The new set of European Union laws regarding personal data security in organisations, the EU General Data Protection Regulation (GDPR), has passed and requires organisations be compliant by 2018. As organisations start taking action to comply with the GDPR within the deadline, one of the most difficult areas is the cloud.

One of the biggest problems that arises with the cloud is that personal data are processed in the cloud, with IT and security teams having no visibility or control into what is happening with the data. Employees are using unsanctioned, and possibly risky, cloud apps and services to get their jobs done. The trend of bring-your-own-device (BYOD) has only made the problem worse, with personal devices accessing personal data and syncing them outside the organisation, or worse still, using them for purposes other than those that the service purports to cover. Regardless, organisations are still on the hook for protecting personal data under the GDPR.

So how should security teams secure cloud usage without blocking everything and inhibiting employee productivity? Working with European data privacy compliance legal expert, Jeroen Terstegge, at Privacy Management Partners, we’ve created a white paper on the GDPR regulations, grouping them under six encompassing principles for the cloud with an extra consideration for BYOD. As you will see below, processors (the term used in the GDPR text) are the cloud apps and services. In this checklist, we have mapped a list of actions for organisations and processors back to each principle in order to help your organisation to be cloud-ready, secure, and compliant with the GDPR.