Uber Chief Privacy Officer advises on building strong compliance teams
Data is a hot commodity in today’s world, and businesses that fail to protect customer data not only pay hefty fines to regulators but also lose customer trust and a large chunk of their market value.
That being said, although businesses understand the importance of data privacy, they struggle to guarantee it.
Uber, which was fined GBP385,000 (US$467,000) by the UK Information Commissioner’s Office and EUR400,000 (US$440,000) by the French Data Protection Authority towards the end of last year for a data breach it suffered in 2016, seems to have been working on tightening the screws on its management of data.
At the start of this year, on 28th January, the company celebrated “Data Privacy Day” to commemorate Convention 108, the first legally binding international treaty (signed in 1981) to address privacy and data protection concerns.
On the occasion, Uber’s new Chief Privacy Officer Ruby Zefo highlighted several of the privacy upgrades that the company has put in place as a result of new laws, best practices, and customer demands.
More recently, Zefo completed her first anniversary with the company and penned a blog post to share some learning and advice for business leaders and data managers.
“Legal compliance is a minimum baseline — start there and then create privacy-rich features that will enhance the customer experience and add brand trust,” was the first and most important piece of advice from the International Association of Privacy Professionals (IAPP) Fellow of Information Privacy and Stanford law graduate.
However, since Uber is a global entity operating in multiple jurisdictions, complying with varying laws sometimes becomes a challenge.
Zefo, therefore, suggests that companies start with a principled basis for processing personal data, and establish a privacy-by-design process for building products and services that includes reviewing them for both legal compliance and user experience.
“That will provide a framework where doing the right thing, not only the legal thing, is the goal.”
Zefo’s advice, of course, is reflective of the actions that Uber has taken to protect its customers. For example, the company allows riders to use the app and service without turning on the location feature on their smartphones, and it facilitates in-app chats between riders and drivers to avoid the exchange of numbers.
Both features show clearly that while privacy has been taken into consideration at the start, the end result is something that delights customers and earns just a little bit more of their trust.
While Uber’s Chief Privacy Officer has a massive role to play in shaping the product and services offered by the company in different markets, Zefo has built a remarkable ecosystem for data privacy within Uber.
At the end of her first Uberversary, Zefo offers “some practical tips on building a global, scalable data privacy and security legal group”:
# 1 | Diversity makes for better compliance
“Diversity in hiring leads to better decisions, period.
“By focusing on global hiring, you will have people on the ground in other regions who can better understand the local laws, better understand the culture that drove the laws and how a new law is likely to be enforced, and build better relationships with regulators and other influencers.”
In many of the markets that Uber operates in, its relationships with government bodies and understanding of local laws have really helped the company tide over issues in recent times.
# 2 | Data security and data privacy are close cousins
“The cybersecurity function needs lawyers too, and having the same legal team support both data privacy and data security gets rid of pesky neanderthal notions that there should be in-fighting between privacy and security pros to be successful.”
What Zefo says makes a lot of sense, especially for large companies where data privacy officers and data security professionals tend to lock horns — and lose sight of the bigger picture — that the customer is ultimately king, and providing them with the best possible experience is what matters most.
# 3 | Value the data protection officer
True, the role of the data protection officer (DPO) was created as a result of the European Union’s General Data Protection Regulation (GDPR), but today, that’s a significant role that must get its due importance in the boardroom and have a say in decisions being taken on product improvements.
“An experienced DPO can help guide the business in the right direction as it innovates within the legal framework at issue (e.g. GDPR), and shouldn’t be stuck on technical mandates or other haunting specters that aren’t actually required for legal compliance or a good customer experience.”
“Let your DPO be the yin to your yang, the nuts to your bolts, the cheese to … well, just about anything,” advised Zefo.
The bottom line, after all, Zefo emphasizes, is to value the DPO and see the position as a business enabler rather than a whistleblower.