Governance

Imagine discovering that you are listed as a director of a company you have never heard of, or worse, you are the director of a business used for criminal activity. From 18^th November 2025, Companies House will implement one of the most consequential reforms in recent years. Under the Economic Crime and Corporate Transparency Act 2023, every company director and every Person with Significant Control (PSC) must verify their identity before acting in that capacity.

While most commentary so far has focused on who needs to verify and how, the deeper story is about protection, protecting people from identity theft, misuse, and reputational harm, while strengthening the integrity of UK businesses.

Practical changes

The process for directors and PSCs will change fundamentally. New appointments must be verified before registration, and existing directors and PSCs will be required to complete verification by the date of their company’s next confirmation statement, within a 12-month transition period. Verification can be completed either through GOV.UK One Login or through an authorised corporate service provider, such as an accountant or solicitor.

Once verified, each individual will have a unique verified identity that serves as their secure identifier for all future filings. It will be an offence for an individual to act as a director, or for a company to permit an unverified individual to act, without verification once the new rules are in force. Together, these measures mark a shift from a passive registry to an active verification system, one that checks who people are, not just what they type.

How the reform protects individuals

For years, people have found themselves listed as directors of companies they had never heard of. Fraudsters could simply type in a name and file it. The new system stops identity theft before it starts by ensuring that every appointment is tied to a verified identity, confirmed through secure government channels. It prevents criminals from registering fake companies under someone else’s name or using an address to lend legitimacy to fraud.

The reforms also build trust in public records. The Companies House register shapes perceptions among banks, clients, and regulators. With verified identities, the names listed will correspond to real, consenting individuals, making each professional record more credible and resistant to impersonation or error.

Verification also puts individuals in control of their corporate identity. A director’s verified identity becomes the key to their official record, ensuring that no one can appoint them to a company or amend their details without consent. This change gives individuals confidence that their name cannot be used behind the scenes without their knowledge.

Another important aspect is protection from unwanted liability. Under the old system, it was possible for people to be framed as company officers, attracting tax demands, debt notices, or legal correspondence they did not deserve. The verification process closes that loophole, meaning individuals can no longer be held accountable for companies they never agreed to join.

How the reform protects personal information

These reforms don’t just verify who people are; they also reduce how much of their personal information is exposed. Verification relies on secure digital checks using documents such as a passport or driving licence, but those documents are not stored or made public. Companies House will retain only the minimum information needed to maintain an accurate register, ensuring that identification data never appears online or remains in long-term storage.

Only verified individuals and authorised agents will be allowed to file or amend details, which means a person’s name cannot be added, edited, or reused without their verified code. This creates a built-in safeguard against unauthorised or malicious submissions.

Another major improvement is that one verification replaces repeated exposure.

Previously, directors had to send ID documents multiple times for different incorporations or filings. Now, verification will typically happen once, using GOV.UK One Login or an authorised provider, after which the secure status can be reused. This reduces the number of data copies in circulation and lowers the risk of breaches or leaks.

Each submission to Companies House will now link to a verified individual or regulated service provider, creating a robust digital audit trail. If someone misuses another person’s information, it can be traced, making transparency itself a deterrent and ensuring that misuse becomes both detectable and punishable.

Companies House will also have stronger powers to remove false or outdated information and to suppress entries that pose a risk. Errors and outdated data can therefore be corrected more quickly, reducing long-term exposure. This aligns the new model with key data-protection principles, data minimisation, purpose limitation, and confidentiality, ensuring that corporate transparency finally coexists with personal privacy, something the UK register has long lacked.

Transparency, trust, and accountability

Every verified record will still be public, but every identity will be real, consent-based, and better protected. In a time when trust is fragile and information spreads instantly, this is not a minor upgrade. A verified register strengthens the system as a whole. It raises the bar for everyone, making it harder to create shell companies, curbing money-laundering, delivering better transparency, reinforcing accountability, and restoring trust. The reforms will help create a cleaner and more trustworthy business environment for all.

