Best way forward to GDPR compliance

GDPR

On 25 May 2018 the current Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR). The new regulation sets higher requirements for all organisations that collect and use personal data about individuals in the EU. Many organisations therefore have less than a year to take action to meet the new legal requirements.

The current Data Protection Directive was adopted in 1995. A directive sets a goal that all EU member states must achieve but leaves the implementation to each state, which has led to differences between national laws within the EU. The new law is a regulation: a binding act that applies in its entirety throughout the EU. Processing of personal data will thus follow the same rules regardless of where in the EU it takes place, which improves the conditions and the security for EU citizens who trade and move within the EU.

The General Data Protection Regulation builds on the same foundations as the current Data Protection Directive. Some areas have been strengthened and some new parts have been added. The regulation covers what personal data may be processed, how, and by whom. It also gives the individuals whose data is processed a set of rights, including:

    • The right to be informed
    • The right to access
    • The right to rectification
    • The right to erasure
    • The right to restrict processing
    • The right to data portability
    • The right to object

All organisations that collect and use personal data about individuals in the EU are covered by the new regulation. For every register it must be possible to state the purpose of the processing and which data is used, and there must be processes for removing data that no longer serves a purpose. Some personal data (the so-called special categories) is particularly sensitive and must be treated with extra care.

Additional requirements apply depending on the size of the organisation and the nature of the processing. Organisations with 250 or more employees must, for example, keep written records of their processing activities and of the processes that keep the registers up to date; smaller organisations are exempt from this only if the processing is occasional, low-risk and does not involve sensitive data. Where the processing requires it (public authorities, large-scale regular and systematic monitoring of individuals, or large-scale processing of sensitive data) a Data Protection Officer (DPO) must also be appointed, regardless of headcount. The DPO informs, advises and monitors GDPR compliance within the organisation, while the organisation itself remains accountable for it.

If you have not yet started the process towards GDPR compliance, you have less than a year until the new regulation applies. That can be plenty of time, but it may not be enough depending on the amount of personal data you hold and how well structured your registers are. In my experience the process towards GDPR compliance can be divided into five steps.

    • Create a project organisation
    • Take inventory of the collection and use of personal data
    • Perform a gap analysis and set up an action plan
    • Implement the action plan
    • Inform and educate about the law

The first step is to appoint a group of people who will take responsibility for leading the work towards compliance. This project group becomes the organisation's expert group on GDPR and helps the rest of the organisation succeed. It is important to include people from the company who have good contacts in the different parts of the organisation. External resources can also be valuable, for example legal expertise to interpret the law, or project management to lead the work.

The second step, and the project group's first activity, is an inventory of the collection and use of personal data. This is a time-consuming task that involves large parts of the company. The project group prepares information and templates to be used by the people in the organisation who know the details of each register.

The inventory is an important step, because this is where you find the areas that will not conform to the coming law. It is also difficult, since there are often areas of the organisation that are not normally associated with personal data and are easily left out: system backups, system logs, presentations, the intranet, photos and so on.

The large amount of data collected during the inventory is analysed in the third step. Through a gap analysis the project group identifies the areas where the organisation is not GDPR compliant. Here the legal expertise is invaluable for finding the critical areas.

The analysis results in a list of areas that are not compliant with GDPR. From this list an action plan is drawn up containing the changes that need to be implemented before 25 May 2018. The activities in the plan need to be prioritised by severity, risk and the time they will take.

The fourth step is implementing the action plan. At this point you can see how much work lies ahead: you have the plan with all the tasks to be solved, and solving them is a matter of time and resources. This is often the most time- and resource-consuming step. The changes can be both technical and organisational and will most probably be assigned to many different people in the organisation.

The fifth step can run in parallel with the others and concerns information and education about GDPR. The people taking part in the process need basic information about the regulation, and all employees who come into contact with personal data need basic training in how to handle it.

In my experience it is, in practice, impossible to control all processing of personal data. It is therefore important that all employees have a good knowledge of the subject, so that the organisation can be fully compliant without having full control.

