
Business-efficient data protection

Protecting sensitive data, whether personal or business-related, is essential when it comes to electronic business. Data requires protection both physically (redundancy, resilience, emergency recovery…) and legally. In Luxembourg, both layers of protection are strongly rooted in the legal system, while ensuring a high degree of business efficiency.

Physical data protection

Luxembourg has a very high level of resiliency with an overall hosting surface of some 30,000 m² (323,000 square feet) in 16 data centers at different locations around the country. That is without taking into account companies and institutions with their own in-house data centers.

The offsite data centers in Luxembourg have maximum security access controls. Thus, they can guarantee the highest level of data protection. Not least, they offer closed-loop control systems through their bandwidth suppliers: P&T Luxembourg, Verizon Business, BT Global Services, Groupe Artelis/Cegecom and Luxconnect. Thanks to these key actors, Luxembourg is connected to all the major European hubs (Frankfurt, Amsterdam, London, Paris and Brussels).

Companies looking for a provider to host their data often receive Disaster Recovery offers based not just on two but on three levels of redundancy. This is the result either of cooperation agreements between key actors in the marketplace or of offers from companies operating different data centers in different locations around the country. Some firms even provide several hundred emergency workplaces, allowing employees to be relocated within two hours. Such centers benefit from data virtualization, which makes it possible to uncouple disks and servers, ensuring further security and mobility.

In addition to financial institutions, companies with large data banks require such hosting facilities in data centers located in Luxembourg.

The legislator, safeguard for data protection

Data protection in the financial sector

Luxembourg is a financial center with more than 150 banks and 250 financial sector players.

Non-financial companies wishing to gain access to the world of finance have to qualify as Professional of the Financial Sector (PFS). The PFS status was originally created by law in 1993 and was then revised in 2007 to include all professionals being involved in activities connected or related to the financial sector. Its aim is to ensure high standards in the services on offer and guarantee the necessary level of confidentiality for the banking community. Individuals and companies that have obtained this certification are under the supervision of the regulating “Commission de surveillance du secteur financier” (www.cssf.lu) and agree to respect its organizational requirements and the code of conduct laid down in the Regulation of 13 July 2007.

In addition to fulfilling measures designed to ensure data protection and the high level of confidentiality required by the financial sector, each agent has to guarantee the physical and logical separation of all data originating from customers from the financial sector in order to obtain the PFS title. All major IT companies located in Luxembourg carry this label: Hewlett-Packard, IBM, Fujitsu, Atos Origin, Computacenter, Dimension Data Financial Services, EDS, Telindus, Getronics, Econocom…

Personal data protection

Data protection also means adhering to certain good practices.

The development of information technology has accelerated the collection and processing of personal data, making legislation necessary.

The growth of privacy regulation across the globe has been strongly influenced by the implementation of the European Data Protection Directive (Directive 95/46/CE of 24 October 1995). The text imposes wide-ranging obligations regarding the collection, storage and use of personal information relating to employees and customers. Its regulations are transposed in the modified Luxembourg law of 2 August 2002 on the protection of individuals.

Corporations with entities in Europe collecting and using personal data of their employees or customers may be required to register details of their data protection practices with the Luxembourg National Data Protection Commission (CNDP). The CNDP is an independent body set up by the modified law of 2 August 2002 and the law of 30 May 2005, which deals with the specific requirements in the field of electronic communications.

Under certain conditions some activities may be carried out without prior notification to the CNDP, such as activities related to salaries, job applications, personnel and client management, bookkeeping, and network and IT systems management. Thus, the legal framework achieves a good balance between the free flow of data and the protection of individuals.

The protection of electronic transactions

The development of electronic commerce and online administration requires a high level of confidence in the system which transmits data. It also has to ensure data circulation under secure conditions and guarantee the authenticity of the author and the recipient of such information. Luxembourg introduced an electronic signature (called LuxTrust certificate) in 2007.

The LuxTrust certificates operate on the basis of a Public Key Infrastructure (PKI) corresponding to a collection of hardware, software and cryptographic components designed to maintain confidence during an exchange between several parties: authentication of all partners, message confidentiality and integrity, non-repudiation of messages.

Because confidence is essential in electronic exchanges, the Luxembourg Government was clear-sighted enough to create a public institution to accredit all certificate-issuing bodies: the Luxembourg Institute for Standardization, Accreditation, Security and Quality of Products and Services (ILNAS) (www.ilnas.public.lu).

Its mission is to increase trust in digital security, especially through the following activities:

  • accreditation, notification and surveillance of all certification service providers (distributing and managing certificates or supplying services related to the electronic signature) and electronic archiving systems,
  • monitoring and developing the Public Key Infrastructure.

In addition, a Luxembourg consortium comprising several public and private institutions and research units is actively involved in developing standards in the field of information technology on an international level. Luxembourg is a member of the Joint Technical Committee 1/ISO/IEC, an initiative of the International Organization for Standardization, whose research domain lies particularly in the field of information technology. As a permanent member Luxembourg is particularly active in the sub-committees Software Engineering (sub-committee JTC1/SC7) and ICT Security Technologies (sub-committee SC27). The country is also project editor covering several technical standards related to information security management systems (the “27001 series”).

Furthermore, in 2009 ILNAS launched a research and innovation project based on digital confidence in close collaboration with the Public Research Centre Henri Tudor. The Luxembourg Government also plays a major role in strengthening user confidence through its CASES awareness campaigns (Cyberworld Awareness and Security Enhancement Structure).

Finally, the Luxembourg context requires multidisciplinary experts, which led the University of Luxembourg to introduce a Master course in Management of IT Systems Security.