Beyond Law: Ethical Culture and GDPR

What it was

A CIPR Business Ethics Briefing, completed as part of my CIPR continuous professional development.

What I learned

GDPR can be seen as a gift – an opportunity for fresh thinking and a challenge to make sure we are being fair and open in our dealings with customers.

At heart, GDPR seeks to give control to individuals over how organisations use their personal data (and to harmonise such privacy laws across the EU).

Getting GDPR wrong could mean significant fines, negative publicity, loss of trust, reputation and brand damage, legal actions and regulatory enforcement.

Rather than embracing GDPR out of fear of the negative consequences, organisations can look to how it supports ethical business practice.

The need to separate Ethics from Compliance – “Ethics starts where the law ends”.  Compliance is arguably too narrow a prism through which to see GDPR.

The  briefing proposes practical steps for ensuring that organisations use data ethically – and so comply with GDPR along the way.

What I will aim to do differently as a result

Consider the wider ethical considerations of GDPR in our implementation plans

Communicate the importance of the ethical usage of personal data, and importance of leaders setting the tone

Consider how our organisation could go beyond compliance and address cultural issues on data handling

Certified Agile Leadership

What it was:

A two-day interactive course on the leadership aspects of agile, run by the Agile Centre in London on 6 and 7 December 2018.

This course forms the Scrum alliance certified agile leadership (CAL) credential 1

What I learned:


“Conversational turn-taking” and “Ostentatious listening” – These create psychological safety

The key principles behind agile:

* Law of the small team: Small teams working on small tasks in short iterative work cycles delivering value to customers
* Law of the customer: an obsession with continuously adding more value for customers
* Law of the network: coordinating work in an interactive network

Self managing, organising teams are productive and efficient


Agile overview:

Our reasons for doing agile:
* Be more customer centric
* Respond quickly to change
* Reduce risk in complex projects
* Adaptability

Economic trends and market factors for Agile:
* Complexity
* Speed to market
* Demanding customers
* Staff empowerment
* Globalisation of markets

Complexity and uncertainty:
* Uncertainty around what
* Uncertainty around how

Low Uncertainty around what, low Uncertainty around how: E.g building a bridge
This is simple

Low or medium uncertainty around how or what
This is complicated

High Uncertainty around what, high uncertainty around how
This is chaos

The rest… This is complex. This is where agile thrives. You need fast feedback to make it work!

Agile is a response to the VUCA world. It is about incremental adaptive delivery, and course correction. Agile assumes you do not have perfect information up front

Management trends fitting to the business environment of the time:
* Assembly line working; a simple approach used in the 1900s
* Waterfall; useful in a complicated world of infrastructure projects , mid twentieth century
* Agile and Scrum; demanded by the VUCA world of early 21st century

There is a need to improve my organisation agility because:
* We face a VUCA world
* Our Customers do not fully understand what they want and need

Agile transformation:

The main areas are:
* Processes and practices
* Structure and policies
* Culture and leadership
Organisations tend to focus on processes and practices as these are easiest to change quickly
But you need to do all of them!
Most agile training and coaching also tends to focus on agile processes and practices – the idea that if everyone could write good user stories then everything would be OK!
Agile leadership focuses on the structures, policies, culture and leadership

Challenges an organisation might face in adopting agile:
* Lack of enablers
* Organisational silos

Main impediments in my organisation:
* Lack of resource and skills
* Enabling processes are not agile

Do we require mainly changes to processes, structures or culture?
The answer is structures and culture – processes we can do as we go!

What role will leadership play in the change?
* Set context, and then culture
* Make the case
* Deliver the changes

The Agile leader

Management is an old practice and was designed in the 1890s for a different world. We face new challenges:
* Exponential change
* Greater speed and competition
* Knowledge advantage is hard to sustain
Management was created to solve a problem, to get people to do what you wanted, and not think too hard. The world has changed, now we need to exploit thinking, creativity and knowledge.
Organisational agility is one on the biggest correlates of business performance
Leadership agility is a key component of organisational agility

A model for leadership agility:
* Expert leaders
* Achiever leaders
* Catalyst leaders

The catalyst leader works to create the right culture, though actions and behaviour, to encourage and empower senior team leaders. They articulate an inspiring vision and empower and develop others to make it a reality.

Exercise: I am spending too much time doing, not enough leading, and hardly any coaching. I should be doing more coaching, and some leading, and much less doing! This resonated strongly with me. I am operating as an achiever leader, but it’s critically important for me to be a catalyst leader!

