The EU General Data Protection Regulation, in short EU-GDPR, comes into force in May 2018 and will fundamentally change the Federal Data Protection Act. This poses a major challenge for companies, as non-compliance can result in millions in fines. It is not only important to observe the clear consent to receive e-mails, but also physical IT security must be brought to fruition. But what does physical IT security have to do with data protection according to EU GDPR?

The EU GDPR and its impact on physical IT security regulations in companies

The EU General Data Protection Regulation (EU GDPR), which will apply from 25 May 2018, will have a major impact on the provisions on physical IT security in companies, as this is also responsible for the reliable protection of data. This regulation hits not only large corporations like social media Internet giants, but also small and medium-sized businesses.

The EU GDPR harmonises European data protection law and strengthens data protection authorities. It now demands that all companies carefully check, reorganize and often more comprehensively address their privacy and physical IT security.

The requirements for security are described in Article 32 of the EU GDPR:

„Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

State of the art:

In the German middle class, so in the small and medium-sized companies, this has only partially arrived. Many companies that have already dealt with the issue find that they are not prepared for physical IT security.

This is also confirmed by a recent study by the Ponemon Institute, in which more than 4,000 IT and IT security experts in 14 countries were asked about the current state of affairs:

  • 38% of respondents think they’re well prepared of the situation

  • 74% of respondents consider their security architecture urgently in need of renewal

  • 63% of respondents say that they use legacy security solutions

State of the art:

Companies are required to check their physical IT security measures according to the state of the art today. However, the exact “state of the art” is not specified.

Excerpt from Article 32 of the EU GDPR:

„[…]the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.“

Companies must therefore ensure that the data they collect is secure against unauthorized access by third parties. In addition, care must be taken to ensure that the IT systems are stable and protected against attacks and physical hazards.

This protection includes:

1. protection against intentional action

2. against negligent action and force majeure

It is therefore necessary to carry out a uniform analysis of data, processes, IT / ITC systems and human behavior.

What policies and laws must companies adhere to and / or apply?

In this context, many data protection officers recommend guidelines and guidelines in accordance with the requirements for protecting the confidentiality, availability and integrity of the IT and ITC systems of the EU GDPR, Art. 32. To fulfill these requirements it lends itself to use the classical certification tools.

Specifications and recommendations for the selection of technical and organizational measures can be found both in the ISO 27xxx and in the IT-Grundschutz Catalog of the BSI.

Guidelines are to be introduced for:

  • IT safety

  • ICT usage (user permissions)

  • internet and e-mail usage (also BYOD)

  • outsourcing (if applicable)

  • safety instructions IT user

  • safety instructions IT admins

  • change concept

  • virus safety concept

  • data safety concept

  • Emergency preparedness concept (emergency plan)

  • archiving concept

IT security policies

To stay with the physical IT security, we use the IT-Grundschutz Catalogs of the BSI. The IT Baseline Protection for Data Center (B2.9) describes potential physical hazards as failure of IT systems, lightning, fire, water, cable fire, temperature, humidity, unauthorized access, power failure, theft, vandalism, etc.

ISO 27001 does also include a subsection on physical IT security:

A.11 Physical and Environmental Security – Controls, Security Areas, Access Control, Threat Protection, Device Security, Safe Disposal, etc.

The bridge between physical IT security and data protection

The threat of data theft by cyber criminals is a hot topic – but what good is the best network security when an unauthorized person walks unnoticed into company premises or data is lost as a server prostrates?

50% of all IT failures have physical causes!

Unlike failures caused by software failures, downtime caused by physical defects is usually longer and more expensive.

Common threats in the server room and IT rack are:

  • overtemperature

  • power failure or UPS defects

  • smoldering and fire

  • water leaks

  • burglary and theft

  • human error


Small and medium-sized businesses should not see the new regulation as a bureaucratic hurdle, but as an opportunity – the opportunity to bring their own physical IT security to the state of the art and to gain a competitive advantage to address new target markets, having high safety requirements.