In most organisations today, data is one of the most valuable assets, yet it is also one of the most difficult to control. Even with well-managed official systems, a parallel world of untracked, unmanaged, and unmonitored data often exists, also known as shadow data. Previous articles of mine cover Shadow IT and Shadow AI. In contrast, shadow data is sensitive or business-critical data that has slipped outside approved processes and governance controls.

Shadow data exists outside sanctioned systems, controls, and oversight. It typically arises because people prioritise convenience, speed, or workarounds over policy. The problem is not that the data exists, but that it is often invisible to those responsible for protecting it.

Forms of shadow data

• Unapproved copies of sensitive data. An analyst downloads customer records into a spreadsheet. The official database is secure, but the spreadsheet is not.

• Data in unsanctioned apps, such as the use of personal cloud storage or messaging tools to share files instead of company-approved platforms.

• Orphaned backups or snapshots. Forgotten database snapshots or cloud storage remain open long after they are no longer needed, often with excessive access rights.

• Forgotten test and development data. Developers copy production data into test environments. These environments often lack the same protections as live systems, yet they still contain sensitive details.

Why shadow data matters

• Shadow data is often outside encryption, access controls, or monitoring. Attackers will look for weak links, such as laptops, shared drives, or forgotten cloud storage.

• Regulations such as GDPR require organisations to know where personal data resides. Shadow data undermines these compliance efforts and may lead to fines or sanctions.

• Duplicate datasets lead to inconsistent reporting, poor decision-making, and unnecessary storage costs.

• In the event of a breach, businesses may underestimate the scope because they are unaware of hidden datasets.

Working examples

A hospital stores patient records in a secure, encrypted database, but:

• A doctor, needing to work quickly, exports patient details into a spreadsheet

• Copies of data not under hospital control

• Sensitive health data across multiple insecure locations

• Introduction of compliance, legal, and reputational risk

A law firm manages client files in a secure document management system, but for convenience, solicitors, partners, trainees, or other staff:

• Save case files to USB or laptop drives

• Email document bundles through public email systems

• Collaborate through personal Dropbox or OneDrive accounts

Shadow copies of data may contain privileged client data. If a laptop is lost or if a client requests data deletion, the firm cannot ensure removal of these unofficial copies. What began as minor workarounds now represents serious compliance and reputational risk.

While shadow data often arises from legitimate needs, it introduces risks that can outweigh the convenience. For businesses bound by regulation, trust, and professional duty, shadow data can quietly erode compliance and expose sensitive information. One quick copy can multiply into a long-lasting vulnerability. Bringing shadow data into the light is no longer optional.

Imagine if one person held the only keys to a vital system, and then went on sudden sick leave. How long would it take before things ground to a halt?

There is a persistent fallacy in some workplaces, the belief that if you keep your knowledge to yourself, you become indispensable. That by becoming the only person who knows how to do a task, run a process, or fix a problem, you’re creating job security. In reality, this mindset introduces fragility, not strength. It’s a short-term tactic that fails the long game of career growth, leadership, and organisational resilience.

In a previous article, Winning the lottery or failing the bus test (8^th June 2015), I explored a simple resilience thought experiment: What happens if a key person wins the lottery or gets hit by a bus? Whether someone leaves for joyful reasons or tragic ones, the point remains. Businesses must be prepared to continue functioning without any one individual.

That article focused on assessing the risk, whereas this one focuses more on one of its root causes; knowledge hoarding.

The Hidden Cost of Knowledge Hoarding

The idea that hoarding knowledge makes you valuable is deeply flawed. It’s understandable that people want to feel needed, but locking knowledge inside our heads doesn’t protect our position. In practice, it limits our growth, introduces single points of failure or single points of success into the business, situations where one person’s absence could derail critical operations or progress. These points of fragility are the antithesis of good governance, risk management, and succession planning.

I have experienced many situations over the years where we have discussed specific topics and issues, identified information that we needed to proceed, assigned tasks in the meeting, and scheduled a follow-up meeting, only to discover a week later that someone already had all the information but didn’t share it, allowing us to waste valuable time.

