

Why use an NDA?

Non-disclosure agreements (NDAs), or confidentiality agreements, can be a useful mechanism to enable businesses to explore new commercial opportunities and potential relationships, before entering into a comprehensive commercial or transactional agreement. Under an NDA, the parties agree to share certain information on a confidential basis and for a defined purpose, and agree not to make any unauthorised, onward disclosure of that information. This can be particularly valuable in the context of commercial collaborations and R&D, where parties may need to understand each other’s operations and/or intellectual property to identify synergies. NDAs are also commonly used in RFPs and scoping exercises, where suppliers may need access to sensitive or valuable commercial information such as trade secrets, business finances, and operations to define the scope of services and related proposals.

NDAs work in tandem with and can be used to enhance the protections under the common law duty of confidence and the Trade Secrets (Enforcement, etc.) Regulations 2018, which protect trade secrets.

Defining your NDA: Key considerations

If you are sharing confidential information with a third-party pre-contract, an NDA should, wherever possible, be agreed and signed before any information is exchanged to provide the best protection. The prompts below are a quick guide to scoping your NDA requirements:

What information is being shared?

The starting point should always be a practical consideration of what types of information will be shared and whether it can be limited or redacted. Internally, you want to be clear about who within your business will be sharing data, by what means (e.g. secure transfer), and how you will keep a record of what has been shared. The information exchange could be mutual or one-way, and the NDA should reflect this.

Does the information include personal data?

If the information disclosed includes personal data, the parties must establish whether each use of the data is made as controller or processor, and abide by relevant data protection law and any security measures they want the recipients to carry out.

How (and for how long) can it be used?

The specific, permitted use(s) and users of the information should be clearly defined. This may include limitations or requirements for access, storage, and copying. Given the rise of gen-AI, incorporating restrictions on introducing the information into AI programmes may also be appropriate. The right of use should also be stated to end at a precise point in time, or event (e.g. if the parties cease negotiations).

How will information be protected?

It is advisable to understand the recipient’s existing information security infrastructure and whether this is sufficient to protect your information. The NDA can prescribe either specific requirements or that the recipient must apply at least as stringent protections for your information as those applied to its own confidential information.

(When) can that information be disclosed?

If your counterparty is likely to need to share information you provide with other parties (e.g. directors, employees, consultants, professional advisors), these parties should be defined. You may also want to require the counterparty to ensure those parties are contractually bound by equivalent obligations to those under the NDA. It is also common to make express provision for disclosures required by law and regulation, and how any such disclosure process should be managed.

When (or how) does the confidentiality period end?

Maintaining information in confidence indefinitely can be onerous and hard to administrate. As such, it may be appropriate to limit the confidentiality period by reference to the nature of information and how long it will retain its commercial value (for example, technical know-how may hold value longer than business performance data). In addition, it is typical to provide for circumstances in which protection no longer applies, for example, if the information becomes public knowledge as a result of any act other than a breach of the recipient’s obligations of confidence.

Who owns the information?

Typically, the disclosing party should reserve rights of ownership in any information shared (including intellectual property rights within it). Ownership of any information or IPR derived from the information disclosed should be addressed.

What is the consideration?

Legally, for the NDA to be enforceable, there must be a value exchange. Because NDAs are often entered into as part of pre-commercial arrangements, this is unlikely to take the form of money. In mutual NDAs, the consideration could be the parties’ reciprocal promises to protect each other’s confidential information. In other circumstances, such as a one-way NDA, nominal consideration may be necessary, or the contract should be executed as a deed.

What happens if there is a breach?

If commercially sensitive information is leaked, rapid remedies such as injunctions and specific performance are often more effective in mitigating the commercial impact than (only) claiming damages. As above, if the information includes personal data, consideration should also be given to potential regulatory risk and action.

What happens after the NDA?

If the parties’ negotiations lead to a formal commercial arrangement, the NDA is typically superseded by confidentiality provisions in the commercial agreement. If not, then the recipient should be required to return or destroy the confidential information.

The limits of an NDA

If well-drafted and executed correctly, NDAs are legally enforceable and provide your business with recourse if your information is leaked. It is in the nature of confidential information, however, that once disclosed, it may not be possible to ‘undo’ the breach or truly compensate for the damage caused by the disclosure. As a result, NDAs should not be considered a substitute for appropriate counterparty diligence and internal controls on how and how much information is shared with third parties.

Next steps

When well-managed and effectively communicated, NDAs can be a useful tool in defining parties’ expectations and help build and maintain trust in commercial relationships.

If you need advice on safeguarding your business’ commercial information and IP, and using NDAs in your business, please get in touch with our Commercial and Technology lawyers.


Stay ahead with the latest from Boyes Turner
