GDPR Compliance
The most significant change in data protection regulation in 20 years.
How we help you

The General Data Protection Regulation (GDPR)

The GDPR is the biggest change in data protection regulation in 20 years. It puts up to EUR20 million or 4% of global annual revenue at risk. If you cannot say for sure whether you manage European Union (EU) citizen data within your own databases or on behalf of clients, then you need to take action now even if you are not an EU company.

GDPR compliance starts with getting a hold of where your data is across all of your services and ends with being able to control that data and prove that you are controlling it. Ohalo's Data X-Ray helps you establish a baseline of whether or not you have Personally Identifiable Information (PII) within your data sources and, if you do, the Data Protection Router helps you maintain control of that data.

The principles

Lawfulness, fairness and transparency

The Data X-Ray provides a view over your data so that you can be completely transparent with clients, auditors, and partners about how you are managing your data over time.

Purpose limitation

The labeling features of the Data X-Ray make sure that you can keep track of why data is being used and establish the legal basis for the usage of data.

Data minimisation

The Data X-Ray reveals data that you might not know that you have. If the data is no longer relevant, you can easily label the data for deletion. This also reduces risk during a data breach, if one should happen.


Accuracy

Data is dynamic. The Data X-Ray enables regular monitoring of your data with fast, easy scanning as regularly as you choose. This makes it easy to keep track of your data over time so that you can know when data is out of date or should be deleted.

Storage limitation

The Data X-Ray keeps track of data rot over time and can inform you of when data last changed so that you can take necessary action against data that is no longer relevant or requires renewal.

Integrity and confidentiality (security)

While the Data X-Ray cannot prevent data breaches, it keeps track of where sensitive data is so that you can limit your attack surface to only the data that is necessary to run your business.


Accountability

The Data X-Ray provides a beautiful UI to show to clients, auditors, and regulators. If you want to integrate the Data X-Ray output into your native visualization and reporting tools, you can easily do that through the API.

The articles

Special categories of data
(Article 9)

Do you know where all of your sensitive data is across all of the data sources that you control?

Ohalo helps identify special categories of data such as race, gender, religion, and more so that you can be sure to remove the data under GDPR. The Data X-Ray establishes a baseline of where sensitive data is on your systems in one click.

  • Find sensitive data immediately on cloud services that you use
  • Easily report on this to regulators, clients, and auditors
  • Integrates easily with the Data Protection Router

Right to access
(Articles 13-15)

Can you provide access to all of a data subject’s data upon request?

You may hold PII data about customers in multiple databases and at multiple cloud services. This makes time-bound data access requests difficult to fulfill. With the Data Protection Router you know where your data is and can show that data upon request.

  • Queries to multiple data sources simultaneously
  • Easy to install
  • Map data lineage of PII across multiple databases

Right to rectification
(Article 16)

Can you update all of the data about a data subject when they ask?

As with erasure requirements, rectification upon Data Subject request is very difficult even for a small company managing dozens of data sources. For large companies it is even harder. The Data Protection Router allows you to easily request data to be updated wherever it is.

  • Find where data is stored
  • Request data to be rectified through the Ohalo app or API
  • Prove it through a blockchain-backed immutable proof

Right to be forgotten
(Article 17)

Can you erase data across all of your systems and at third parties with assurance?

After establishing a baseline of what PII data is where, you can trace where that data has gone with Ohalo's GDPR data lineage tool, the Data Protection Router, and request various databases and cloud file storage services to delete that data on your behalf.

  • Hold data for no longer or shorter than you should
  • Simultaneous erasure across multiple databases
  • Prove that you have erased data at a certain point in time

Records of Processing Activities
(Article 30)

Can you demonstrate how data is being managed inside and outside the organization?

GDPR Article 30 is about maintaining a record of Data Subject processing activities. It is a requirement to maintain a record of data lineage across both internal and external systems where a Data Subject’s data may be. Such a record is important to demonstrate the state of data management.

  • Demonstrate exactly how data is being used on a granular level, not only within your organization but also at data processors that you work with
  • Ensure that the correct metadata about any data relationship is updated over time
  • Plug and play, avoiding the need for lengthy negotiations or consortium establishment

Transferring data to third countries
(Article 47)

Can you consistently apply the same corporate rules across multiple entities and ensure that those rules are being applied?

Modern businesses rely on sending data across borders. Unfortunately, this got much more difficult with GDPR. Ohalo's Data Protection Router allows you to deploy access controls in a consistent manner and keep track of how data is flowing across different legal entities and third parties, even if they are in different jurisdictions.

  • Smart-contract-enforced identities linked to legal entities to ensure that you are interacting with the right data source under the right conditions
  • Automatically maintained log of when data was accessed and by whom, output through a UI or to your own business information (BI) systems
  • Secure from data request to data fulfillment