When you have come this far you have adapted your organisation to the new regulation and taken action to avoid the fines you have probably heard about (up to EUR 20 million or 4 % of global annual turnover, whichever is higher). Even though it took a lot of work to get here, this has only been the initial project to become compliant. The detailed processes and routines for how personal data is processed need to be maintained and improved so that the organisation stays compliant for years to come. That will be the subject of a later chapter.

Good luck!

 

Evaluation as a catalyst in the growth of a project

Introduction

Evaluation is a widely used term; we use it all the time at work in connection with solving a task or running a project.

The purpose of evaluation is to accumulate the experience you have gained, so that successes can be repeated and mistakes avoided in future projects. The focal point of an evaluation is to make sure that the people involved can easily benefit from the process. They will recognise its value and find it important to focus on control and learning in the project. The concern about controlling resources and allocating them optimally is, from a learning perspective, about gaining certainty that you are on the right path. And when there are conflicts between the people involved in the project, evaluation helps adjust the process itself.

 

Problem

As a professional IT project manager I have gained experience from large and complex organisations and have seen their limited acceptance of evaluation methods. I have heard statements such as "Evaluations cost time and money; let us choose a supplier we already know" and "So there is no need to spend time running a comprehensive evaluation process". Yet the outcome of some of these projects has a decisive impact on the company's bottom line and its market share compared to its competitors.

Is it necessary to evaluate?

Experience shows that there is definitely a need for evaluation both during and after a project. Without evaluation, things can very easily go wrong economically for the company. At the start of the project it is crucial to define the criteria for the gains and what the gains should be, and to write them into the requirements specification, which is legally binding and determines what the vendor shall deliver for the money. It is also important to involve customers or users in the evaluation process during development. First, the people involved need to know whether their money and support have been used sensibly. Second, their frustrations over the failures of the project during the research and development phase can be used constructively and contribute a lot of learning for future projects.

One solution to the problem is a so-called agile method for running both infrastructure and research and development projects in private and public IT organisations.

 

Solution

Using agile management

The approach is to work in small iterations of two to four weeks and to demonstrate the finished increment after each iteration. This gives everyone involved (customers, supplier and the project team) abundant opportunity to initiate changes as required.

Many positive and negative assessments are made in every project. To be successful and create a positive experience efficiently, you need feedback on the choices being taken. Feedback on the choices made during the project can easily and efficiently be visualised using the starfish method.

The Starfish method used during the Sprint Retrospective

This article only covers the Scrum sprint retrospective, not the entire Scrum method. The retrospective is one of the important project meetings at the end of each sprint. The starfish divides the discussion into five areas to consider at each retrospective:

  • Keep doing: a good starting point, where team members focus on all the things they liked about the project.
  • More of: refines or highlights practices and achievements the team might want to do more of, because they are not yet taken full advantage of.
  • Start doing: an opportunity for team members to suggest new things to try, either because something did not go so well or simply to keep things dynamic and fun.
  • Stop doing: for things that are not helpful to the development practice or are not adding much value.
  • Less of: focuses on practices that need a bit more refining or actions that were simply not helpful in the current circumstances.

 

This method has been used in a public sector customer project.

Experience has shown that involving people creates more room for learning. Getting people to write on a yellow sticky note and post it under the relevant area of the starfish is also a great visual way to evaluate the health of the project. It forces people to think creatively and act on it, instead of saying things that have not been thought through, because saying something out loud is much easier than writing it down on a note.

I have used the method in several development and infrastructure projects in both the public and private sectors, and have achieved better results in project evaluations by using it in the sprint retrospective. The results of the evaluations have also continually strengthened change processes, as insights and results were shared with the customer, supplier, project team and other stakeholders, who adapted their activities accordingly.

The method is universal and can be used in all aspects of a project. It is highly recommended after reaching a milestone, in consultation with all stakeholders and participants. It tells the participants what works and what does not, giving them better insight into and understanding of the results they have achieved, and makes it possible to introduce new ideas through constructive feedback.

I would definitely recommend using the method in the Scrum retrospective when you need a quick and sensible evaluation here and now.