For agile to take root, we need catalyst leaders across the organisation.

“Post-heroic leadership”: leaders who develop beyond the achiever level to create highly participative teams and organisations characterised by shared commitment and responsibility

Agile culture

Culture can make an enormous difference to productivity
Organisational culture is the most frequently identified blocker to agile
“If you do not manage culture, it manages you”
Creating the right culture is the most important thing you do as a leader

Competing values in organisations
* Collaborate
* Control
* Create
* Compete

For ‘control’ (hierarchical) organisations like ours, compatibility with agile is inherently low. Processes and procedures often outweigh people and products. Governance can become burdensome and hierarchies are often a barrier to change. The best Agile framework to lead with in a control organisation is Kanban or SAFe.

There is a simple framework to help organisations understand how they need to change they culture to become more agile friendly

We must work hard collectively to create an enabling culture. Without that, Agile values, principles and practices will never survive.


Increasing engagement

Organisations with engaged employees achieve 250% higher net revenues than their competitors with disengaged employees

Increase engagement through:
* Autonomy, ability to be self directed
* Mastery, ability to get better and learn new skills
* Purpose, bring about positive change

Need a growth mindset to lead in an agile context

From the David Marquette talk:
* Leadership is about embedding the potential for greatness
* If you want people to think, give intent not instructions
* Get your people to think what you are thinking, ask them what do you think I am thinking?
* Move the authority where the information is.
* Don’t take control and attract followers
* Give control and create leaders

Reflection: I prefer thinking and doing on leading and coaching my team and managing stakeholders than I do about the actual mechanics of my day job. I should sacrifice the day job for leadership, not the other way round!

Agile structures

To realise the efficiency of agile the organisation structure must be such that it can. Creating small agile teams in organisations not designed for agility will not likely give these efficiencies.

Lessons from the case studies:
* Communicating across teams and giving everyone a whole system view, so that everybody had some understanding of the whole
* Accepting that communication is necessary even if it comes with a local efficiency cost
* The complex interaction of parts

The common themes:
* Moving from efficiency to adaptiveness
* Removing silos and hand offs
* Invest in shared understanding
* Creating radical transparency
* Remove barriers to communication
* Decentralising decision making

Three waves: one single teams, scrum. Two, Scaled agile, three is the agile business

Organisation design

Scrum team is cross functional and has all of the necessary skills
Analyse, build, test, release quickly in an agile increment
Get teams to spend time with each other, encourage those relationships
Organising by feature not by function
Attributes that contribute to competitive advantage, in order
* Passion (contributes most)
* Creativity
* Initiative
* Intellect
* Diligence
* Obedience (contributes zero)

Management practices tend to maximise the bottom two, and ignore the top three. This is the wrong way round!
Collocation is key. Once people are more than ten metres apart, the chance of them collaborating drops off significantly

Great teams are
* Collocated
* Self organising
* Psychologically safe

Agile Governance

Governance is doing the right things, and doing things right

The (absurd) underlying assumptions of traditional project governance
* It is possible to know up front the best things to build to delight our customer
* Our is possible to know up front how much it will cost and how long
* Centralised bureaucracies are best placed to pick winning ideas
* Things will change little as we progress
* It is sensible to place big bets on minimal information

Better to have an experimentation pot, fund all business cases at small scale and then cancel the ones that are not successful, than choose a few big bets and give them all the funding up front.

Have an empowered product manager, with ‘control tribes’ alongside e.g. compliance, finance, legal.
This actually gives the control tribes more control, as they keep a tight rein in the money and can relate this closely to success, rather than signing over all the money at the start
The sprint review becomes the governance meeting

Leading the change

Nine steps, in order:
1. Align on the vision – why are we doing this?
2. Educate leadership
3. Align on current culture
4. Align on desired culture
5. Align on desired structure
6. Align on the starting framework – e.g. scrum
7. Establish the agility team
8. Educate all the teams
9. Experiment, measure, evolve – run small experiments and measure impact

Start with why. Need a sense of urgency among senior leaders
Get leaders to understand. Make them choose red or blue pill – are they really up for this?
The agility team, also known as the executive action team, establish the backlog of changes needed and deliver them in an agile way. Organisational change is the product.
They are a cross-functional team of empowered leaders

Complex change requires all five of the following in place
* Vision
* Skills
* Incentives
* Resources
* Action plan

Learning from the Q and A session:

Working in a truly agile business can be very empowering and refreshing… But then you get all the approvals very quickly then you have to deliver, so be careful what you ask for!

What I will aim to do differently as a result

This course contained much of immediate value to my work, and much that I could follow up on. I need to reflect on the courses content in slower time to determine how this could change my strategy in digital transformation

As a team leader, I need to:
* Create context for my team leaders
* Reforge the senior team
* Invest time in team leadership
* Be outward facing, talk to our customers

I need to move from expert leader, through achiever leader, to catalyst leader. I will significantly re-prioritise my week and my time in order to make sure I am coaching and catalysing, not doing.

I will Coach my team to use the framework to do some analysis on what our organisation needs to do to create an agile enabling culture

I will recognise that I can improve, my performance is not fixed

I will reflect to senior staff that agile is a leadership style and leadership capability, as much as it is a technical / project management approach

I will examine how the recipe for agile transformation can be applied to defence, can agile transformation be reflected in our wider strategy?

Health and well-being: Confident leaders

What it was

Half-day session on health and well-being for senior leaders, delivered by Bailey & French at the BEIS conference centre, London on 21 November 2018.

What I learned

Mental health accounts for 25% of MOD civilian sickness absence
Reflecting on three positive things from your work day at the end of the day for two weeks has been shown to have a positive effect on wellbeing months later
A simple model for wellbeing is PERMA (prof Martin Seligman,

  • Positive emotions
  • Engagement
  • Relationships
  • Meaning
  • Accomplishment

Each of these is measurable and teachable.
Lots of work done has been done to address mental illness, but less effort on mental wellbeing, which can be thought of as getting people from the middle of the scale to the top, rather than from the bottom to the middle.

As a group we reflected on times when we had felt well-being along the lines of the PERMA headings, what had enabled this, and how we could help create this for our own teams.

I reflected on how a programme re-prioritisation exercise with one of my teams had left both them and me feeling empowered, better able to perform, more motivated, and less stressed about the amount work.

What I will aim to do differently as a result

I’ll aim to do something from each part of the PERMA model.

  • Positive emotions: Reflect on three positive things from your work day
  • Engagement: Set aside time for a flow activity and with the team
  • Relationships: Set up more coffee meetings with senior colleagues
  • Meaning: Set context, show the outcome even if intangible, phrase achievement as outcomes. Create meaning for the team.
  • Accomplishment: Have a good system for non financial reward and recognition with the team, find out ways to set this up.

Inclusive Leadership

What it was

A half day’s training in London on 20 November 2018, attended as part of the Future Leaders Scheme.

What I learned

  • There are broadly three components of inclusive leadership:
  • Culture
  • Relationships
  • Decision making style

Inclusive culture

  • Imagine a time you felt alone in a crowd. How did you feel/think? How did thismake you behave? How might others have interpreted this?
  • Psychological safety: a shared belief that the team is a safe environment to put oneself at risk
  • Psychologist standing: a sense of entitlement to speak up and act
  • Servant behaviour: collective goals and team working for one another
  • Components of trust: cognitive (are they technically capable), affective (do Iget on with them), transactional (do what they say they will do)

Culture tips:

  • Actively encourage everyone to contribute
  • Listen to different views and challenge
  • Value others expertise and experience
  • Create a sense on entitlement to speak up

Inclusive Relationships

  • Building team cohesion:
    • Creating a shared team identity
    • Avoiding fault lines
    • Avoiding favourites
  • Investing time:
    • Get to know people as individuals
    • Increase contact with people from different backgrounds
    • Mentoring people from under represented groups
  • Networks:
    • Diversity of your network
    • Developing their networks

Relationship tips:

  • Conduct a network analysis – how inclusive are you?
  • Work as a team, not sub groups
  • Challenge yourself, don’t go to the usual suspects
  • Invest time
  • Mentor someone different

Inclusive decision-making

  • Openness versus perception of risk
  • Flexibility
  • Avoid gut instinct
  • Awareness of bias
  • Bias thrives under these decision making conditions: Pressure, high cognitive load, need to reach closure, overall impressions, tiredness
  • Micro-messaging: brief verbal and non verbal interactions that make people feel under valued, undermined and excluded
  • Negative micro- behaviours: interrupting, assumptions / benevolent attitudes, limited eye contact, ignoring contributions
  • Micro- affirmations: Non verbal: eyes, body language, acknowledgment, time and attention; Verbal: involving, encouraging; Recalling: remembering (contribution)

Decision making tips:

  • Understand your biases
  • Stand back and look at how decisions are being taken
  • Set the right conditions
  • Be aware of micro behaviours
  • Listen to diverse points of view

We completed a quick inclusive leadership assessment. Actions to address these weakest areas are captured below.

