It has already been established that most businesses process and store at least some sensitive data. The type and volume of sensitive data used vary according to industry and business size. If your business interacts with large amounts of sensitive data that is accessed by a variety of different employees throughout its lifecycle, then it is probably a good idea to get the employees’ sworn word to ensure the security of the data is upheld.
By requiring employees to sign a Non-Disclosure Agreement (NDA) during the onboarding process, you can uphold non-repudiation: the employee cannot later claim that they never agreed to maintain data confidentiality. Combining NDAs with other non-repudiation tools, such as session monitoring and logging, can help reduce the risk of insider threats to your business.
Not all NDAs are created equal, and if you have various roles that interact with sensitive data in your organization, you should create a different NDA for each role. Furthermore, there are two ways an NDA can function: one-way, which means only one party needs to adhere to the agreement, or two-way, meaning the terms are respected by both parties.
The NDA should clearly state the scope and the included parties. Usually, the NDA will be between your organization and the individual employee. The agreement text should also give a clear definition of sensitive/confidential information, including any nuances specific to the role and data being addressed. Also, explicitly list any data that is excluded from the NDA. For example, a database may be designated for confidential data but may also hold some public data for any number of reasons. It is important to document these nuances so that the employee's responsibilities are as clear as possible.
The agreement should also state its duration and the expectations placed on the receiving party (the employee). For example, the agreement may be in effect for the entire duration of the data’s lifecycle and require that the employee only access the data for employment purposes and refrain from any illegal operations.
This is the basic skeleton of an NDA between the business management and an employee. However, NDAs may also be necessary in transactions involving third parties who need to access sensitive internal data to perform their services. In these cases, the same basic outline of an NDA applies, but the text will need to be written to fit the appropriate context.
Finally, always make sure NDAs are signed by both parties and stored in secure environments with backups and controls for data at rest.