Understanding the Motives

People hoard knowledge for many different reasons. Sometimes fear-based, other times it’s due to past experiences or organisational dynamics. Here are some of the most common causes:

• Fear of being replaced

• Belief that knowledge equals power

• Job insecurity

• Ego or status-driven behaviour

• Lack of trust in colleagues or leadership

• Past experiences of being overlooked or unrewarded after sharing

• Competitive or toxic workplace culture

• Unclear job boundaries or expectations

• Lack of recognition for knowledge-sharing efforts

• High workloads and time pressure

• Absence of easy-to-use documentation tools or systems

These are based on a fallacy, that being the only one who knows something creates job security. In truth, this behaviour can backfire spectacularly. The real value comes from empowerment, not from exclusivity.

Sharing knowledge also depends on trust. In organisations where people feel safe to ask questions, admit what they don’t know, and share openly, knowledge flows more naturally. This psychological safety underpins a learning culture and strengthens resilience.

I once had a conversation with someone who told me that, because I’d gone to university and earned a degree at great personal expense, my knowledge was my property, something to sell, not share. I’ve never fully agreed with this mindset. I’ve always felt that knowledge becomes more valuable when it helps others. It is one of the reasons I continue to write and publish articles here on Integritum; not because I have all the answers, but because collective thinking helps us all improve.

In resilient teams:

• Knowledge flows through cross training

• Processes are documented, shared, and improved collaboratively.

• Team members cover each other’s workload during sickness and annual leave

• If someone receives a promotion, resigns, or retires, they can do so without the business suffering.

The Path to Growth

If someone else can do what you do, it doesn’t make you replaceable, it makes you promotable. Consequently, the objective is not to cling to tasks, but to enable others so we can move on to higher-value work. It is not about guarding secrets, but creating capacity in others.

For succession planning, every role should have a shadow, a backup, or at least a process manual. This also supports onboarding new staff, covering holidays or sickness, or responding to emergencies. Shared knowledge builds resilience.

When we share knowledge, the benefits are wide-reaching. It builds trust, supports professional development, and improves operational continuity. For example:

• We build trust with colleagues

• We support a culture of learning

• We position ourselves as leaders

• We reduce organisational risk

• We create the conditions for personal growth and advancement

The idea that ‘if no one else knows how we do this, they’ll always need us’ may feel like control, but in reality it only serves to trap us where we are. True job security doesn’t come from being irreplaceable, it comes from being so effective, helpful, and growth-oriented that people want us to succeed, and want to give us responsibility, not less. The more people that can do what we do, the more space we will have to do something greater.

Standards such as ISO 27001, ISO 9001, and ISO 42001 define management system frameworks that reinforce the importance of documented processes and knowledge continuity as core aspects of resilience and risk management.

As AI continues to automate routine work, the value of human roles will shift even more toward strategic thinking, mentorship, and collaboration, all of which depend on shared knowledge.

In 2017 and 2018, I wrote a four-part series titled “How Much Info Is Too Much?” to challenge an uncomfortable norm: professionals, especially in IT and information security, are routinely expected to share confidential client details as proof of credibility. Whether in procurement discussions or during recruitment, the pressure to disclose private information to secure the next opportunity became standard practice.

Seven years later, this article recaps the original series, ties in a follow-up article on recruitment ethics, and considers whether we have changed our professional culture or whether client confidentiality is still treated as expendable when careers or contracts are on the line.

The Ethics of Disclosure

The series began with a direct comparison that exposed the double standards applied to confidentiality in IT and other professions.

“Imagine asking a solicitor about their past divorces to prove they can handle yours. It would never happen.”

Part 1 (4^th December 2017) challenged the assumption that sharing previous client information demonstrates trustworthiness. It used everyday examples like taxi drivers, alarm installers, and lawyers to make a key point. In nearly every other industry, discussing former clients would be considered unprofessional, if not a breach of duty. Why should IT and information security be any different?

