Security Measures for Small and Medium-Sized Enterprises – Legal Aspects
Specific legal and regulatory provisions must be respected by organisations. These provisions cover respect for privacy, copyright, and regulatory provisions specific to each activity sector (See also legal aspects).
Unauthorised Processing of Personal Data – Employee Monitoring
The Luxembourg Law of 2 August 2002 on the protection of individuals in respect of the processing of personal data aims to: ‘protect the fundamental freedoms and rights of physical persons […] with regard to the processing of data of a personal nature’.
It also establishes the National Commission for Data Protection (Commission nationale à la protection des données ou CNPD – https://www.cnpd.lu) ‘responsible for ensuring […] that the data subject to processing […] complies with […] this Law’. All organisations in Luxembourg are subject to this law and must respect it.
For example, the processing of personal data must, in certain cases, receive prior authorisation from the CNPD.
Furthermore, since the introduction of the GDPR in Luxembourg, it is important to be even more careful when handling personal data. You should, therefore, ensure that:
- the processing of personal data is inventoried
- the CNPD is notified of the processing of personal data
- the processing is secure (Art. 22 of the above-mentioned law)
- you stop any unauthorised processing or request authorisation (Draft and enforce a sectoral policy on compliance – Protection of personal data).
Invalid or Non-Existent Licence
The Law of 18 April 2004 on copyright, related rights, databases and patents includes ‘computer programs’ and ‘databases’ within its framework. To be able to use these legally, an end-user licence agreement must be provided with the software. This user licence must be valid for the period of use. Different types of licence exist: postal, global, rental, free, etc.
You, therefore, need to:
- review the organisation’s software licences
- assess the organisation’s software needs
- make an inventory of all current software (including their versions)
- acquire new licences or uninstall unlicensed or inappropriate software
- introduce a software restriction policy for users’ workstations
- securely safeguard all software-containing media (e.g. in a locked cabinet)
- ensure that the administrators are the only ones to install new software (Draft and enforce a Sectoral policy on compliance – Intellectual property).
Lack of Traceability of Operations
An organisation may be asked, by its partners or by the legal system, to prove or disprove its actions. This particularly concerns email communications and other exchanges of commercial or legal relevance (e-business transactions, financial orders, etc.).
It is, therefore, important to:
- save emails containing formal decisions
- establish a list of the organisation’s activities and services involving the governance of the company and/or its commercial activity
- establish a backup procedure for these operations, such as saving them in a database (in accordance, of course, with legislation on personal data and the regulations).
Regulatory Requirements
Depending on its nature, an organisation may be subject to specific regulations that require it to take special security measures. Examples of such regulations:
- Sarbanes-Oxley Act
- HIPAA
- Basel II
- Schengen Agreement
It is, therefore, important to:
- be aware of and adhere to these regulations and ensure the organisation’s compliance (Draft and enforce a Sectoral policy on compliance – Identification of applicable legislation, Intellectual property, Protection of operational data and Protection of personal data).