In the first post of this series, we explored what trade secrets are, what kinds of information can qualify for protection, and why trade secrets matter as business assets. That foundation is essential, but understanding what deserves protection is only the first step. In this second instalment, we turn to the practical question of how employers can protect their trade secrets across the full employee lifecycle: before employment begins, during the employment relationship, when investigating suspected misuse, and when an employee departs.
Recruitment and Onboarding: Managing the Inbound Risk
The lifecycle of a trade secret starts before the employment begins. When recruiting employees from competitors or from roles involving sensitive information, employers should be alert to “inbound risk”: the possibility that a new hire may bring, disclose or use confidential information belonging to a previous employer, and that the new employer may itself be exposed as a result. This can happen deliberately, but it can also happen through poor habits, misplaced enthusiasm or a misunderstanding of what may be used in the new role. In Finland, a new employer may itself face serious consequences, including criminal liability and civil remedies such as injunctions and damages, if it uses or benefits from information that was unlawfully obtained or disclosed by a former employee. Managing inbound risk is therefore not only good practice but also a matter of legal self-protection.
The interview process should be managed with that risk in mind. Interviewers should focus on the candidate’s general skills, experience and suitability for the role, not on confidential details about a former employer’s business. In particular, candidates should not be asked to disclose:
- Non-public pricing strategies or discount structures,
- Future product features or technical solutions,
- Customer lists or supplier terms, or
- Internal processes or strategic plans.
It is good practice to tell candidates at the start of the process that the company does not want to receive third-party confidential information. The aim is not to prevent candidates from drawing on their general skills and experience, which is both inevitable and legitimate, but to keep a clear boundary between portable professional know-how and information that remains the property of the former employer.
Before a job offer is finalised, employers should ask whether the candidate is subject to any continuing obligations that could affect the new role, such as confidentiality obligations, non-solicitation restrictions or non-compete clauses. If such obligations exist, they should be reviewed carefully as the nature of the obligation matters. A genuine non-compete clause may prohibit the employment itself or the competitive activity as a whole; in that situation, role-structuring does not remove the legal risk, and the employer faces a substantive decision about whether to proceed. Where the obligations are of a narrower kind such as confidentiality undertakings or non-solicitation restrictions, it may be possible to reduce risk through practical steps such as:
- Limiting the employee’s involvement in certain projects,
- Assigning them to different customers or territories, or
- Documenting why the new role does not require the use of former employer information.
Onboarding is also an opportunity to set expectations. It is good practice to obtain a written confirmation from the incoming employee that they have returned or deleted material belonging to their former employer and that they will not bring third-party confidential information into their new role. In practice, this confirmation is often incorporated directly into the employment contract, rather than handled as a separate onboarding document. Either approach achieves the same purpose. In Finland, this confirmation has practical legal significance: an employer that uses or benefits from a trade secret knowing that the information was originally obtained unlawfully may itself face liability. A written confirmation, combined with the steps taken during recruitment, helps demonstrate that the employer acted in good faith. It also sends a clear message that the organisation expects the same respect for others’ confidential information that it expects for its own.
Active Employment: Building a Culture of Confidentiality
During employment, trade secret protection has both a legal and a practical dimension. Employees are under a legal obligation not to misuse or disclose their employer’s trade secrets, and that obligation covers the full employment relationship including any notice period. Importantly, a statutory obligation of confidentiality can survive the end of employment even without a contractual clause. The scope of that residual protection depends in part on whether the employer took reasonable steps to treat the information as confidential in the first place. Where the employer wants post-employment obligations to be clear and enforceable beyond the statutory baseline, they should be set out expressly in the employment contract or a separate confidentiality undertaking. Contractual wording alone is not enough: employers should also be able to show that the information was identified, access was appropriately limited, and employees understood how sensitive material should be handled.
Practical safeguards will vary depending on the business and the information involved. Common measures include:
- Physical controls such as access restrictions, visitor procedures and secure storage for sensitive documents, and
- Digital controls such as multi-factor authentication, encryption, restricted database access, logging and regular permission reviews.
The key principle is need-to-know access: employees should have access to the information they need for their work, but not to sensitive material unrelated to their role. In practice, this principle is harder to apply than it sounds. In many organisations, employees at all levels handle sensitive information as part of their ordinary work, and collaborative working models mean that information often needs to be accessible across functions, project teams and seniority levels. Need-to-know access therefore cannot be managed by a blanket policy alone. Employers also need to make sure that employees in different roles understand what is confidential, why it matters and how they are expected to handle it.
Employers should also be clear about what they consider especially sensitive. It is unrealistic to label every document, but companies can identify categories of information that call for caution, for example:
- Source code and technical designs,
- Strategic roadmaps and business plans,
- Pricing models and customer information, or research and development material.
