How to keep your company’s information secret

Every business has sensitive information. From finances and specialist business knowledge to customers' personal data, you will want to keep it secret. With the tips below, you can prevent your employees from sharing your company’s data with others.

Research by the Dutch Data Protection Authority shows that 67% of all data breaches (in Dutch) are due to someone sending sensitive personal data to the wrong recipient. A data breach can result in a cyber incident, which can both harm your company’s reputation and cost you time and money. So, make agreements with your employees on how they handle sensitive information. Draw up rules of conduct or set these agreements out in a confidentiality agreement. Doing so means, for example, that you can get compensation if an employee passes on business information to a competitor.

Working safely with data

Prevent business risks such as data breaches by securing your systems. Also, make agreements with your employees to ensure they handle company and personal data with care.

1. Establish rules of conduct and protocols

Use a staff handbook. This contains all the company rules and agreements you make with your employees, for example on behaviour in the workplace and how to deal with sensitive company information. You can also include a clean desk policy. This states that staff must always put confidential documents or privacy-sensitive information in a safe place after use. Regularly discuss the sharing of sensitive information during a work meeting or performance review. This keeps your staff alert to the risks.

Another option to protect your company information is to draw up protocols according to a certain standard, such as ISO 27001. You set out the processes you use to secure and protect personal and company data. For example, you state that personal data should not be sent by email, but only encrypted in a secure environment.

2. Confidentiality agreement: you decide what it says

Does your business have trade secrets, or work with specialist knowledge or other special company data? Then draw up a confidentiality agreement stating that it is forbidden to share this information. This is also known as a confidentiality clause. A confidentiality agreement is often part of an employment contract, but can also be drawn up separately at a later stage.

What exactly the declaration contains is up to you as an employer to decide. “Confidentiality is not explicitly regulated by law,” explains legal adviser Marieke van Leeuwen. “Usually, you specify who the parties involved are, what information must be kept secret, and what happens if the employee does not comply with the agreements. It depends on the type of organisation and the work whether you agree on a confidentiality clause with your employee. For example, are you developing innovative, high-performance microchips or are you a lawyer working with sensitive client data? Map out what business risks you run if certain information gets into the wrong hands. Based on this, you then state which information is confidential and to whom. For example, information may be shared with certain colleagues, but not with third parties.” A confidentiality agreement remains valid when an employee leaves your company.

3. Good employee conduct

A separate confidentiality agreement is not always necessary, according to Van Leeuwen. “With a confidentiality agreement, you give more weight to keeping company information secret and set out what the consequences are if a breach occurs. You can attach a fine to that, for example. It makes sense in terms of evidence to record this, because it makes it easier to prove that a specific agreement has been breached. But in principle, it is not necessary, because confidentiality is part of the standard of good employee conduct (in Dutch), which is enshrined in law. This means that every employee with an employment contract is obliged to behave properly. For example, you must not harm your employer. Sharing sensitive company data is part of that.”

4. Report mistakes made

What if an employee has shared sensitive company information? Jacqueline Steeneveld of Ruitenburg adviseurs & accountants says: “It is important that colleagues report a mistake or possible data breach to their supervisor immediately, because then you can take the necessary actions and prevent the problem from getting bigger. It is not bad if people make mistakes, but it is bad if they do not do anything about it.” If you are faced with a serious data leak of personal data, then in some cases you are obliged to report it to the data subjects and to the Dutch Data Protection Authority (in Dutch).  

5. Sanctions: from warning to dismissal

If an employee accidentally sends confidential files to the wrong customer, this is different from when they knowingly sell confidential business knowledge to a competitor. So, how you deal with your employee's mistakes depends on the nature of the situation. “Make sure the measure is proportionate to the breach of confidentiality,” says Van Leeuwen. “There are various sanctions you can impose as an employer, such as giving a warning or imposing a fine. Suspending or dismissing an employee is a far-reaching measure. Remember that in case of suspension, you must continue paying the employee’s wages.”

Encourage an open corporate culture

Prevention is better than cure, according to Van Leeuwen. “If you turn a violation into a lawsuit, the judge will assess how the provisions of the confidentiality agreement are interpreted, what agreements the employee failed to honour, and what specific damage you suffered as a business owner. It is difficult to prove that a confidentiality clause has been breached. There may be a ‘presumption of breach’, but this does not immediately count as proof. The (former) employer must provide proof that there has been a breach. This takes time. Encourage an open company culture in which safety and trust are central.”