Security Policy – Compliance
Comply with Legislation
Non-compliance with information technology legislation may expose the organisation to reputational damage with its customers (brand image) and to financial (fines) or criminal (liability of legal persons) consequences. The organisation must therefore comply with the law regarding:
- intellectual property and copyright
- protection of mandatory operational data and personal data (SMEs: see Regulatory requirements and Lack of traceability of operations).
Intellectual Property
The organisation must also ensure that copyright and licences are respected. Sanctions for non-compliance with these laws may threaten the organisation (SMEs: see Invalid or non-existent licence). This particularly applies to copyright on original literary and artistic works, which includes databases and computer programs, as set out in the Law of 18 April 2001.
The IT team is expected to check the requirements for both programs used and data owned by the organisation. In case of doubt, they can consult Luxembourg law at https://meco.gouvernement.lu/fr/le-ministere/domaines-activite/propriete-intellectuelle.html (in French), or contact a legal expert.
The basic principles in this matter are as follows:
- any reproduction, public broadcasting or distribution must be authorised by the author;
- this also applies to online distribution;
- software licences must be respected;
- patents must be respected;
- brands, designs and models must be respected.
Protection of Operational Data
Depending on the nature of the data processed, the organisation is bound by the General Data Protection Regulation (GDPR) to implement appropriate measures to prevent any unauthorised person from accessing the data processing facilities (see legal aspects).
Data corresponding to commercial activity must be kept, in one form or another, for ten years from the end of the financial year to which it applies.
Applying Security Measures To:
- All vital or important data processing systems.
Behavioural Measures:
Directly Associated Organisational Measures:
- Organisation of Security
- Classification and monitoring of resources
- Operational and communications aspects
- Access control
- Management of security incidents
- Managing business continuity
- Compliance
Technical Measures:
Personal Data Protection
Any files or databases created must comply with the General Data Protection Regulation (GDPR). The same applies to processing both newly created and pre-existing data (SMEs: see Unauthorised processing of personal data – Employee monitoring).
In order to operate within the law, the IT manager and the legal manager, having obtained the applicable texts from the National Commission for Data Protection (hereinafter the Commission), ensure that the organisation's arrangements are adequate in the following areas:
- declaration of data and processing to the Commission;
- obtaining authorisation from the Commission whenever necessary;
- data quality and the legitimacy of processing;
- the rights of the individuals involved to receive information and submit objections;
- potentially discriminatory data (racial, ethnic, political, religious, philosophical, union membership) or health-related data.
Applying Security Measures To:
- all vital or important data processing systems
- See also legal aspects
Behavioural Measures:
Directly Associated Organisational Measures:
- Organisation of security
- Classification and monitoring of resources
- Operational and communications aspects
- Access control
- Management of security incidents
- Managing business continuity
- Compliance