Lee & White

There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

This is a good example of what happens quite often in IT projects.

• The business owner has a great idea to use a new technology to boost sales or to develop a new product.
• The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
• The project manager executes the project and drives the IT and business teams to deliver the required code.

The whole process is monitored end to end by the data protection officer who

• Assesses the impact on personal data protection at the time the business owner intends to initiate the project
• Reviews and approves the business requirements and analysis documents, checking that personal data processing is
  • fair and lawful,
  • collected for the specific purpose of the project,
  • adequate, relevant and not excessive.
• Participates in status and scope meetings, guarding the above.
• Performs integration and user acceptance testing with a focus on personal data
• Gives the final go that a project can go live and it is not, now and in the future,
  • a risk to trust and reputation of the organisation, or
  • a violation of applicable data protection laws.

So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

• The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
• The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
• The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
• The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.