Even now, procurement teams and hiring managers sometimes equate name-dropping past clients with credibility. Sharing details about past clients to win future work may signal cooperation, but it also demonstrates a lack of discretion and professionalism.

During my years running a small business, I often found myself pressured to list previous clients. This expectation not only contradicted the NDAs I had signed, but also reflected a fundamental misunderstanding of professional discretion. This isn’t to say that referencing clients is always wrong, but it must be:

• Done with clear consent

• Aligned with contractual terms

• Handled with the client’s reputation and privacy in mind.

Anything less risks crossing the line from credibility to compromise. In my case, I relied on client-provided testimonials, which offered a transparent and ethical way to demonstrate value without breaching confidentiality.

• An obvious red flag during procurement is the request for client names during early-stage discussions. Referencing industries served, or challenges solved is usually sufficient; naming clients is rarely necessary.

• While IT lacks formal licensing, many adjacent fields, including law, healthcare, and finance, would consider such disclosure a breach of conduct. Expectations in tech are starting to catch up.

• Professional trust is earned through process, integrity, and insight, not by exposing others’ confidential work.

• Clients who ask you to sign a Non-Disclosure Agreement (NDA) while requesting information about your past clients fail to see the contradiction.

• Professionalism includes protecting client reputations long after the contract ends, reinforcing trust and encouraging future referrals.

Spotting Red Flags in Early Conversations

The second article shifted from theory to practice, warning about misleading early-stage discussions.

“A 15-minute call that’s all about your past clients and nothing about current needs? This is not a sales lead; it is a red flag.”

Part 2 (12^th December 2017) moved from principle to practice, focusing on identifying conversations that veer into information mining rather than genuine engagement. If a potential client spends more time asking about previous engagements than outlining their own needs, it’s likely not a real opportunity.

With AI-powered phishing, voice impersonation, deepfakes, spoofed job interviews, fake procurement opportunities, and corporate espionage now part of the landscape, the original advice has only grown in relevance.

• If the caller avoids basic discovery questions like “What are your current pain points?” or “What do you need?”, it’s likely not a real opportunity.

• Attackers use believable personas (recruiters, clients, journalists) to harvest sensitive business information.

• Ethical conversations involve reciprocal openness, so we shouldn’t share anything confidential if the other party is unwilling to share anything about their needs.

• Professionals don’t always know how to identify social engineering.

• Having a clear discovery script or process can help deflect and detect bad actors while remaining professional.

When Disclosure Becomes Expected

Part three took a more candid tone, acknowledging that indiscretion is sometimes rewarded, even incentivised, in the workplace.

“Those who break confidentiality are often rewarded with a contract opportunity, not because they are professional, but because they cooperate in breaching confidentiality.”

Part 3 (18^th December 2017) took a sharper tone, acknowledging the grim reality that disclosing confidential information helps people win work. This behaviour has become normalised in sectors like IT and information security, where no professional licence to revoke and no external body enforcing ethical standards.

We still see this today, especially in competitive bids where clients and employers reward name-dropping and logo slides. ISO standards, frameworks, and organisational codes of conduct are slowly shifting this culture by embedding expectations of privacy, discretion, and ethical information handling.

• Selection teams often reward evidence of previous client activities, and from personal experience, I know how not being short-listed for an opportunity by refusing to disclose confidential information feels demoralising. This perpetuates indiscretion as a competitive advantage.

• I’ve seen contracts where the NDA was so vague that confidentiality was open to interpretation.

• It feels like people and businesses are gradually reframing discretion as a strength rather than treating it as an obstruction. I’ve lost count of the opportunities I missed because I chose to uphold confidentiality. Today, especially in regulated sectors, disclosing client details without authorisation now carries legal risk as well as reputational damage.

A Professional Alternative

To counter the trend of oversharing, the fourth article offered a proactive solution: shifting the focus to structured, client-first engagement.

“Credibility should come from solving real problems, not showcasing someone else’s private history.”

