Step Plan Trade Secrets Directive: Steps companies should take in order to protect their know-how

In June 2016, the EU adopted the so-called Trade Secrets Directive which harmonises and raises the standards for the protection of know-how across the EU. As two of the last EU Member States, Spain and Germany passed national laws implementing this Directive in February/April 2019. One of the core messages of the Directive is that information will only be protected as “trade secret” if it has been subject to reasonable security measures. Companies should, thus, assess their situation and take adequate steps so they can take advantage of the legal protection of their know-how in the future:

Step 1: Determination of the status quo

In a first step, companies should commence a “gap” analysis to understand what information they hold and how it is protected. They should get an overview of:

• Which of the company’s know-how is actually worthy of protection
• Where this know-how is located
• Which protection measures are currently taken with regard to the respective know-how

Step 2: Examination and implementation of adequate protection measures

In a second step, companies should critically review the existing protection measures based on the identified status quo and – if necessary – take appropriate additional measures.

When evaluating these measures, companies should also take into account obligations under other EU laws, such as obligations under data protection law (Art. 32 GDPR) and IT security law, which holds specific obligations in particular for so-called critical infrastructures. Synergy effects can be taken advantage of.

Depending on the value of the know-how, the following organisational, technical and legal protection measures should be considered:

2.1 Organisational protection measures

Companies should establish an adequate organisational environment for an effective know-how protection by:

• Creating clear responsibilities and determining which employees are responsible for managing the know-how
• Restricting the access to the information (access only on a need-to-know basis and based on specific authorisation concepts) and – to the extent permitted by data protection law – documenting when information is viewed or used
• Raising the employees’ awareness for know-how protection and
  training the employees in dealing with know-how

2.2 Technical protection measures

In the light of a rapidly increasing number of cyber-attacks such as “WannaCry” and “NotPetya”, the importance of IT security is clearly increasing in the area of information protection. Thus, companies should also implement adequate technical measures with regard to their know-how, such as:

• Personalized user IDs and password protection
• Two-factor authentication
• Secure user administration with active lock option for the administrator
• Sufficient encryption of data and connections
• Logging, monitoring, reporting and response management systems
• Virus and malware protection
• Blocking of external access to servers with sensitive know-how
• Technical separation of professionally and privately used equipment

2.3 Legal protection measures

In addition, companies should take adequate legal measures, such as:

• Implementing enforceable confidentiality clauses into contracts with employees and business partners
• Contractually prohibiting reverse engineering in contracts with licensees, suppliers or other business partners
• Obliging service providers who (i) may come into contact with the company’s trade secrets and/or (ii) provide services that are critical for the protection of know-how to comply with adequate security standards and to provide ongoing reporting

Step 3: Regular evaluation and adaptation of the protection measures

In a last step, it is recommendable for companies to continuously evaluate and – if necessary – adapt measures they have taken.