GDPR, are you racing against time?

I recently spent twelve months working with Stockport Council helping, initially, their IT and Digital teams transform their ways of working, how they deliver products, support and value to their local authority colleagues and the citizens of the borough. After around four months I rapidly found that I began working more and more with the rest of the organisation, which being a Service Organisation shared many of the same issues, problems and impediments; the Volatility, Uncertainty, Complexity and Ambiguity which the fast-paced modern world inflicts on each and every one of us.

Fortunately for SMBC, in the GDPR domain, they had managed to secure an ace card in a particularly learned and aware subject matter expert, Naveed Malik, who, having spent five years with the Information Commissioner’s Office (ICO) and a year with another local council, had built up a nuanced understanding of data protection law and practice, specialising in developing a privacy culture in the resource-stretched environment of public authorities.Therefore, expertise was, and is, not a problem for them.

When Naveed and I first put our heads together, along with PM Jovian Smalley (who has since joined the ICO), the problem was the more universally felt issue in high demand, economically constrained, complex service environments:

  • GDPR, it’s new, it affects the whole organisation and demands everyone accommodates new behaviours (and like many places, prior to this change in legislation, there was no existing privacy culture to speak of).
  • There is a lot of work to be done in raising awareness, defining and implementing new practices and it needs to be done by everyone, not serviced by a small back office team.
  • How do we make sure all the right people are involved, at the right time and the right things are being done in the right order to make this massive endeavour successful?

Our answer, of course (this is me after all), Kanban.

Here’s what we did;

1)     We started to visualise, on a quickly assembled Kanban board, all the work demands Naveed’s bijou IG team were charged with delivering and we separated out the work which was bound by short time-scale turnaround SLAs.

This helped us understand what people capability & capacity was tied up in that demand so that we could ring fence it and make sure we did not land ourselves in hot water by diverting their attention, from the important work they must continue to carry out, to GDPR preparation. We could then see what capability and capacity was available to point at the emergent priority represented by GDPR.

2)     We got together in a room with a project brief and scope prepared by Naveed and based on ICO’s GDPR 12 steps guidance, and we started to break down all the “big ticket” items of work in to smaller, more task oriented descriptions. We wrote these on cards and compiled our Kanban backlog. This exercise helped everyone understand what needed to be done, on a more granular level, which in and of itself helped a few influential people come to terms with the enormity of the enterprise. We repeated this activity a number of times, breaking down and breaking down as we went, unearthing and rethinking what activity actually had to happen in order to achieve the desired outcome. Once we could describe it like this it felt easier to achieve, and everyone felt in more control. We could see the wood for the trees.

3)     We commandeered a wall and built a big “board”. We boiled down the twelve steps in to themes that we channelled across the board so that we could understand which tasks would progress each theme. This also helped us better coordinate the grouping and sequencing of activity.We represented everyone at work or available to work on progressing the tasks on the board with “avatars” and we showed where work items or tasks were blocked or suffering some sort of impediment with small pink post-its.(The usual Kanban blockage signifier)

4)     We stuck up posters around the board describing the purpose of the board, and the work being done through it. Instructions or “policies” on how the cards describing the work should be templated. How blockers and impediments should be described and how we should come together around the board to interact and collaborate.

5)     We established a set of “ceremonies” including Stand-ups, where the core team comes around the board everyday to discuss progress, Backlog refinement and planning, where certain stakeholders gather round to discuss sequencing and prioritisation. These are frequent and regular. By exception, when things were proving problematic, the board would act as a great place to gather round to discuss issues with things like stakeholder engagement, or lack of focus, or when agreed sequencing was not being adhered to. We would gather people around the board because it was easier to see the impact of actions and how it was adversely or positively affecting the progress of the work.

These simple steps helped everyone involved come together to simply and transparently understand what was happening at any given time, how that may or may not differ from what needed to happen, give us the opportunity to discuss why it was happening in this way and allow opportunities to deliver supported decisions to keep things on track and then to witness the impact of those decisions in the greater context. It allows governance and intervention to be applied, as heavily or as lightly by necessity as the situation dictates. We can be more agile and respond quickly to issues as they emerge and act or react in innovative ways with the means of studying and understanding if the action or reaction has been beneficial or not then observe, orient, decide and act again from the constant feedback loops we are encouraging.

When you have a complex piece of work with a tight deadline, such as GDPR, it is not just about knowing the technicalities of what needs to be implemented. Success can hinge on how effectively and efficiently you can deliver those things. The more people involved, the more complex this becomes and many (often unseen) systemic and cultural factors can hinder delivery flow, putting success at risk. Visualisation, limiting the amount of work active at any one time (WIP), thereby creating a better environment to practice considered prioritisation and sequencing, will encourage teams of any size to be more collaborative, cooperative and decisive.

Naveed, has witnessed a number of things since we first put our heads together;

  • The board encourages people to have the difficult conversations before they become “impossible”, this helps people tackle the complex issues sooner rather brush them under the carpet in a fit of cognitive dissonance,
  • It encourages servant leadership, “hierarchically subordinate” people are able to illustrate systemic issues in a way that compels “hierarchically influential” people to get involved and own the resolution of the system issue.
  • People doing the work have the means of saying “no” or “not right now” to the constant demands for their attention because we have explicit policies for limiting WIP this creates safety and support for everyone, which not only increases productivity and the amount of work being finished (as opposed to being started and not finished) but most importantly this helps boost staff morale. Increasing productivity and morale can set in place a virtuous cycle of positivity, a double whammy.
  • This doesn’t mean everything is now sunshine and lollipops. Conflict may still exist, but the visualisation can help de-personalise many issues and help people to reason things out. Improvement is based on disagreement, someone needs to disagree that the current state is ok in order to suggest a better one. One of the SMBC team described this as us “having become mature enough for conflict” meaning that because we do it regularly before things get out of hand, the personal stakes are lowered, we have become more used to compromise, which means out of disagreement comes stronger agreement based on respectful scrutiny.
  • Working visually, openly, transparently, “showing our working out” and debating it’s validity, respectfully in groups that include all levels of hierarchy inspires trust, helps to reinforce purpose, encourages mastery and allows for autonomy and confidence in individuals and teams


The massive endeavour quickly became something very achievable. It is no surprise then that Naveed implemented the Kanban methodology for all of his team’s business-as-usual activity to profound effect.

If you are reading this article then you may also have access to the type of expertise present in Naveed and your challenge may be similar to that experienced at Stockport; you know what to do, getting it done is the challenge then hopefully this article has offered you an option to consider.

If, however, you are in the unfortunate situation of not being as far forward and you are here searching for more GDPR knowledge, here are a couple of introductions to GDPR from some very esteemed and knowledgeable folk in my network, take a look:

Here is the Information Commisioner’s Office guidance.

HiveMind has several GDPR experts on hand to advise and guide you

HiveMinder Alan Simmonds of gdpr360 has shared this quick reference graphic.






HiveMind colleague Sue Duris pointed me at this by Sam Saltis

Stuart Rance, Sysaid – How to explain GDPR to a 5 year old

And there are, of course, many more.

If you would like to discuss how Kanban can help your GDPR programme or the delivery of any other pressing, complex service, project or programme, drop me a line.