervisory Authority. A data breach must be reported within 72 hours of the controller becoming aware that it has happened.

Where the breach has an adverse impact, those who are affected will need to be notified immediately.

On top of that, the data processor will be responsible for notifying the data controller without any delay.

All in all, GDPR will make sure that data controllers and data processors are held responsible for what takes place after a data breach.

GDPR Summary: Lesson #7 GDPR made easy

One of the many advantages of GDPR is that it will make it easy for your business to be compliant when handling EU citizen data, because there is only one set of rules that applies.

Each individual member state will create a Supervisory Authority (SA) to handle and investigate any complaints about your business breaking the legislation.

The Supervisory Authority will also deal with sanctions related to administrative wrongdoing (as well as many other things).

Should your company operate from multiple locations in Europe, it will be assigned a single SA, the one geographically closest to your main office or place of business.

The EDPB (European Data Protection Board) will be responsible for coordinating the Supervisory Authorities and, in some circumstances, different Supervisory Authorities will work together and freely share information with one another.

GDPR Summary: Lesson #8 Where can I get my free GDPR compliance checklist?

If you aren’t completely prepared for the new era of data protection, then you’re trailing behind your competition.

GDPR is a hot topic, and if you’re not compliant by May 2018, then you’re missing out on an extremely cost-effective way to grow your business.

Unlike other GDPR training programs, ebooks or resources, our GDPR compliance checklist is focused on time management.

This GDPR checklist is a time mastery system: a results-focused, purpose-driven, massive action plan that will guide you towards achieving absolute data protection and GDPR compliance.

It comes in a portable PDF format that helps you to quickly identify your biggest weaknesses in online security and explains how to fix them.

By the end of the list, you’ll have learned everything you need to know about GDPR, and you’ll be in a position to stop focusing on what you have to do and start focusing on what you want to achieve with GDPR.

As you transform your stress into a unique selling point, you will begin to see tangible results such as higher levels of productivity, deeper customer satisfaction and more effective decision-making.

You can’t create more time, but with this checklist, The 25 Most Important Things Your Business Needs For GDPR Compliance in 2018, you can start making time for what really matters. Inside, you’ll find:

  • How to vanquish patterns of customer dissatisfaction with patterns of growth and fulfillment
  • The power of being GDPR compliant and what it can do for you
  • Key strategies that allow you to achieve balance with online security and data protection
  • How to replace GDPR on your “to-do” list with a checklist that guarantees accomplishment

GDPR Summary: Lesson #9 What makes this GDPR compliance checklist so different from other GDPR tools?

Most General Data Protection Regulation compliance checklists focus on fear – how non-compliance will result in crippling fines and financial ruin.

Our General Data Protection Regulation compliance checklist first focuses on the results and outcomes you want, then connects you to why it’s important to achieve complete data security.

When the inevitable challenges with General Data Protection Regulation compliance show up, this checklist gives you the drive to follow through and achieve the actions you want.

This is the same GDPR questionnaire and checklist that experts charge businesses, entrepreneurs and business leaders for, so that they can master their own busy schedules and start achieving greater goals with data protection and their online security.

This comprehensive GDPR compliance checklist is a complete set of rules, questions and answers designed to help you redirect your focus and re-evaluate your current priorities with GDPR compliance.

So here’s what you need to do:

  • Download The 25 Most Important Things Your Business Needs For GDPR Compliance in 2018
  • Leave a comment below telling me what the checklist helped you to achieve (I read each and every comment left on our blog)