DSGVO data protection cabinet

The EU General Data Protection Regulation, or EU DSGVO for short, has been in force since May 2018 and fundamentally changes the Federal Data Protection Act. This presents companies with a major challenge, as non-compliance with these regulations can result in fines in the millions. Not only obvious aspects such as explicit consent to receive e-mails have to be taken into account; physical IT security also has to be improved. But what does physical IT security have to do with data protection under the EU DSGVO?

The EU DSGVO and its impact on provisions on physical IT security in enterprises

The EU General Data Protection Regulation (EU DSGVO), which came into force on 25 May 2018, has a major influence on the provisions on physical IT security in companies, because physical security is jointly responsible for the reliable protection of data. This regulation affects not only large corporations such as social media Internet giants, but also small and medium-sized enterprises, practices and law firms.

The EU DSGVO harmonises European data protection law and strengthens the data protection authorities. It now requires all companies to review their data protection and physical IT security carefully, to reorganise it and, in many cases, to address it far more comprehensively.

The security requirements are described in Article 32 of the EU DSGVO:

"Taking into account the 'state of the art', the costs of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."

Current status:
In the German Mittelstand, i.e. in small and medium-sized enterprises, this has so far only partially sunk in. Many companies that have already dealt with the topic find that they are not prepared for it when it comes to physical IT security.

State of the art:
Companies are nevertheless obliged to check their technical measures for physical IT security against the state of the art. What exactly constitutes the "state of the art" is not specified.

Extract from Article 32 of the EU DSGVO:

"[...] the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services".

Companies must therefore ensure that the data they collect is protected from unauthorised access by third parties. Care must also be taken to ensure that the IT systems run stably and that they are protected against attacks and physical hazards.

This protection includes:
1. Protection against deliberate acts
2. Protection against negligent acts and force majeure.

A unified view of data, processes, IT/ICT systems and human behaviour is therefore required.

Which guidelines and laws must companies adhere to and which must they apply?

In this context, many data protection officers recommend policies and guidelines that meet the requirements of Art. 32 EU DSGVO for protecting the confidentiality, availability and integrity of IT and/or ICT systems.

Specifications and recommendations for selecting technical and organisational measures can be found both in the ISO 27000 series and in the BSI IT-Grundschutz-Katalog.

Policies and guidelines must be introduced for:

- IT security
- ICT use (user authorisations)
- Internet and e-mail use (including BYOD)
- Outsourcing (if applicable)
- Security instructions for IT users
- Security instructions for IT administrators
- Change management concept
- Virus protection concept
- Data backup concept
- Emergency preparedness concept (emergency plan)
- Archiving concept

IT security policies

To stay with physical IT security, we use the BSI's IT-Grundschutz catalogues. The module on data centres (B2.9) describes potential physical hazards such as failure of IT systems, lightning, fire, water, cable fire, temperature, humidity, unauthorised access, power failure, theft and vandalism.

ISO 27001 also contains a sub-item on physical IT security:

A.11 Physical and environmental security: controls, security areas, access controls, threat protection, equipment security, secure disposal, etc.

Building a bridge between physical IT security and data protection

The risk of data theft by cyber criminals is a topical issue, but what use is the best network security if an unauthorised person enters the company premises unnoticed, or data is lost because a server fails?

50% of IT failures have physical causes!

In contrast to failures caused by software errors, downtime due to physical defects is usually longer and more expensive.

Common threats in the server room and IT rack are:
- Excessive temperature
- Power failure or UPS defects
- Smouldering fires and open fire
- Water leaks
- Burglary and theft
- Human error

Conclusion

Small and medium-sized enterprises should not see the new regulation as a bureaucratic hurdle but as an opportunity: the chance to bring their own physical IT security up to the current state of the art and to gain a competitive advantage in addressing new target markets with high data protection requirements.