Training should be practical and role-specific. Sales teams, developers and executives typically handle information that falls squarely within the scope of trade secret protection. HR personnel often work with sensitive information of a different kind such as salary data, performance records, and personal employee information, which may be confidential under employment or data protection law rather than the Trade Secrets Act. The legal basis differs, but the practical culture being described here applies equally: understanding what is sensitive, handling it with care and knowing when not to share. Regular reminders and visible enforcement help show that confidentiality is part of how the business operates, not just wording in a contract.
Remote work and personal devices create additional risks. If employees are allowed to use personal phones, laptops or cloud services for work, the employer should have a clear policy covering:
- What is permitted and what is not,
- How company data must be stored,
- When access may be restricted or removed, and
- How employee privacy will be respected.
The policy should be realistic. Policies set at an unrealistic standard tend to be disregarded in practice.
Confidentiality policies must also recognise that some disclosures are legally protected regardless of their content. Under EU law, trade secret protection cannot be used to prevent or penalise employees who report wrongdoing to competent authorities in good faith. A well-drafted policy protects genuine trade secrets while making clear that confidentiality obligations do not restrict employees’ right to report legitimate concerns.
Monitoring and Investigations
Employers have a legitimate interest in monitoring their systems and investigating suspected misuse of confidential information, but any such activity must respect both privacy and employment law. The rules should be set before a problem arises, and the basis for any monitoring documented clearly.
Technical monitoring such as logging access, detecting unusual downloads or flagging large data transfers can form a useful part of trade secret protection, provided that information collected for security purposes is used only for those purposes and that monitoring does not become general surveillance of performance or behaviour.
Communications access requires particular care. Even where an account or device belongs to the employer, employees retain privacy rights in their communications, and access is subject to specific legal preconditions. In Finland, an employer must first have offered each employee practical mechanisms for managing emails during absences (an automatic reply, forwarding, or a designated colleague) before it can acquire the right to access a mailbox at all. Even then, access is only permitted if the employee’s consent cannot be obtained within a reasonable time and the matter cannot be delayed. Access to a mailbox should be treated as an exceptional step, and the process, when genuinely necessary, should be narrow and documented: limited to relevant dates, senders or keywords; involving only those who need to participate; and accompanied by a written record provided to the employee without undue delay.
In higher-risk situations, legal advice should be taken before acting, particularly where the matter may lead to disciplinary action or litigation. Prevention and well-designed access controls will generally do more than enforcement after the fact.
Exit and Post-Employment: Securing the Outbound Risk
Employee departures are one of the highest-risk moments for trade secret protection, especially where the employee is moving to a competitor, joining a customer or supplier, or starting a competing business. The risk is not limited to deliberate theft. Employees may keep copies of files out of habit, retain data in personal cloud storage, or wrongly assume that material they helped create is theirs to reuse.
A structured exit process helps reduce that risk. The exit interview should be used to:
- Remind the employee of continuing confidentiality obligations,
- Identify any outstanding company property, and
- Address practical questions about documents, devices and access rights.
The tone should remain professional. The purpose is to protect the business and create a clear record, not to turn every departure into a dispute. The employee should be asked to return company property and confirm that company information has been returned or deleted from personal devices, private email accounts and cloud storage. Access to company systems should be removed promptly and in a coordinated way, covering:
- Remote access and VPN connections,
- Shared drives and collaboration tools, and any role-specific platforms or databases.
For senior employees or those with access to highly sensitive information, a tailored exit checklist is worth considering.
Where the circumstances indicate a heightened risk, the employer may also consider preserving relevant electronic evidence before devices are wiped or reissued. This should be done carefully and proportionately, with attention to privacy and data protection requirements. The aim is to preserve a reliable record in case later evidence suggests that confidential information was copied, transferred or used.
Post-employment restrictions also deserve careful attention. Non-compete and non-solicitation clauses may be relevant where an employee has had access to highly sensitive information, but they are usually subject to scrutiny and should not be treated as standard wording for every employee. A non-compete clause can help protect the business during a limited transition period after a key employee’s departure, particularly where the employee has had access to information whose competitive value is likely to diminish over time. That said, such restrictions should go no further than what is needed to protect the employer’s legitimate interests and should be assessed in light of the employee’s role, the information involved, the duration of the restriction and the applicable legal requirements.
In Finland, non-compete restrictions carry direct financial consequences. An employer that restricts a departing employee from competing work must pay compensation throughout the restricted period, at least 40% of the employee’s salary for restrictions up to six months, and at least 60% for longer restrictions. This makes selective and carefully drafted use of non-competes especially important. Employers should focus them on roles where a genuine trade secret risk cannot be managed through confidentiality obligations or access controls alone.
For many departures, a concise reminder letter is a proportionate and effective protective step. It confirms on the record that the employee is aware of their continuing obligations, which apply by operation of law regardless of whether they are restated in a letter. Where the departure is amicable and the risk is moderate, this will often be sufficient.
Conclusion
The measures described in this post form the practical backbone of trade secret protection across the employment lifecycle. They are, however, only as strong as the internal framework behind them: the policies, processes and organisational structures that determine how confidential information is identified, managed and shared. In the third and final instalment of this series, we look at how employers can build that framework through a coherent trade secret policy.
