The path your project takes to get from beginning to end can vary greatly depending on the project. We also understand that each agency has its own processes in place, and we don’t want to change that or dictate how you work. That said, Google does have some key requirements you should keep in mind when you are building out your own internal timelines and project plans.
At Project Initiation
Any new project should be kicked off at least 5 weeks before the target launch date. This ensures that the proper legal, security, and technical evaluations have enough time to be completed. At the initiation of the project, and before development begins, here are some deliverables/milestones you can expect. These items are some of the most time-consuming and should be started as soon as possible.
If required, you will be asked questions about security at your company. You must complete the questionnaire and fix issues in a timely manner. The length of time this process takes depends on a number of different factors:
- If your agency has gone through this process in the past, it can greatly shorten the timeline.
- The faster your agency can respond to issues surfaced during the evaluation, the faster the process can move forward.
- If your project requires the use or collection of PII, that could extend this process.
At a minimum, this process should be initiated at least 5 weeks prior to launch. If the project will be using or collecting PII, it’s recommended to begin this process sooner.
Privacy Design Document (PDD)
A Privacy Design Doc is submitted, listing all data types involved in the project (PII, email addresses, etc.). The PMM will drive this, but may need your input on some questions.
Technical Design Document (TDD)
For each project, you’ll be responsible for completing a Technical Design Document. Please use our template when writing your TDD. In the TDD, you'll outline what you plan to build and how you plan to build it. The main audience is your ATL and the Security team. You should not begin development until your TDD has been reviewed and approved by your ATL and Security. Please be sure to keep the TDD up to date with any changes that occur during the project lifespan.
Personally Identifiable Information (PII)
At Google we take the privacy and security of our users' information very seriously. If your application collects, uses, or stores user information such as real names, email addresses, geolocation, or other personal information, the milestones, reviews, timelines, and requirements for your project will be quite different from those for a site that does not use PII. As you read through the information in this guide, and as you work through your project, make sure to keep in mind whether or not your site will be using PII and follow the appropriate required steps if it does.
If your project implements Google Analytics (most projects do), then remember that even the most basic analytics implementations are considered privacy-impacting with regard to reviews and approvals.
Once your project is underway, there are some key milestones and approvals you should be aware of. Many of these items are required in order for your project to launch, so it is key you take these into account when building your timeline or project plan.
5+ Weeks Before Launch
- Domain approval and name registration: up to 30 days (average 10 days)
4+ Weeks Before Launch
- Higher-risk sites (e.g., GCE, sites with PII collection, etc.) code complete, synced to your project Google code repository and ready for security and code reviews.
2+ Weeks Before Launch
- Simple sites (e.g., AppEngine, no PII, static content) code complete, synced to your project Google code repository and ready for security and code reviews.
- Domain set up (PMMs and ATLs will handle this)
- Google Analytics implemented and ready for testing and review.
At Google we typically do not allow our agencies to maintain control of a live site. Approximately one week after your launch we will remove your ability to make changes to the live site. If changes are needed in the future, we can reinstate that access for a short time, but it will be removed again after the updates are made. If you need to retain access, this can be discussed during your security review, but it will likely extend how long the review period takes. Make sure to raise this issue early and plan accordingly!