Best way forward to GDPR compliance


On 25 May 2018 the current Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR). The new regulation sets higher requirements for all organisations that collect and use data from European citizens. This requires many organisations to take action, in less than a year, to meet the new legal requirements.

The current Data Protection Directive was adopted in 1995. A directive sets a target which all EU countries must achieve. This has led to differences in national laws within the EU. The new law is a regulation, which is a binding act that must be followed in its entirety throughout the EU. This will make the processing of personal data uniform regardless of where in the EU the processing takes place. The common law will improve the conditions and security for EU citizens to continue to trade and be mobile within the EU.

The General Data Protection Regulation has the same basics as the current Data Protection Directive. Some areas have been strengthened and some new parts have been added. The regulation covers what personal data shall be processed, how, and who may process the data. This is expressed in seven principles:

    • The right to be informed
    • The right to access
    • The right to rectification
    • The right to erasure
    • The right to restrict processing
    • The right to data portability
    • The right to object

All organisations that collect and use personal data from EU citizens are covered by the new regulation. For every register it shall be possible to state the purpose of registration and which data are used. There shall also be processes to remove data without a purpose. Some personal data are extra sensitive and shall be treated with extra care.

Additional requirements apply to organisations with more than 250 employees. The regulation requires, e.g., more documentation of the existing registers and of the processes to keep the registers updated. In these organisations a Data Protection Officer (DPO) shall also be appointed. The DPO will be responsible for GDPR compliance within the organisation.

If you haven’t started the process towards GDPR compliance, you have less than a year until the new regulation applies. That can be plenty of time, but it may not be enough, depending on the amount of personal data and how structured your registers are. From my experience the process towards GDPR compliance can be divided into five steps.

    • Create a project organisation
    • Inventory of the use and collection of personal data
    • Perform a GAP-analysis and set up an action plan
    • Implementation of the action plan
    • Information and education about the law

The first step is to appoint a group of resources that will take responsibility for leading the work towards compliance. This project group will be the organisation's expert group on GDPR and help the organisation to succeed. It is important to have resources from the company with good contacts in the different parts of the organisation. It can also be valuable to use external resources, e.g. legal expertise to interpret the laws, or project management to lead the work.

The second step, and the first activity for the project group, is an inventory of the use and collection of personal data. This is a time-consuming task that involves large parts of the company. The project group will prepare information and templates to be used by the resources in the organisation who have the detailed information about the registers.

The inventory is an important step in finding which areas do not conform with the coming laws. It is also difficult, since there are often areas in the organisation that are not associated with personal data and are easily left out. These could be areas like system backups, system logs, presentations, the intranet, photos etc.

The large amount of data collected during the inventory will be analysed in step three of the process. By performing a GAP analysis, the project group will find the areas in which the organisation is not GDPR-compliant. In this activity the legal expertise will be invaluable for finding the critical areas.

The analysis will result in a list of areas which are not compliant with GDPR. These areas will generate an action plan containing the changes that need to be implemented before 25 May 2018. The activities in the list need to be prioritised based on severity, risk and time consumption.

At this point in the process you can see how much work you have ahead of you. You have the action plan with all the tasks that need to be solved, and it will be a matter of time and resources to solve them. This can be the most time- and resource-consuming step. The changes can relate to both systems and the organisation and can, most probably, be assigned to many different resources in the organisation.

This step can run in parallel with the rest of the process and is about information and education on GDPR. It is important that the participants in parts of the process get basic information about GDPR. It is also important that all employees who will be in contact with personal data get basic information on how to process personal data.

In my experience it is, in practice, impossible to control all processing of personal data, and it is therefore important that all employees have good knowledge of the subject in order to get full GDPR compliance without full control.

When you have come this far you have adapted your organisation to the new regulation and taken action to avoid the scary fines you have probably heard of. Even though it took a massive amount of work to get here, this has only been the initial project to become compliant. The detailed processes and routines for how personal data are processed need to be maintained and improved so that the organisation stays compliant for many years. Details about that will be a new chapter.

Good luck!


Evaluation as a catalyst in the growth of a project

Introduction

Evaluation is a widely used expression, which we use all the time in working situations in connection with solving a task or project.

The purpose of evaluation is to accumulate the experience you have gained, so that successes can be repeated and mistakes avoided in future projects. The focal point of the evaluation is to ensure that the people involved can easily benefit from the evaluation process. They will recognize and make it particularly important to focus on and ensure control and learning in the project. The concern regarding control of resources and their optimum allocation in a project, in the context of learning, is that it is essential to gain complete certainty that you are on the right path. In case of conflicts between the people involved in the project, evaluation helps to adjust the process itself.



As a professional IT project manager, I have gained experience from large and complex organizations and have seen their limited acceptance of the use of evaluation methods. Here I have seen statements such as “The evaluations cost time, money and let us choose a supplier we already know”. “Therefore there is no need to spend time to run a comprehensive evaluation process”. Here it turns out that some outcomes from projects have a decisive impact on the company’s bottom line and their market share compared to their competitors.

Is it necessary to evaluate?

