Unfortunately, Google found itself in exactly that situation. Google had previously told various regulators (e.g. in Australia) that it had deleted the payload data (which may contain personal data) that it had collected from wifi networks when its Street View cars drove along streets. Now, Google has found out that it still had in its possession some payload data (which may contain personal data).
It is not clear how many other countries in Asia are in this situation, but Google has already informed the UK and Australian privacy regulators of the mistake. You can read Google's letter to the UK ICO here. A similar letter was sent to the Australian OAIC. No news from the Hong Kong regulator on this yet (remember that Google gave an undertaking to the Hong Kong Privacy Commissioner that it had deleted all the payload data).
I last posted on the Street View here, and was of the view back then that regulators in Asia would generally not reopen their investigations. I am still of that view.
I have no particular insight into the workings of Google, but incidents like this suggest a number of things which could be instructive for other companies in similar situations.
- People make mistakes. No matter how robust your process or system is, the human element within the process or which crafted the process will fail from time to time. Automated processes still rely on input by humans (search terms, date range of the search, locating the hard disk or tape drive in the box in the room). So, what does that mean for companies that realise that they have made a mistake? Apologise and be up-front with it. Voluntary disclosure in situations like this can be a good thing (and usually a necessary thing) - especially where you are dealing with a reasonable regulator.
- Second, investing in people and processes does help. A number of companies have woken up to the idea of the importance of a separate compliance function (i.e. separate from the legal function). Having the right people with the right relationships and an understanding of cultural differences does help in Asia. Backing up these people with senior executive support can help in the implementation of compliance processes and programs, and in responding to breach situations.
- Third, try to get it right the first time. There is always an urgency to responding to a complaint or a regulator. Pressure comes from many sides: internally from management, externally from the press, regulators, consumer groups, the complainants. Pressure may also come from the regulatory framework itself which requires a response within a specified period of time. It is crucial to get the information right the first time round especially if you are giving an undertaking to the regulator. In many Asian jurisdictions, providing inaccurate information to a public officer is a criminal offence. You can't unscramble a scrambled egg. If you need more time to get the information, ask for an extension of time (most regulators are reasonable - especially if a relationship of trust is established). I know it is sometimes easier said than done.
- Fourth, identify and fix whatever made you make that mistake in the first place. Regulators like to be reassured that the mistake is not a systemic one, and that you are taking proactive measures to make sure it does not happen again. It will take some time to fix that, but giving that reassurance that steps are being taken to deal with the mistake is usually helpful.
Those are my quick takes on this. Hopefully Google does not have a sequel to this.