Nine steps to complying with the 2018 trade secrets regulations

Earlier this year, the European Union introduced a new directive to protect trade secrets and confidential information. Charlotte Marshall of law firm Blake Morgan explains what employers need to do to prevent staff from misusing commercially sensitive information.

In June an EU Directive protecting companies' trade secrets against unlawful acquisition, use and disclosure was brought into UK law via the Trade Secrets (Enforcement, etc.) Regulations 2018.

The aim of the directive is to standardise the treatment of confidential information and the protections available to businesses across the EU, although additional levels of protection can be granted by each country.

The UK's position

The UK's pre-existing stance on the protection of confidential information emerged through case law. For confidential information to be protected during employment it must:

  • have the necessary quality of confidence - this excludes anything which is public knowledge;
  • be shared with an obligation of confidence; and
  • be used without permission, with the owner suffering a detriment as a result.

The remedies available for breach of confidence include interim and final injunctions, "delivery up" of goods/services for destruction, and an account for profits.

But this meant confidential information could only be protected during employment, not afterwards, unless there was a specific clause in the contract. This is unlike the much narrower pre-existing UK category of "trade secrets" (e.g. the secret recipe for Coca-Cola).

What's new?

The Trade Secrets (Enforcement, etc.) Regulations 2018 bring into UK law a new, common definition of "trade secrets" that applies across the EU:

  • the information is considered secret because it is not generally known among, or readily accessible to, parties that normally deal with the kind of information in question;
  • it has commercial value because it is secret; and
  • the party lawfully in control of the information has taken reasonable steps to keep it secret.

The regulations state that the acquisition, use or disclosure of a "trade secret" is unlawful when it is in breach of the law of confidence. They also cover the use, acquisition or disclosure of a trade secret by third parties, when the party knew or ought to have known that it was obtained unlawfully.

The penalties are similar to those set out for breach of confidence above, but the breach of confidence remedies will apply to trade secrets disclosure where they are wider than those offered under trade secrets law.

What do the changes mean for employers?

Employers now have the opportunity to ensure confidential information is considered a "trade secret" under the regulations to take advantage of wider enforcement powers. This means establishing that the information has commercial value because it is secret and taking reasonable steps to keep it secret.

"Reasonable steps" have yet to be clarified but we would suggest employers take the following nine steps:

  1. identify and label documents containing trade secrets as confidential;
  2. encrypt trade secret documents and use passwords to protect them;
  3. limit the distribution of trade secret documents strictly to those who need to know;
  4. review employment contracts to ensure they contain appropriate post-employment restrictions around confidentiality;
  5. update confidentiality and security policies to ensure these demonstrate the steps taken to protect trade secrets;
  6. provide employees with training and guidance on the protection of trade secrets;
  7. update non-disclosure agreements and make sure these are always in place when trade secrets are passed on to a third party;
  8. consider whether additional protections should be inserted into client/supplier contracts; and
  9. assess their approach across the EU and be aware that protection may vary across member states.

As the Trade Secrets (Enforcement, etc.) Regulations 2018 have brought the EU regulations into UK law, these will continue to apply after Brexit. Additionally, businesses with an EU presence will receive the minimal level of protection and be able to enforce their rights in the other EU member states.

Organisations should make sure their policies and procedures are updated to cover themselves if an employee unlawfully reveals or uses their confidential information.