What I Learned as a One-Year-Old Uberian

Uber Privacy & Security
Aug 19, 2019

Ruby Zefo, Chief Privacy Officer

This month I had my first anniversary as Uber’s first Chief Privacy Officer — my one-year “Uberversary,” or, as my pun-loving team called it, my “Ruberversary.” In some ways, like a baby, I had a crawl-walk-run experience, albeit at a much faster pace than for most humans, except possibly baby Jack Jack from the Disney film “The Incredibles.” Uber doesn’t just set cities in motion, it inspires passionate employees to move fast, too. And my passion is data privacy and security.

A lot of people asked me why I made the leap from a mature Fortune 50 company that put the silicon in Silicon Valley to a relative upstart changing the way the world moves. The short answer is that after poking around quite a bit in my due diligence, I concluded that this was an incredible opportunity to provide leadership and help build a top-notch data privacy and security legal team for a company that took its lumps, learned from its past experiences, and was highly motivated to do better.

From my first day on the job, I haven’t been disappointed. I felt exceptionally welcomed by everyone I met, including by people who others may presume would be antagonistic toward privacy, such as our Chief Information Security Officer (CISO) and our head of products (both of whom interviewed me for the role). I still hear experts in the security industry talk about the “tension” that should exist between privacy and security professionals that they believe is necessary to achieve their goals, but our CISO and I believe that collaboration, open communication, and a desire to learn more about each other’s practices are the behaviors that lead to the best outcomes.

And for product specialists who claim that privacy hinders innovation, we believe that you aren’t very innovative if you can’t figure out a way to earn the trust of your customers in giving you the data you need to run your business and give them a good experience in return. I continue to be welcomed by people throughout Uber, and that doesn’t mean anyone is a doormat; honest debate is important in a field — like privacy — where even the basics feel so very personal.

What have I learned as I move into my toddler years at Uber? Here are some practical tips on building a global, scalable data privacy and security legal group. Disclaimer: I’m a lawyer-as-CPO (a two-fer in my mind), so that’s my lens.

Conjure up a good customer experience, not just legal compliance.

Legal compliance is a minimum baseline — start there and then create privacy-rich features that will enhance the customer experience and add brand trust. Examples at Uber include the ability to use our rider app without turning on location services, and providing in-app chat between drivers and riders who don’t see each other’s phone numbers. Sometimes people ask, “Why not do the least amount required by law?” For starters, data privacy and security laws are not harmonized globally (or even in the U.S.) and are evolving rapidly. Brand-spanking-new laws can make it difficult to interpret exactly what a law requires or how it will be enforced.

Instead, start with a principled basis for processing personal data, and establish a privacy-by-design process for building products and services that includes reviewing them for both legal compliance and user experience. That will provide a framework where doing the right thing, not only the legal thing, is the goal.

This goal is also more efficient and scalable than trying to rejigger every product or service for minimum legal compliance in every local market, and provides customers with a consistently good experience no matter where they are located. What happens in Vegas should stay in Vegas, even if your trip started in a privacy-forward state like California and moseyed over the border. Under this framework, happy customers aren’t a byproduct of the process but rather a deliberate, and hence more likely, outcome of it.

Think bigger.

Take off your local lenses. For global companies, think globally in building and maintaining your team. For example, don’t try to do it all with U.S. practitioners unless you have to. Diversity in hiring leads to better decisions, period. By focusing on global hiring, you will have people on the ground in other regions who can better understand the local laws, better understand the culture that drove the laws and how a new law is likely to be enforced, and build better relationships with regulators and other influencers.

Roles should be diverse, too, and map to skills needed. Include operational experts in your hiring. A lot of legwork goes into a robust, global data privacy and security program. No reason lawyers need to do it all — you’ll probably pay more for that JD. Instead, a seasoned privacy ops person — or even an enthusiastic newcomer eager to learn and quick on the uptake — can do a great job helping lawyers build or mature the program. But keep them in your own group so that they aren’t subject to the vagaries of someone else’s budget and headcount that you can’t control.

Don’t forget data privacy’s sibling, data security. The cybersecurity function needs lawyers too, and having the same legal team support both data privacy and data security gets rid of pesky neanderthal notions that there should be in-fighting between privacy and security pros to be successful. That just means the biggest bully wins, but like real siblings, we’re supposed to love and nurture them equally. Wouldn’t you rather have all considerations factor into an educated decision by experts who have at least dipped their toes into an adjacent field that is quickly converging anyway?

Don’t forget your cousins in other organizations. