Closure Report
Project Summary
This project delivered changes as to how the EdWeb hosted websites handle cookies, Web forms, and user consent. The project is part of a larger program to ensure that the University is GDPR compliant by the time that the legislation is enacted in May 2018. The project was delivered over the course of four months from February 2018 to June 2018. The project implemented a pop-up banner to approve the use of cookies on web browsers that accessed the EdWeb sites. The project delivered on all it's objectives.
Analysis of Resource Usage:
Staff Usage Estimate: 90 days
Staff Usage Actual: 70 days
Staff Usage Variance: 12%
Outcome
NR |
Objectives / Deliverables |
Priority |
Outcome |
|
|
||
O.1 |
Ensure that all cookies and embedded content utilised within EdWeb are conformant to the latest legislation |
|
|
D1.1 |
An opt-in cookie banner that covers a set of bundled cookies, mainly marketing and analytics |
Must |
Achieved |
D1.2 |
An overlay for third party content |
Must |
Achieved |
D1.3 |
An information only banner for system necessary cookies . |
Must |
Achieved |
|
|
|
|
O2 |
Define method of handling cookie consent |
|
|
D2.1 |
Define what cookies need to be handled |
Must |
Achieved |
D2.2 |
Agreed wording for each opt-in consent mechanism |
Must |
Achieved |
D2.3 |
Deliver opt-in consent mechanism for third-party provided content |
Must |
Achieved |
D2.4 |
Functionality allowing consent to be removed where previously given |
Must |
Achieved |
|
|
|
|
O3 |
Define method of handling data protection and privacy for EdWeb web forms |
|
|
D3.1 |
Opt-in consent for web forms |
Must |
Achieved |
D3.2 |
Updated guidance for editors |
Must |
Achieved |
D3.3 |
Encrypt data at rest. Needs to be part of a University-wide solution. |
Could |
Not achieved |
|
|
|
|
O4 |
Ensure that the corporate reputation of the University is maintained within EdWeb |
|
|
D4.1 |
Deliver cookie management functionality for website visitors that meets GDPR requirements within required legislative timescales |
Must |
Achieved |
D4.2 |
Deliver banner that works across all platforms and browsers for EdWeb |
Must |
Achieved |
|
|
|
|
O5 |
Ensure that the business has suitable manual processes to remove personal data as well as enacting right to be forgotten. |
|
|
D.5.1 |
Manual process to remove personal data from EdWeb including restriction of search data |
Must |
Achieved |
D5.2 |
Right to be forgotten manual process |
Must |
Achieved |
|
|
|
|
O6 |
Ensure that a Privacy Impact Assessment is undertaken |
|
|
D6.1 |
Deliver a completed and signed off PIA |
Must |
Achieved |
Explanation for variance
The initial estimates were generous given the varied options of implementing regulation compliance.
Key Learning Points
Some of the initial business analysis took longer than expected and did not deliver the quality required. This was due to an inexperienced Business Analyst (External Service Provider). In order to capture the full requirements, other project team members worked more than they normally would be expected on the requirements document. An additional factor was a varied interpretation of the new regulations and emerging guidelines from the UK Data Protection Office.
The project team worked well together, the changes were developed using Agile, with the stories maintained in JIRA.
Outstanding Issues
There are no outstanding issues.