Part 4 (4^th January 2018), and the final article in this series, offered a way forward: a professional five-step process for engaging with clients. It helps avoid off-topic digressions about past work and puts the focus where it belongs, on solving the client’s current problems through a structured, ethical dialogue.

As procurement and supplier due diligence processes become more rigorous, driven by regulatory scrutiny, AI governance, and Environmental, Social, and Governance (ESG), structured professional processes are no longer a luxury. They’re essential for resilience, trust, and legal protection.

• A professional engagement process builds more trust than any client list ever could.

• Clients need insights into their problems, not a retrospective view on someone else’s problems.

• When done well, structured onboarding protects both sides and guards against phishing and reputational damage to  both parties. Clients are increasingly judged by what they ask and how they conduct vendor selection.

• I found that having repeatable processes helps maintain credibility through moments of pressure, ambiguity, or inconsistency. I don’t recall who, but someone once told me that “How people behave some of the time reflects how people behave all of the time”. I heard a similar quote recently “How you do anything is how you do everything”. This applies to confidentiality, as if I am will to tell a potential client what I did for previous clients, it is reasonable for them to assume I would do the same in the future with their confidential information.

Recruitment: A Parallel Problem

The follow-up article expanded the issue into recruitment, highlighting the ethical risks of sharing confidential information when changing jobs.

“If you’re willing to use your current employer’s clients now to get a new job, you’ll likely do the same to your next employer.”

In this follow-up article, Avoid Revealing Employer’s Clients (12^th April 2018), I explored how the same confidentiality breaches play out during recruitment. Candidates sometimes list their employer’s clients on public profiles and CVs or refer to them in interviews, thinking it shows breadth of experience. However, the ethical problem is the same: those clients aren’t theirs to share.

Today, these disclosures can end careers before they start. Many firms now treat unauthorised disclosure of client identities as a breach of NDA, contract, or even data protection law, and rightly so. Confidentiality applies just as much when leaving a company as when engaging with a new one.

• Listing employer clients without authorisation can violate contracts and raise character concerns before the interview stage.

• Employers increasingly filter out candidates who appear to treat sensitive data as a personal asset.

• I recall refusing to give client names because of confidentiality, then declaring that I had passed their confidentiality test, and that we can move on to discussing their requirements. They refused to do that. I saw this as a big red flag.

• Some roles now include applicant-level risk profiling where client name-dropping is seen as a security weakness.

• NDAs, employment contracts, and professional ethics don’t expire when you change jobs.

• The best candidates increasingly demonstrate judgement, not just experience.

• Organisations with strong governance cultures actively avoid hiring people who treat discretion as optional.

• Some recruitment agents still encourage “name-dropping” for profile strength, but this can backfire for both candidates and the agency.

Additional Thoughts

Whether in recruitment or procurement, the heart of this matter remains unchanged. Professionalism in this context is about discretion, not disclosure. We can’t gain trust and establish credibility by revealing what we did for others; we can only demonstrate what we can do for future clients or employers.

That said, one fact remains the same. Suppose people and businesses are forced to choose between disclosing client names (along with what was done and when) or risking the conversation about future work ending abruptly. In that case, they often choose the opportunity first.

Unfortunately, many professional cultures still reward indiscretion while overlooking integrity, especially when disclosure offers a short-term advantage. This isn’t just a question of professionalism; it’s a systemic problem.

It reminds me of the UK smoking ban in pubs. Many landlords wanted to implement a smoke-free policy years before it became law, not just for the health benefits but also to create a better environment for their customers and staff. They couldn’t because if one pub acted alone, the smokers would go next door, taking away a significant portion of their revenue. There were a few exceptions, but it wasn’t until the ban became a legal standard that everyone could act without fear of competitive loss.

Confidentiality suffers from a similar imbalance. Clients, employers, and recruiters are legally entitled to ask questions. Employees, consultants, and small business owners often feel compelled to respond, as not answering might mean losing the opportunity.

Change will remain slow until our professional culture matures to reward discretion and due process rather than indiscretion and shortcut credibility. It will remain impossible to lead alone, and the cycle will continue.