At the end of April, the German Trade Secrets Act went into effect. It obligates companies with operations in Germany to take appropriate confidentiality measures to effectively protect their know-how. Organizations that fail to quickly adapt technically and organizationally to the requirements of the Trade Secrets Act will have a bad hand when it comes to any disputes in court. To introduce a comprehensive protection policy for trade secrets, we recommend companies take a five-step approach.

On April 26 the Trade Secrets Act, passed by the German Bundestag, went into effect. It implements the know-how directive of the EU dated June 8, 2016. The European guideline aims to ensure, “the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.” In brief: As companies increasingly share digital content across borders, it is critical to uniformly protect business know-how in the EU against unwanted access.

Due to the above EU directive and the German Trade Secrets Act, the legal situation has changed dramatically. Previously in German law, the concept of trade secrecy was not defined legally. If you wanted to protect your company’s know-how, you simply declared it a trade secret. So, in the language of the law, a "subjective secrecy will” applied.

The new Trade Secrets Act redefines the concept: According to this, information is a trade secret, if it is secret and therefore has economic value. Additionally, the lawful owner of the information must also ensure that he or she has implemented "appropriate confidentiality measures." In other words: A trade secret is only legally worthy of protection, if its owner also demonstrably protects it adequately – a mere expression of will is no longer sufficient. However, the text of the law remains unclear as to what exactly is meant by "appropriate confidentiality measures."

The owner of a trade secret is "any natural or legal person who has the legitimate control over a trade secret." Those who want to effectively protect against access to trade secrets by unauthorized third parties, need to implement monitoring mechanisms and documentation similar to the requirements for other legal regulations such as "Principles of orderly computerized accounting systems (GoBD)” and EU General Data Protection Regulation (EU GDPR).

Companies will have to come up with an appropriate protection policy. If you cannot provide evidence of any organizational, technical and legal measures taken to ensure secrecy, then you cannot invoke the protection afforded by the Trade Secrets Act. First, companies should understand what information and data should be classified as secret. In addition to balances and the data of customers and suppliers, information and data considered confidential can include, in particular, prototypes, business or construction plans, recipes, algorithms, programming code and documentation.

It is also important to ensure that unauthorized persons cannot access sensitive and critical data on the company’s intranet servers. In addition, employment contracts with persons with security clearance must include the corresponding confidentiality agreements and non-competition clauses. Likewise, a company should contractually prohibit reverse engineering, i.e. the ability to analyze an existing system, successively copy it and develop it further on this basis.

Experts recommend a five-step process for setting up a protection policy.*
 
Step 1: Take stock
First, a company should check which know-how is worthy of protection and to what extent.

Step 2: Plan 
At this stage, the company defines, based on a risk analysis, the organizational, technical and legal measures necessary to ensure trade secrecy.

Step 3: Implement
The designated employees and departments implement all of the agreed measures.

Step 4: Test 
The company now checks to see how effective the measures implemented have been, and identifies potential weaknesses.

Step 5: Optimize
Finally, it is important to correct any identified weaknesses and analyze, continuously review and, if necessary, further improve the costs and benefits of the protection policy you have implemented.

To protect information classified as secret, IT-related measures are necessary. However, companies have to decide on a case-by-case basis what counts as an appropriate measure under the new Trade Secrets Act, because the law does not specify any concrete measures. For orientation, Article 32 of the EU GDPR is helpful; it provides information about how to protect personal data in accordance with the law. If you have already done your EU GDPR homework, you’ll be able to apply these experiences to the IT-related implementation of the provisions in the Trade Secrets Act. If you have not yet been active in this area, you must start implementing a protection policy without delay – the law has been in force since the end of April 2019.

A state-of-the-art, innovative enterprise content management (ECM) system can help your company comply with the IT security requirements for trade secrecy. For example, the multi-certified Doxis ECM system enables companies to meet the legally relevant compliance requirements and regulations such as EU GDPR and GoBD, as well as internal compliance requirements.

Data and information can be protected by multi-tier authorization concepts that use metadata to classify the data according to the security level. With Doxis, companies can specify who can view, edit or delete information in documents, directories, electronic records and processes. This provides companies with documented access protection for documents, data and processes. In addition, the Doxis audit trail seamlessly logs all access and changes to information – and can serve as proof that information has not been tampered with.

Additionally, the Doxis safeLock compliance solution can be used to protect sensitive information from theft, loss and modifications; it can also be used to document compliance in an audit-proof manner and in accordance with the relevant retention periods. For particularly sensitive documents, companies can set deletion locks for an unlimited period of time. In addition, Doxis safeLock provides the highest level of security with WORM-based write protection (write once, read multiple) that prevents any change during the retention period. Doxis provides a bundle of features, functions and measures to ensure your trade secrets remain confidential.

*https://www.pt-magazin.de/de/gesellschaft/recht/das-neue-geschäftsgeheimnisgesetz-blinder-fleck-im_jv3sn5hs.html