Experience shows that there is definitely a need for evaluation during and after project completion. Without evaluation, things can very easily go wrong economically for the company. At the beginning of the project it is crucial to evaluate the criteria of gain: what the gain should be must be defined in the requirements specification. It is legally binding and determines what the vendor shall provide for the money. It is important to involve customers or users in the evaluation process during project development. First of all, it is important for the people involved to know whether their money and support have been used sensibly or not. Secondly, their frustrations over the failures of the project during the research/development phase can be used constructively and can contribute a lot of learning for future projects.

One solution to the problem can be a so-called agile method for developing both infrastructure and research/development projects in private and public IT companies.



Using agile management

The approach is to work in small iterations of 2-4 weeks' duration, and after each iteration the finished product is shown. This gives abundant opportunities for the people involved (customers, supplier and the project team) to initiate changes as required.

A lot of positive and negative assessments will be made in all projects. To be successful, and to create a positive experience in an efficient way, you need feedback on the choices being made. Feedback about the choices made during the project can easily and efficiently be visualized by using the starfish method.

The Starfish method used during the Sprint Retrospective

The article is based only on the SCRUM Sprint Retrospective, and not the entire SCRUM method. The Retrospective is one of the important project meetings at the end of each sprint. Here are some of the most important issues to consider and discuss during each sprint.

  • Keep doing: Is a good starting point for team members to focus on typically all the good things that they liked about the project.
  • More of: Is another type of focus that helps further refine or highlight practices or achievements, for instance, that the team members might want to try more of and that are not necessarily taken full advantage of.
  • Start doing: Is a great opportunity for team members to suggest new things to try because of things that may not have gone so well or just for simply keeping things dynamic and fun.
  • Stop doing: Obviously for things that are not very helpful to development practices or not adding much value.
  • Less of: Helps to focus on practices that might need a bit more refining or actions that were simply not helpful in the current circumstance.


This method has been used in connection with a public sector customer project.

Experience has shown that there is more room for learning by involving people. Getting people to write on a “yellow note” and then post it under the group area in the starfish method is also a great visual way to evaluate the health of the project. It forces human capital to think creatively and act upon it, instead of saying things that are not thoroughly worked out. The reason is that saying something verbally is much easier than writing something down on a yellow note.

In several projects, I have used the methodology for both development and infrastructure projects from the public and private sectors. Here I have achieved more excellent results in project evaluations by using the method in Sprint Retrospective. In addition, the results of evaluations have continually contributed to strengthening change processes by sharing insights and results with the customer, supplier, project team and other stakeholders who adapted their activities.

The method is universal and can be used in all aspects of a project. It is highly recommended to use the method after a milestone in the project has been achieved, in consultation with all stakeholders/participants. It informs the participants about what works and what does not. In this way they will get a better insight into and understanding of the results they have achieved. This will make it possible to introduce new ideas by providing constructive feedback.

I would definitely recommend using the method in Scrum Retrospective when you need a quick and sensible evaluation here and now.


Management estimate times pi gets it right


Estimation is one of the essential parameters that determine whether a project is a success or a failure. This is because an error in estimation is expressed as an underestimation or overestimation and is therefore a major problem for the company. Underestimation can be financially costly, and overestimation in tender processes may result in the company not getting the tender.

Estimation methods are applied loosely in most IT companies. The largest and most important reason is that estimation is not always performed by professionals. The estimation is performed by all business functions, from senior management to chief consultants and developers, despite the fact that a reliable result often requires preparation and a composition of various specialists and their skills.


As a project manager I have worked with many complex IT projects. I have experienced on several occasions that the management has been a little too “trigger-happy” when applying estimation.

The management issue
Most managers often lack the necessary skills, expertise and experience to make qualified estimates. This is where the fundamental problem arises. The vast majority of managers often underestimate, as they perceive estimation as a negotiating process where time is the greatest sacrifice. For them it is about informing the customer about the price of the product, which in any case shall not exceed the asking price. If it does, the customer will most likely select a different supplier. Some customers demand an early estimate. That is perfectly acceptable, and there should be room for this, as long as there is a broad consensus with the client about the fundamentals of the initial rough estimates.

Experience shows that developers involved in the work are rarely taken seriously. The developers will be blamed when the deadline is exceeded due to erroneous estimates, because management sets expectations for a quick “guesstimate” and is not willing to pay the cost of carrying out a real estimation. Furthermore, there are challenges with task descriptions that may seem ambiguous, which obviously sends estimates in all directions. This is typically caused by “scope creep” and imprecisely worded requirements, which must be improved and are also part of the problem.
Thus, I believe that it is a problem in management, as they often tackle the estimation process very simplistically.


How to obtain a more accurate estimation
All these uncertainties and other much more difficult issues can easily be estimated more accurately, but it requires some compromise between management and specialists.