  • My strongest areas were:
    • Psychological safety
    • Openness
    • Flexibility
  • My weakest areas were:
    • Investing time
    • Diverse networks
    • Psychological standing

What I will aim to do differently as a result:

  • Actions to create a more inclusive culture:
    • Allow time for people to speak up, and not just at the end
    • Ask people to say what they want out of the meeting, then cover that
    • Make more time with team leaders to discuss things, not just updates
  • Actions to create more inclusive relationships:
    • Spend more time with my teams at other sites, don’t just go for a meeting and leave
    • Involve a wider set of people in planning and senior team meetings
    • Become a mentor e.g. to a staff member from a minority group
    • Make appointments with colleagues outside my area and increase network contact
  • Actions to create more inclusive decisions:
    • Have one to ones with team members other than team leads. Some people may not feel able to speak up in a group
    • Try the Harvard bias ( implicit association) test

MOD Data Protection Conference

What it was

A day of talks on Data Protection, with speakers from across Government, hosted by my Information Rights Team at the MOD in London on 16 November 2018.

What I learned

  • Enormous amount of work across organisations in past six months to get compliant with the new data protection legal framework
  • The sky did not fall in on 25 May! It was never a cliff edge in compliance, and organisations that were broadly compliant with the old legislation would have found compliance with the new legislation do-able.
  • 94% increase in complaints received by the ICO this year versus last year
  • The Data Protection Officer role is key. They are expected to be hands on in giving internal advice.
  • It is more important to have a DPO in place than to worry about internal conflicts of interest
  • New technologies are posing new challenges e.g. face recognition and biometrics. Biometrics are a specific new category of information under the new legislation.
  • Data protection impact assessments must be completed for processing that is likely to result in high risk to individuals. You must come to the ICO if you identify a risk you cannot mitigate.
  • Breach reporting: not later than 72 hours, and must inform the subjects if there is risk of significant harm
  • ICO getting about 1400 beach reports per month. Part of their work now is in educating people not to over-report!
  • New regulatory action policy sets out new provisions and regulatory priorities for the coming year
  • ICO has published a technology strategy, covering the next three years, aiming to regulate new technologies such as AI and big data
  • The number of people who have trust and confidence in how organisations store and user their personal information has gone up, from 25% to 34%
  • The public are more likely to have trust and confidence in public authorities handling their personal data than private companies
  • ICO’s fundamental objective is to build a culture of data confidence in the UK
  • Fundamentals of being prepared for a breach – Have an evidence base in place:
    • A DPO
    • a breach procedure
    • Policy relating to the personal data asset ( how long to keep it etc)
    • Evidence of staff training
    • Privacy notice
    • Data protection impact assessment
    • If using a processor, contractual clauses covering GDPR obligation
    • Data sharing agreements
    • Cyber security certificates

I gave the closing address. My main points were:

  • We have seen numerous valuable internal and external perspectives.
  • Some common themes emerging, e.g:
  • Governance – organisations have not yet settled on a common model
  • Still firming up on breach reporting – what constitutes a reportable breach?
  • GDPR has rocketed Data Protection up the priority order in almost all organisations – we need to capitalise on that interest
  • Worth taking stock of what we do in defence – remember that our challenges are very significant. We are essentially a microcosm of Government in terms of the services we provide to the Armed Forces, and many of our component organisations are larger than whole Government Departments
  • The counterpart to GDPR compliance is risk. What is an acceptable level of breaches? Is risk always necessarily a bad thing in Data Protection?
  • The analogy is Heath and Safety – contrary to popular myth, having a strong health and safety culture doesn’t stop you from doing things. In fact it’s the opposite – having a strong H&S culture enables you to do riskier things!
  • In defence, we want to excel at exploiting information, therefore we need to excel at compliance too.
  • Thanks for coming, thanks for your work. As I’ve said before, our biggest asset is you.
  • To borrow from Churchill – it is not the beginning of the end for GDPR compliance, but it is perhaps the end of the beginning

What I will aim to do differently as a result

  • We need to establish with ICO when, whether and how MOD will apply the Defence exemption under DPA18
  • Establish whether our information stewardship construct will meet the direction coming from DCMS that we should separate the DPO from the data policy function