A Project Manager’s Checklist for Securing Information and Data Protection

Published on Sep 16th, 2017 by

Here’s a checklist of things that will help you keep a confidential project within the safe borders of your team or company.

  1. Train your people
  2. Make confidentiality a topic
  3. Talk with your HR department, create awareness
  4. Tailor your briefing material

Here I explain each item in detail.

Train or coach your people

Let people know how to deal with sensitive information and how to handle common online security risks (they don’t teach this in university). It is very important to have clear rules about the use of social networks: people will talk about their day on Twitter and Facebook anyway, and if it is not at the office, it will be at home. Don’t try blocking social networks on your network; laying down hard local constraints like that is ultimately a waste of time for everyone.

Confidentiality is a cultural thing

We educate each other, just by working together. It certainly helps to set an extreme example. One company I did consultancy for fired someone on the spot because he was overheard talking about a secret new product in a company cafeteria that was accessible to people outside the company too. Harsh but effective, news spread like wildfire. I do not recommend doing this without consideration.

At the very least, make confidentiality a topic at kick-offs, team meetings, one-on-ones, … until it is part of the team mindset.

Certainly, if your project is the odd one out that requires (additional) confidentiality, you will have to take extra precautions.

Talk with your HR department

Newcomers should be briefed immediately on security, confidentiality and data protection. We are creatures of habit: anyone who is used to broadcasting every bit of news will be inclined to keep doing so.

If you have areas that are off-limits, make sure everyone in your team is cleared and has access before they need it. “Because they didn’t let me in so I used the previous model to run the tests.” is the last thing you want to hear when you come back from a holiday, trust me.

Let people know who in management is responsible for security and privacy. If you have a Data Protection Officer (DPO), introduce this person to your team.

Tailor your project templates

Add fields like “confidentiality level”; these 3 degrees of confidentiality should cover most of your needs:

  • confidential –> don’t talk about it outside the company
  • secured –> confidential and everything needs to be on secured media
  • secret –> secured and only talk about it with people also listed as working on the project

Make sure your briefing material instructs your team on the way data should be stored. This often includes:

  • any personal data that was provided by users/customers (read up on GDPR and personal data if you have data stored in the EU or have EU citizen data for that matter)
  • data encryption
  • data retention
  • geographical constraints (the EU and the US have different regulations, for instance the EU-U.S. Privacy Shield)

Of course, you and your management have to be living examples. Nothing says it is OK to break the rules like seeing a VP or the CEO doing so.