  • Management must fundamentally recognize professionals and their skills. This makes it possible for professionals to feel an obligation to carry out their work in good faith, accommodating and meeting the expectations of the management. Management must be inquisitive, show interest and engage in dialogue to find out where the complexity lies in the task. The cause may be that they misunderstand each other regarding the scope, or that the requirement specifications are not clear.
  • Cooperation increases dividends. Get several different developers with relevant knowledge to provide input and thus achieve a more accurate estimation. We have learned about the use of Scrum poker in the agile world.
  • It is important in the project to identify preconditions by dividing the project into independent activities with the help of the Work Breakdown Structure (dividing the project into phases, deliverables and work packages). It is very important for the project and makes it easier for developers to meet the estimation.
  • Diversity in the estimation process is important in order to have different inputs on various project activities. The project managers, Scrum master or facilitators are also responsible for variation in inputs to the estimation, since different specialists look at the assignment differently.
  • In the initial phase, it is essential to devote time to the project and steering committee meetings, as well as time for design, test and access to the right tools for testers. Additionally, it is a good idea to set aside time for risks and unforeseen events.


It is just a matter of finding the correct methods. I have been involved in projects and have developed a checklist in order to make estimation easy. Here I have learned that the checklist can contribute significant improvements to the estimation process, and it shows that management should consider the following questions in the checklist before the release of the estimation to the customer. The customer always learns and remembers the first estimate, and it is often difficult to change the estimates along the way.

This checklist serves as a friendly reminder of whether the following benchmarks have been considered in your estimate, and also works as support for the estimation process in a given project.

The checklist is universal and can go hand in hand with all estimation methods such as the Expert Method and Planning Poker, also called Scrum Poker. But I would definitely recommend using the checklist in the start-up phase of customer offers or projects. This must be done in consultation with project stakeholders as well as customers, suppliers, etc. They will gain better insight into and understanding of the initial rough estimates. That is not to say that you should make estimations during a meeting with customers or external parties before consulting others in the organization.

/ Zubir Shah, Professional project manager

The age of innovations

Innovations have become a very important part of business success. New technology trends give us new opportunities, people's demands are increasing and we need smarter ways of working. Every organisation has its own ingredients for creating customer value through its products/services. This means that innovations need to be original and fit for purpose to drive business growth and to become a strong player in a competitive market.

But how do you know that your “innovations” are really innovative?


That is not an easy question to answer, because it depends on many different things. Nowadays the word “innovation” is used for quite different things, and different people tend to attach different meanings to it. When penetrating this diverse conception, you will gain a deeper understanding of what innovations really are and what they can help you and your organisation with.

First of all, the foundation of an innovation is that it always starts with some kind of new original idea for improvement and ends up with a realisation of that new idea. The realisation must add some kind of value, or else it is not an innovation.

In order to understand this relation, we will discuss “new idea”, “realisation” and “added value” separately.

New Idea

Anyone in the organisation can come up with good new ideas. It does not mean that every idea is good, but any role in an organisation has a specific insight and perspective that can evoke good ideas by finding new ways. The same goes for customers, partners and suppliers, who can contribute based on their perspectives and knowledge.

The new idea can either be:

  1. a new concept realised by a new solution
  2. a new concept realised by an already possessed solution, currently used for another purpose
  3. a new and better solution to realise a current concept

By the word concept above we mean our business conception of “what we need to achieve”. To realise that need we choose solutions that form the enterprise. Consider the following list of different types of enterprise solutions:

  • Ways of working
  • Roles and responsibility
  • Co-workers
  • Our language for communicating internally and externally
  • Products
  • Services
  • Office locations and supplies
  • Software
  • Infrastructure
  • Technical machines

…the list can be made quite long…

Does this mean that innovations can be invented anywhere by anyone?

Yes, they can! But that does not mean that every new idea should be realised. Only the ones that add value worth investing in should be put into real action.


Who in your organisation is responsible for the ordinary development or improvement of the different enterprise solutions mentioned above?

Probably it is different business units for different things. Some are changed ad hoc and some in a more mature way. So the conclusion is that all these business units need to have the ability to handle new ideas and sort out the innovations that add value worth investing in. These business units should be allowed (with pronounced responsibility) to put innovations into real action, but with involved architectural guidance it can be done efficiently.

Added Value

How do we sort out good new ideas from not-that-good new ideas?

The easy answer is “good ideas = adds value”.

But a more nuanced answer is that innovation is about revolutionary change. In the very end, innovations should be seen as a vehicle or catalyst for growth. Our different enterprise solutions are there for different specific purposes, and a good new idea can help us fulfil that purpose. As stated before, a new idea could even introduce new purposes for achieving the business vision.

Some general purposes where innovations might come in handy:

  • Reaching business goals
  • Improving business operation
  • Improving products or services to increase customer value and strengthen the brand in a competitive market
  • Forming a well performing organisation and motivated co-workers

[Figure: Innovation model]

Innovation principles

To not get stuck in the jungle of innovations invented both internally and externally it is a good practice to let your decisions be guided by the following principles. They will help you stay on track.

  • To reach your goals, your innovations need to do that as well.
  • Innovations can be invented anywhere by anyone, don’t miss the opportunity.
  • Release originality, not anarchy
  • Let the mission and purpose guide you.
  • Prioritize both innovations and regular development initiatives all together.
  • Handle new ideas based on their ROI.
  • With architectural guidance your innovations should be more efficient.
  • Handle innovative concepts or solutions based on how they fit into or improve the business model.