Uber’s First Ever Chief Privacy Officer Talks Privacy-by-Design

Ruby Zefo, Chief Privacy Officer at Uber

According to various estimates, Uber has somewhere in the neighborhood of 75 million passengers served by a total of 3 million drivers. Ruby Zefo, Chief Privacy Officer at Uber, is part of the team that protects their data.

Zefo, who joined Uber in 2018 to serve as its first chief privacy officer, is responsible for the development and implementation of privacy standards, procedures, and processes in every market where Uber operates.

She’ll be participating in a panel at Chief Executive and Corporate Board Member’s Cyber Risk Forum, “The Future of Data Protection: Adapting to the Privacy Imperative,” to explore the future of privacy, in which personal data becomes a currency, consumers demand more of companies, and organizations actively compete on trust and data stewardship.

We spoke to Zefo in advance of this event to talk about what she does as chief privacy officer and the difference between security-by-design and privacy-by-design. Below are excerpts from this conversation.

Privacy-by-design is touted as one way to address privacy issues.  What does it mean in practice?

Global privacy laws, regulations, and regulatory guidance are not harmonized and are rapidly evolving.  Uber follows the common regulatory guidance to take a risk-based approach, and has a PIA and DPIA process to effectuate privacy-by-design and help our business partners move faster.  Some laws and guidelines are high-level or unclear regarding how they will apply to a certain technology, particularly new technologies.  And unlike security-by-design, we don’t have technical standards for privacy.  Putting new technologies through the PIA process, and following responsible privacy principles, is one way of rooting out the risk involved and putting privacy-enhancing controls in place where they matter most.  In addition, we have a broad privacy team at Uber that includes employees well beyond the legal department that are passionate about privacy, including our privacy engineering team, our privacy public policy team, and our information security pros that all help out.

We collaborate early in the process to help shape the experience users will end up having at product launch.  One example I have is that our customers can use our rider app without location services, which was a deliberate product decision to give users choice about their data.  We also have privacy champions in our business units that can help us spot issues in their early stages and help their colleagues navigate through the PIA process.

Are there any important differences in the way companies think about privacy-by-design and security-by-design?

While there can be similar touch points and reporting for privacy-by-design and security-by-design, much of security-by-design (including, in some instances, data security) can refer to technical standards in addition to laws and regulations.  But there are no technical standards for privacy, as I mentioned.  In lieu of that, privacy-by-design can incorporate privacy principles.  Privacy principles can provide guidance in areas of the law and ethics that are unclear or evolving.  Principles answer the question “What should we do?” not “What can we do?”  For global companies, relying on different product versions for compliance with the many different local laws is not scalable or efficient, not stable, and would not provide a consistent user experience.  Instead, doing more than the law may require, and standing by privacy principles, can be easier, more cost-effective, and more user-friendly.  And the privacy-by-design process is the method by which you can bring privacy principles down to the contextual tactical and operational level.

What is the role of a Chief Privacy Officer when it comes to cybersecurity?

I collaborate with the CISO and his teams all the time.  We really are a dynamic duo that can not only reduce our company’s risk profile, but proactively skate to where the puck is going and improve user experiences.  For example, we work together to evaluate our personal data security controls against the evolution of “reasonable data security” in the tech and transportation industries, to properly manage suspected incidents, to improve our products and platforms with their privacy engineering and architecture teams, to improve our practices with their security assurance team, and to create employee trainings.  We also create various reports for our own teams, for our internal Privacy and Cyber Security Council, for our executives, and the board, so that they have insight into our programs, processes, and program maturity.  In addition, both the CISO org and the CPO org report up to the Chief Legal Officer, so we are also in many leadership meetings together where we are discussing broader strategy topics.
