In June 2016, the EU adopted the so-called Trade Secrets Directive which harmonises and raises the standards for the protection of know-how across the EU. As two of the last EU Member States, Spain and Germany passed national laws implementing this Directive in February/April 2019. One of the core messages of the Directive is that information will only be protected as “trade secret” if it has been subject to reasonable security measures. Companies should, thus, assess their situation and take adequate steps so they can take advantage of the legal protection of their know-how in the future:
In a first step, companies should commence a “gap” analysis to understand what information they hold and how it is protected. They should get an overview of:
In a second step, companies should critically review the existing protection measures based on the identified status quo and – if necessary – take appropriate additional measures.
When evaluating these measures, companies should also take into account obligations under other EU laws, such as obligations under data protection law (Art. 32 GDPR) and IT security law, which holds specific obligations in particular for so-called critical infrastructures. Synergy effects can be taken advantage of.
Depending on the value of the know-how, the following organisational, technical and legal protection measures should be considered:
Companies should establish an adequate organisational environment for an effective know-how protection by:
In the light of a rapidly increasing number of cyber-attacks such as “WannaCry” and “NotPetya”, the importance of IT security is clearly increasing in the area of information protection. Thus, companies should also implement adequate technical measures with regard to their know-how, such as:
In addition, companies should take adequate legal measures, such as:
In a last step, it is recommendable for companies to continuously evaluate and – if necessary – adapt measures they have taken.