CIArb Features

GDPR: the first 12 months – what have we learned?

07 May 2019

On Friday 25 May 2018 the Data Protection Act 2018 came into force and implemented the EU's General Data Protection Regulation (GDPR) in UK domestic law. Described by one data specialist as "beautifully drafted", GDPR may not be everyone's vision of beauty. Nevertheless it is not going away. How have we all coped in the past 12 months?

Many more breaches are being reported.

The Information Commissioner's Office (ICO) analyses breaches of the seventh data protection principle (the security principle) and personal data breaches under the data protection legislation, including GDPR. The seventh principle, per Part 1 of Schedule 1 to the now repealed Data Protection Act 1998, provided:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This has been replaced by Article 5(1)(f) of the GDPR:

[Personal data shall be:] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

The ICO found the most common breaches in the past 12 months are:

  • Data posted or faxed to incorrect recipient
  • Loss or theft of paperwork
  • Data sent by email to incorrect recipient
  • Failure to redact data
  • Failure to use bcc when sending email
  • Loss or theft of unencrypted devices

What is surprising is not that these types of breach are common but that they are still occurring, and in greater numbers. According to the ICO, notification levels have been rising:

Before 25 May 2018 these breaches were reported in aggregate across all 22 sectors monitored:

Apr 2016 – March 2017: 1,271 notifications

Apr 2017 – March 2018: 1,736 notifications

After 25 May 2018 the data is reported by reference to the GDPR categories of obligation and separately for each of the 22 sectors. The statistics for the Justice and Legal sectors combined are:

Apr 2018 – Sept 2018: 722 notifications

This covers only the six months in question but, significantly, it already represents almost 42% of all notifications in the preceding reporting year.

As at the date of submission of this article (3 May 2019), the year's quarterly statistics show a marked increase in the reporting of breaches, about which the ICO say:

“We believe recent increases are possibly due to increased awareness of the GDPR and the launch of our new Personal Data Breach helpline.”

What are the consequences of the changing landscape of the last 12 months for arbitrators and mediators? During that time:

  • GDPR has taken a grip
  • The Civil Justice Council recommended near-compulsory use of ADR
  • A greater awareness of breaches has developed
  • The ICO has made it easier to report breaches

Taken together, those changes will lead, over the next 12 months, to a sharp rise in the number of mediations and to many more breaches of data protection law, unless mediations are conducted securely from start to finish.

The biggest danger zone lies in the Collaboration Gap: the space between the parties' solicitors' extranets, where mutual distrust prevents one side from using the other side's extranet, so that documents end up travelling by less secure means. Furthermore, mediators and arbitrators cannot sub-contract responsibility for their own GDPR compliance to the parties' solicitors. That is partly because GDPR imposes obligations directly on arbitrators and mediators, but, perhaps of greater moment, because of their obligation to ensure the confidentiality of the arbitral proceedings or the mediation. That duty of confidentiality is placed squarely on the shoulders of arbitrators and mediators by their terms of appointment, and professional regulation adds further weight to that primary obligation.

These issues are being recognised by bodies such as the CIArb, whose latest arbitration rules call for cyber-security to be addressed. Nor is the CIArb alone: the International Institute for Conflict Prevention and Resolution (CPR) has also recently revised its administered scheme rules to include an obligation to consider cyber-security.

The ultimate responsibility for ensuring adequate cyber-security lies with the arbitrator or mediator. How well equipped are they to judge the adequacy of the cyber-security measures (if any) that the parties offer to the arbitration or mediation?

The neutral's role in ensuring reasonable and adequate security against unwanted cyber intrusion has been highlighted by recent instances of hacking in the international arbitration sector. It can only be a matter of time before further instances occur and serious fines (or worse) are handed out by the ICO and professional regulators. Be prepared!


Tony is the Director of Limited, the provider of online ADR platforms, and a Past President of the London Solicitors Litigation Association.