Enforcing data protection regulation in data centres with traceable time

Simon Kenny, CEO of Hoptroff London, details how traceable time can be used to enforce data protection regulation in data centres. 

In the virtual world, before computing became distributed, absolute accuracy didn’t matter. A computer only referenced its own clock, and errors between two timestamps would be equal and thus cancel each other out. But with distributed computing, automated events flow through many devices that reference different clocks. Timestamps from a rapid sequence of events occurring between devices will make no sense if the clocks are not synchronised. Events will appear to occur out of sequence, all at once, or not at all. Highly accurate timing will become essential to diverse sectors as we depend even more heavily on computing to run our world, and so the pressure will increase on data centres and colocation hosting providers to deliver accurate timestamps to their clients.

As recording data becomes more important to compliance and regulation, so does trust. Being confident that our time is correct and being able to prove it to others is important when virtual events have physical impacts for which someone must be held accountable. Knowing data records have the correct sequence and interval creates that trust. Blockchain, data validation, and GDPR regulation are just some use-cases that require the level of trust that highly accurate timestamps provide. Data privacy regulations require a new class of data that can be verified and trusted.

Regulation has been building up around personal data, particularly with the EU’s General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), and the California Consumer Privacy Act (CCPA) in the USA, which tightly control and monitor how personal data is used. Permission and consent are central in this new framework, requiring an individual’s approval of the specific ways in which the data is used and barring any use beyond those explicitly specified and approved. Regulation such as this is only set to increase in scope in the next few years as regulators scramble to create an orderly framework to understand the recent explosion in data. Policy makers and the public are piling on the pressure to enforce control and maintain privacy in the age of big data.

Privacy regulation is not well understood; Commvault claims only 12% of global IT organisations understand how GDPR will affect their cloud services in the coming years. Current practices clearly need to improve: as the task of keeping compliance records becomes better understood, the regulation is likely to be enforced more strictly.

Traceable time offers a solution to this data minefield. For GDPR and other regulations, timestamps are increasingly crucial to tracking data origins. Being able to prove the exact time and place of a digital event, such as sharing personal data, can be achieved by uniting three components: traceable time, traceable place and data immutability. For time to become traceable it simply needs to be known to be correct by way of an unbroken chain of comparisons back to the national standards institutes who maintain Universal Time. With traceable place the distance between two servers communicating about an event can be calculated by the latency involved in the communication. For data immutability, the integration of a verifiable timestamp into blockchain adds a new dimension of security and traceability. Hashing ensures that the sequence of events in a ledger cannot have happened in a different order; an entire ledger cannot be fabricated because it is interwoven with other ledgers. 
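The immutability argument above can be made concrete with a short sketch. This is an added example, not code from the article or from Hoptroff: it hash-chains timestamped events, anchors one ledger's head into a second ledger, and shows that reordering breaks the chain while a ledger rebuilt from scratch fails the anchor check. The record layout, the `GENESIS` value, the function names and the sample events are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first record

def entry_hash(prev, ts_ns, event):
    # Canonical JSON so the same record always produces the same digest.
    body = json.dumps({"prev": prev, "ts": ts_ns, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(ledger, ts_ns, event):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "ts": ts_ns, "event": event,
                   "hash": entry_hash(prev, ts_ns, event)})

def anchor(src, dst, ts_ns):
    # Interweave: record the current head of `src` as an event in `dst`.
    append(dst, ts_ns, {"anchor": src[-1]["hash"], "index": len(src) - 1})

def verify(ledger):
    """Index of the first record that breaks the chain, or -1 if intact."""
    prev, last_ts = GENESIS, -1
    for i, rec in enumerate(ledger):
        bad_link = rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["ts"], rec["event"])
        if bad_link or rec["ts"] < last_ts:  # broken link, or time running backwards
            return i
        prev, last_ts = rec["hash"], rec["ts"]
    return -1

def anchors_hold(src, dst):
    """True if every anchor stored in `dst` still matches `src`."""
    refs = [r["event"] for r in dst if isinstance(r["event"], dict) and "anchor" in r["event"]]
    return all(e["index"] < len(src) and src[e["index"]]["hash"] == e["anchor"] for e in refs)

def demo():
    # Constructed sample events; timestamps are nanoseconds since the Unix epoch.
    a, b = [], []
    append(a, 1_700_000_000_000_000_000, "consent granted: subject-123, purpose=billing")
    append(a, 1_700_000_000_500_000_000, "record shared: subject-123 -> processor-X")
    anchor(a, b, 1_700_000_000_600_000_000)
    reordered = [a[1], a[0]]  # same records, swapped order
    forged = []  # ledger rebuilt from scratch with a backdated consent time
    append(forged, 1_699_999_999_000_000_000, a[0]["event"])
    append(forged, a[1]["ts"], a[1]["event"])
    return {"intact": verify(a) == -1 and verify(b) == -1 and anchors_hold(a, b),
            "reordered_bad_index": verify(reordered),
            "forged_chain_ok": verify(forged) == -1,
            "forged_anchor_ok": anchors_hold(forged, b)}
```

Calling `demo()` shows the forged ledger passing its own chain check but failing against the anchor held in the second ledger, which is the property the interweaving provides.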

When traceable time, place and immutability are effectively combined, the key identifiers in data of when it was created, by whom, and where are all verified. This allows users to comply with data protection regulations like GDPR and PECR. Proving that private data was used as agreed is vital. Timestamps can confirm how personal data has been shared or used by telling us when.

Creating a data trail that can be trusted is crucial to good data management. And for the facilities that host the companies which handle our sensitive data, traceable timing presents an opportunity to implement good practices. Time is a constantly changing physical entity, requiring regular attention and maintenance. Traditionally, a data centre would install several grandmaster clocks with GPS antennas on the roof which distribute time in the data centre using Precision Time Protocol (PTP) to the servers needing synchronisation. This incurs significant costs to install and manage, requiring specialist skills. In addition to this, in many cases, antennas are impractical. Software-based timing solutions can provide the same level of synchronisation with software that delivers time directly from a global network of atomic clocks into the data centre.

Accurate timing will become increasingly important as data protection regulations become tighter and data centre customers need to prove that data was used and shared as agreed under privacy regulations. Data centres can help lead the way in best practice, and make complying with data regulations easier for their customers, if they make traceable time a standard utility.