What's interesting is that I've had to meet many of those already for California's COPPA and previous privacy laws, so I'm quite confused at why people are acting like this is all brand new and never existed before...
As an aside that checklist is misleading. Some of the requirements they list expressly don't apply to small businesses, for example you don't need a DPO unless you're over 250 employees.
Are you a large scale data processor of special categories of data as defined in Article 9? That includes data that can be used to determine racial or ethnic origin, health data, and data about sexual activity and orientation.
Large scale is helpfully not defined anywhere.
So if you run a site around a health condition or that lets people specify their sexual orientation some place you might need a DPO.
https://gdprchecklist.io/
https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...
https://ico.org.uk/for-organisations/resources-and-support/d...