Privacy by design to safety by default: A process improvement approach to data protection

11 October 2016

Process improvement in a legal context

The concept of taking a process improvement approach to legal practice is gaining momentum. Historically, it has been those in General Counsel and in-house roles who have applied formerly manufacturing-based methodologies to respond to challenges in the legal sector such as improving efficiency and reducing the cost of transactional work or litigation, often following the lead of the organisations within which they operate. The development and adaptation of process improvement tools and techniques, particularly Lean Six Sigma, for professional services has enabled law firms to follow suit and we are starting to see a steady emergence of the “process improvement lawyer” (or equivalent) across the sector, working closely alongside the other emerging breed of legal project managers.

Recognised as a hallmark of a Six Sigma project is the “DMAIC” approach to projects; a rigorous pattern of key tools and techniques within five key project phases: Define, Measure, Analyse, Improve and Control. At the Analyse phase of any process improvement project one can take either a purely process analysis approach or combine this with statistical analysis, depending on the type of problem being addressed. The process improvement approach advocates an examination of steps which “add value” (VA) to the process and those steps which are “non-value add” (NVA); with a view to stripping out any “waste” or NVA steps in the process. In a legal context, this presents a challenge with respect to compliance with the Data Protection Act 1998 (DPA). For example, in litigation, there may be steps within a process which do not progress a case (NVA) but which cannot be eliminated as waste because they serve a DPA compliance function. This leads us to examine such steps in more detail and even initiate process improvement projects with the sole purpose of addressing this data protection challenge.

In recent years, the spotlight on data protection has been intense. Those working in the regulatory and professional discipline and healthcare sectors are haunted by horror stories of lost or stolen papers, misdirected correspondence and unintended disclosure of personal data and sensitive personal data. The fear of causing harm either to the individuals concerned, the employees involved or the organisation’s reputation has on occasion caused a surge in protective measures which have at times encroached on the legitimate aims of the regulatory and disciplinary process: to ensure that a registrant/member has a fair hearing; and that the public is protected from those not fit to practise in their chosen profession.

Conducting a Privacy Impact Assessment (PIA)

In order to redress this balance between these equally legitimate objectives, we turn to the Information Commissioner (ICO) for guidance. The ICO advocates a “privacy by design” approach to this challenge, to be practically adopted through the use of the Privacy Impact Assessment (PIA) tool. The PIA is promoted as a means by which an organisation can build trust with its various stakeholders and the general public, improve its understanding of its customers and increase overall awareness of privacy and data protection issues. The PIA guidance deliberately avoids providing specific advice to organisations in the way of proposed solutions to privacy risks, with the expectation that it will be used as a platform upon which an organisation can develop its own methodology. Using the PIA guidance in tandem with a process improvement methodology can reinforce the rigour of the PIA at the same time as providing more tangible tools which can be used at each stage of the PIA in order to assist with achieving its aims. Crucially, taking a process improvement approach to a PIA can enable an organisation to track and measure the improvements made as well as ensure that such improvements are sustained for the long term and are flexible in a changing legislative landscape.

Before embarking on a PIA or process improvement project concerned with data protection compliance, it is important to remind ourselves of what is meant by privacy. The term “privacy by design” provides us with an anchor to what is central to any project of this sort: that the DPA was enacted in order to protect a fundamental human right: a person’s right to respect for their private and family life (Article 8, ECHR). From a litigation perspective, we are also concerned with Article 8(2) from which we derive some of the deliberately limited DPA exceptions for data processing which are considered “necessary” as part of legal proceedings. For the most part, we do not struggle with our appreciation of the importance of privacy for an individual engaging with a regulatory process.  Where we may fall down however is in this concept of “design”. 

Process analysis and design

As lawyers, we can often get stuck in our ways in terms of business process design. It certainly would not hurt for us to follow the emerging trend in US businesses, business schools (and now some law schools) to place more emphasis on “Design Thinking”, particularly when it has a lot to offer in terms of addressing challenges such as data protection compliance. In simple terms, design is the art or action of conceiving of and producing a plan of something before it is made and it is often said that good design can help people to understand complicated information. There is no question that our challenge here is to assist those working at the coal face of the litigation to understand the complexities of the application of the DPA.

Business process design/re-design can be complex, particularly where there are multiple teams and various stakeholders involved. It is therefore unlikely to be successful if conducted by one person, perhaps the organisation’s data protection officer, sitting in a room with a blank page. This is where our industry can turn to the well-tested and highly developed tools of the manufacturing industry for assistance. Whilst design in manufacturing is not concerned with privacy by design, it does have a responsibility to its consumers for safety by default.

