In 2012, the European Commission began a process to reform Europe's existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. The GDPR implements a number of security and data privacy regulations for ANY organisation who handles personal data related to people in the EU.

What does GDPR change?

The GDPR requires a number of significant organisational changes, but it is a great opportunities for companies to evaluate their current data processing activities and ensure they're protecting customer data appropriately. Below are the top 3 significant changes with the GDPR.

  • Demonstrable compliance. GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.
  • Enhanced rights. The GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.
  • Privacy by design. The GDPR requires organisations to implement technical and organisational measure to demonstrate they have considered and integrated data compliance measures into their data processing activities.

Our commitment to the GDPR

At Orah, we understand the importance of data security and privacy and take our responsibilities under GDPR very seriously. We pride ourselves on being a trusted partner to our schools and are fully-committed to delivering a secure, enterprise service that's GDPR compliant. Here's a quick summary of what we have done:

  • We have teamed up with security experts to help us achieve internationally recognised security certifications for ISO 27001(information security management system) in alignment with ISO 27017(cloud security) and ISO 27018(for protecting personal data in the cloud).
  • We have conducted a comprehensive risk assessment and developed an internal risk treatment plan to work towards ISO certification and GDPR compliance.
  • We have conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services.
  • We have implemented procedures to handle key data subject rights, like subject access requests and the right to request deletion.
  • We have produced a GDPR compliant Data Processing Agreement (to request a DPA, please email
  • We've updated our Privacy Policy to be GDPR compliant as well as more clear, concise and transparent about how we process personal data.
  • We've implemented incident response procedures that align with GDPR.
  • We've conducted company wide data security and training sessions for all Orah personnel.
  • We've implemented a secure development policy which integrates a privacy risk assessment and data protection impact assessments from the start.
  • We've obtained third-party vendor arrangements to make sure we have the appropriate contractual protections in place that satisfy GDPR requirements.
  • We've created a Whitepaper that explains our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.

Download GDPR Whitepaper