Europe’s General Data Protection Regulation (GDPR) kicked in on May 25, less than a month ago. Most readers have probably already heard about it in the news, or seen mention of it in their email inbox, as companies worldwide scramble to comply with strict new laws that have an impact not just in Europe but worldwide.

So what is the GDPR?

The GDPR replaces a 20+ year old set of regulations called the “Data Protection Directive” by bringing in a sweeping set of strict data-related regulations enforceable across the EU without the need for individual nations to pass their own laws. Generally speaking, GDPR empowers individuals to demand that companies reveal exactly what personal data of theirs is being held, and to delete it upon request. Regulators can work easily across national borders and enforce very strict fines reaching as high as 20 million euros or 4% of a company’s global revenues. As one might infer, GDPR can and will apply not just to European companies but even to companies outside of Europe that happen to manage the data of European citizens. In effect, GDPR has worldwide consequences.

Although the GDPR encompasses many different requirements, the following are some of the most important ones:

Data Subject Access Request: A data subject (i.e., an individual) should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. In other words, every company managing data belonging to an individual is now required to provide that individual with easy and reasonable access to all the data belonging to them that the company holds. In most cases, this must be provided free of charge, without delay, and such requests must be serviceable electronically. Furthermore, in most cases, the individual can request that this information be deleted (i.e., the right to be forgotten), updated or corrected if incorrect, or even delivered to the individual in a suitable format.

Data Protection by Design and by Default: This regulation requires companies to build the highest levels of protection measures for user data directly into all business processes, products, and services. The company must use all means necessary, including encryption (pseudonymisation), minimization of the data collected, minimization of the extent of the use of that data, and minimization of the length of time that data is stored.

As one can infer, these are strict requirements that will take some effort from companies in order to be fully compliant. The data subject access request in particular can be very difficult for companies to adhere to. Consider the fact that companies often have user data strewn across many different servers in all sorts of different formats. In many cases, companies are not even clear on what data they actually possess on individuals. Until now, companies have often operated under a “let’s get as much data as possible now” attitude, without much attention to tracking where and how this data is stored.

So how does Bluzelle address these challenges?

We will focus on the two key aspects of GDPR mentioned above to answer this question. Bluzelle’s quartet of scalability, reliability, consistent performance, and security provide the baseline it needs to meet these requirements head on. Bluzelle is architected to kickstart the data economy with a focus on data privacy and protection.

Bluzelle is designed from the ground up to give individuals a public/private keypair that cryptographically locks and unlocks access to their data. The protection provided here is guaranteed by industry-standard public-key cryptographic protocols that are already used by governments, banks, and even the military. By giving an individual a user-friendly interface that locks down their private key so only they have access to it, that individual is in complete control over the use of their data. The data by default can be encrypted the moment it leaves the person’s computer. The user is the only entity who can grant authorized companies access to the data, by employing Bluzelle’s proxy re-encryption algorithms. Furthermore, the user can define how and where that data is being used, including timespans within which it can be used. The user can retract access to the data at will, and update it at will. The user can easily see who has access to their data and how it is being used, and can decide how they want their data to be used by sharing it or restricting access to it.
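To make the grant-and-retract flow above concrete, here is an added sketch of proxy re-encryption using the textbook BBS98 (Blaze-Bleumer-Strauss) ElGamal variant. It is not Bluzelle's code, and this article does not say which scheme Bluzelle uses; the group parameters, the `Proxy` class and the sample record are constructed for illustration.

```python
import hashlib
import secrets

# Toy group constructed for this example (far too small to be secure):
# P = 2*Q + 1 is a safe prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1            # secret exponent in [1, Q-1]
    return sk, pow(G, sk, P)

def _mask(elem, data):
    # XOR data with a keystream derived from a group element.
    pad = hashlib.shake_256(str(elem).encode()).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

def encrypt(pk, data):
    r = secrets.randbelow(Q - 1) + 1
    return pow(pk, r, P), _mask(pow(G, r, P), data)   # (g^(a*r), masked data)

def decrypt(sk, ct):
    capsule, body = ct
    shared = pow(capsule, pow(sk, -1, Q), P)     # (g^(a*r))^(1/a) = g^r
    return _mask(shared, body)

def rekey(sk_owner, sk_grantee):
    # BBS98 re-encryption key b/a mod Q. It is bidirectional and needs both
    # secrets (computed jointly in practice); proxy and grantee colluding can
    # recover the owner's key.
    return sk_grantee * pow(sk_owner, -1, Q) % Q

def reencrypt(rk, ct):
    capsule, body = ct
    return pow(capsule, rk, P), body             # g^(a*r) -> g^(b*r)

class Proxy:
    """Hypothetical semi-trusted store: holds re-encryption keys, never plaintext."""
    def __init__(self):
        self.grants = {}                         # grantee name -> rk

    def fetch(self, grantee, ct):
        if grantee not in self.grants:           # revoked or never granted
            raise PermissionError("no grant on record")
        return reencrypt(self.grants[grantee], ct)

if __name__ == "__main__":
    a, pk_a = keygen()                           # data subject
    b, _ = keygen()                              # company
    ct = encrypt(pk_a, b"dob=1990-01-01")        # constructed sample record
    proxy = Proxy()
    proxy.grants["acme"] = rekey(a, b)
    print(decrypt(b, proxy.fetch("acme", ct)))
```

Retracting access here means deleting the grantee's entry from `grants`, which stops future re-encryption only; a grantee that has already decrypted a record still holds that plaintext.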

More succinctly, Bluzelle takes an extremely pro-active and effective approach to GDPR by pre-emptively giving the individual total and complete control over their data without ever handing over this control to companies. Bluzelle’s database empowers the individual from the get-go, and takes away much of the burden that companies would otherwise have to deal with, to be GDPR-compliant. Of course, companies are always advised to go through GDPR and meet all the requirements it entails, but Bluzelle has already tackled two of the biggest challenges GDPR brings to the table.

In summary, Bluzelle provides an extremely compelling solution to meet the challenges of GDPR and other forthcoming data privacy regulations. Companies that build their information systems, products, and services on top of Bluzelle and use it as their chief datastore will automatically benefit from a database that approaches privacy not as an afterthought but as a core design decision that guided the original architecture of the database itself.

As an engineer who has worked since 2006 on aircraft systems for Lufthansa, one of the largest European airlines, Neeraj Murarka has had the luxury of being aware of GDPR and has built in-flight entertainment systems that adhere to GDPR’s standards for many years already. Lufthansa had considered and planned for GDPR many years before it went live in May of 2018. It is on this knowledge and expertise that Bluzelle’s focus on privacy was founded.