Take the car as an example.  When we get into a car, we do so with a set of expectations: that the car has the industry standard safety features, regardless of make or model. However, we also accept that as drivers, we have a responsibility to avail ourselves of these safety features such as putting on our seatbelt or placing our child in a car seat. There is also of course a requirement that every driver has been trained to drive safely. In addition to this, we have an expectation that road signs will alert us to danger and we will use our training and understanding of these signs to alter our driving and route accordingly.

In litigation, as lawyers, we are the responsible drivers and those at the helm of the organisation are responsible for the design of the car safety features, the roads and the signage. What nobody can control however is the journey which any unique case might take. So, just as car accidents will happen, there will be times when data breaches occur, no matter how many safety features and warning lights are built into a process. However, with good process analysis, process experience, understanding and communication, we can work to reduce and eliminate certain risks through intelligent process design.


Process improvement methodologies provide a plethora of useful tools and techniques which can be used at the various stages of a PIA for effective process design: tools for understanding how a process works, understanding how to improve process flow, quantifying problems or situations, preventing problems or making contingencies, standardising an approach, analysing and presenting data, making decisions or determining priorities. Some tools may be more suited to one stage of a project than another but some have relevance at all stages of a process improvement project, such as process mapping and the Failure Mode and Effects Analysis (FMEA). The FMEA is a Six Sigma tool. It is sometimes viewed as being difficult to apply in a legal context, owing to the fact that, unlike manufacturing processes, many legal processes are human-dependent and so tasks cannot be repeated with the same accuracy in order to generate the necessary data for analysis. However, taken simply, the FMEA has a lot to offer in terms of improving legal processes, even in the absence of hard data for statistical analysis.

The FMEA originated in the automotive industry and is concerned with examining what might go wrong in the process, what the impact of that error might be, how often it is likely to go wrong and how likely we are to be able to detect that an error has been made (preferably before it goes wrong but certainly at the point at which it does go wrong before it has the opportunity to cause harm).

During the Analyse phase of the project, we systematically and thoroughly analyse how the process affects the privacy of the individuals involved and examine the ways in which privacy risks can arise. For example, data which is:

  • inaccurate, insufficient or out of date
  • excessive or irrelevant
  • kept for too long
  • disclosed to an unintended recipient
  • used in ways that are unacceptable to the individual to whom the data refers
  • used in ways that are unexpected by the individual to whom the data refers

When looking at the solutions, we turn to Principle 7 of the DPA, ensuring that we have considered all appropriate technical and organisational measures for information security.  In the regulatory, litigation context this will also mean carefully balancing these measures against the legitimate aims of the process (fair trial and protection of the public). It will also mean conducting a cost-benefit and delay-benefit analysis to build into any assessment of appropriate solutions; the stage at which the “Design Thinking” approach could be extremely useful. 

On-going, continuous improvement

It is through this systematic and rigorous project approach, properly documented and comprehensively risk assessed, that we can strive to achieve safety by default.  Those conducting the work on a daily basis can rest assured that the process has all of the necessary safety features to protect against a breach and those interacting with the process externally can communicate with the organisation safe in the knowledge that necessary data protection infrastructure is in place.

Process improvement methodologies provide us with accessible and well-designed tools and techniques, which, when used with an open mind and some creativity, we can adapt and use to assist us in addressing some of our thorniest challenges. These tools are designed to be dynamic and so, when used together in the context of a continuous improvement initiative, they enable us to adapt to changes in the legislative landscape, for example responding to the General Data Protection Regulation (in whatever guise that might take with Brexit), and to any changes to an organisation’s appetite for risk which might follow.


Thank you to Ken Grady of Seyfarth Shaw LLP for his on-going support and guidance in my discovery of the application of Lean and Six Sigma in the legal sector and in particular, for his insightful comments which helped to shape this article.

I would also like to thank Glenn Gooding of Renault Nissan Consulting for the Lean Six Sigma Black Belt teaching and coaching which has equipped me with skills and tools to drive forward numerous projects both within the firm and externally for clients. Of the above application of the FMEA, Glenn had the following to add:

“The use of a tried and tested risk management tool such as FMEA, adapted for a somewhat new environment – in data protection and the legal world, is a testament to how transferable the tools and skills of the Lean Six Sigma DMAIC approach are. Often associated with making cars or aircraft, FMEA is a comprehensive tool when detailed analysis of situational risk is necessary. Renault-Nissan Consulting are delighted to have been able to provide training and coaching for Rowena Rix and congratulate her on the great progress she has made.”
