Well, just in this thread, two people providing 4-point lists of _simple_ things that can be done to abide by the GDPR provide two different lists that they themselves are ambiguously defined.
So, perhaps it's not as _simple_ as you make it out to be.
I've noticed most people are not sure of what exactly they need to do to comply (me included). With the ambiguity, it seems the best way to cover yourself is to just be able to say you consulted a legal team in the past and did what they told you to comply. This has obvious costs associated with it.
Well, just in this thread, two people providing 4-point lists of _simple_ things that can be done to abide by the GDPR provide two different lists that they themselves are ambiguously defined.
So, perhaps it's not as _simple_ as you make it out to be.