Closure Report
Project Summary
The General Data Protection Regulation (GDPR) is an EU regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The new legislation came into force on 25 May 2018. Aligned to this, there were a number of requirements across Applications Services to be met before the new legislation came into force.
The project provided support for the work required across Application Services to ensure compliance with the legislation.
Outcome
The COM042 GDPR Preparation for Applications project provided support for the work required across Application Services to ensure compliance with the legislation. The project delivered:
- Internal register for Apps Services
- Assessment of services which required privacy notices (and progressed publication of these)
- Evaluation of other work required for Apps owned services for May 2018 and beyond
- Recommendations for Apps Services Privacy Impact Assessments
- Evaluation of working practices and recommendations for future work to make changes to these.
The project also developed an action plan for colleagues within Apps to work together to ensure compliance with GDPR, aligned to the areas identified. These actions have been ongoing throughout the project and will continue beyond the closure of the project. Prior to closure, the OGG was identified as the owner of the action plan.
Analysis of Resource Usage:
Staff Usage Estimate: 25 days
Staff Usage Actual: 22 days
Objectives & Deliverables - Outcome
No. | Description | MoSCoW | Outcome Achieved? |
---|---|---|---|
O1 | Completed internal register for Apps Services | Yes | |
D1 | Identify and support review of services and applications in scope of project | Must have | Yes - Review was undertaken across Apps owned services |
D2 | Review and update internal register documentation | Must have | Yes - Internal register developed |
O2 | Assessment of which services require privacy notices | Yes | |
D3 | Assessment of internal register to identify services requiring privacy notices | Must have | Yes - Gathered and documented within internal register |
D4 | Publication of privacy notices | Must have | Partial - PNs identified within register and published on appropriate sites - Committee Online TBC and within action plan (as BAU) |
D5 | Unidesk mechanism and instructions on publishing Privacy Notices | Must have | Yes - Aligned to Records Management guidelines |
O3 | Evaluation of wider work required for Apps owned services and recommendations on future action | Yes | |
D6 | Identify work required for May 2018 including process for Privacy Impact Assessments | Must have | Yes - This was identified within internal register and documented within internal action plan |
D7 | Identify work and deliver action plan for future implementation | Should have | Yes - Action plan including responsibilities and timelines developed |
D8 | End User Guidance and Communication Plans | Should have | Partial - Included within action plan and being progressed as part of BAU |
O4 | Evaluation of working practices and recommendations for future work to implement GDPR required changes | Yes | |
D9 | Identify current working practices in relation to data processing | Should have | Yes - Undertaken as part of the development for the internal register |
D10 | Provide recommendations for future work including data anonymisation (including Dev, Test and Live) | Should have | Yes - Undertaken and documented within internal action plan |
Links to key documents
Links to current version of key documents (4/9/18) can be found here - https://secure.projects.ed.ac.uk/unpublished/project/com042/meetings/key-documents
Explanation for variance
As outlined above, some of the remaining deliverables have been moved to BAU due to the length of time it will take to roll them out and also to support ownership of these going forward.
Within the project an action plan was developed, and work to roll out actions has been ongoing throughout the project; however, a number of these have a longer expected delivery date than the end of this project. There was a need for the project to identify ownership of the action plan prior to closure. It is for this reason that the OGG were asked to take on the ownership of the action plan - see OGG minutes. This will ensure ongoing focus on the delivery of the longer-term actions to meet GDPR across Apps Services whilst benefiting from cross-service representation, established group process, and appropriate seniority to enable effective escalation of risks and issues.
Actions within the plan will remain with current owners but progress will be tracked via the OGG until completion. OGG has confirmed that the delivery of the action plan will be monitored by the group going forward.
Key Learning Points
- The Project Manager changed twice during the project, which impacted the continuity and flow (and ultimately timescales) within the project.
- The decision was taken at the outset not to include budget for the wider group of staff supporting delivery of the objectives and deliverables (this was to be included in BAU activities). This was, however, challenging for the staff involved due to wider workloads and dependencies, especially within Service Management, who played a key role within the project team and development of the deliverables.