We all know those NDAs they make you sign before sharing important and sensitive data. As a consultant I’ve always got one on hand and I hope it shows the potential client that I take their privacy seriously. Weirdly enough, not everybody sees the need. Quite often I hear a potential client say “Oh no, I trust you. It’s fine”. But is it? I’m not saying I can’t be trusted, but as an organization you’ve got your due diligence to take care of, and getting people to sign an NDA is a large part of that. Here’s why.
What is an NDA and what types are there?
An NDA (Non-Disclosure Agreement) is an affidavit where a party states that they shall keep certain information confidential. There are a few different types:
- Unilateral – a one-way NDA. This is what I use as a consultant, since I’m working for the client and they are not sharing my data with me. We’d also have a processing agreement, which specifies more about my intellectual property rights regarding documents I’ve written and the like.
- Bilateral – meant for a two-way NDA. Some people and organizations prefer a bilateral NDA even when the information sharing only goes one way. Otherwise you’d use this when you’re considering a partnership, for instance, or in any other case where information flows both ways.
- Multilateral – when you’ve got three or more parties that will either share or receive information that needs to be protected.
What are some common topics in a Non-Disclosure Agreement?
- First and foremost, you should state who the party is or the parties are.
- It’s then important to define what the parties consider confidential and which types of information count as confidential. For instance, information that is public knowledge, or that was obtained from a different source, is not considered confidential.
- Often, you’ll see a further explanation of how the confidential information will be coded, for instance by colour or name.
- The duration of the agreement. My NDAs are confidential for life. Information that was considered confidential but has since become public is then no longer seen as confidential. It’s good practice to mention this in the NDA too.
- You’d want to write down what must be done with the received information once the agreement period has ended, and how you will prove it or how you will ask the other party to prove it.
- How the confidential information may be used (e.g. not for the receiving party’s own gain).
- Who the data may be shared with if need be, whether permission is required, and how that request to share must be made. For instance, in writing.
- The appropriate measures the parties must take to protect the information. Don’t confuse this with the processing agreement. A processing agreement has a fixed period, and even if you have both a processing agreement and a Non-Disclosure Agreement, still require the parties involved to have appropriate measures in place, and specify what this means.
- Any sanctions for not adhering to the agreement.
GDPR & NDAs
In the list above you’ll have noticed the terms ‘appropriate measures’ and ‘processing agreement’. The GDPR requires organizations that process personal data to have appropriate measures in place. One of those measures is making sure your employees, partners and whoever else you share data with have signed an NDA. For more information about NDAs and employees, see my H is for Human Factor Security blog.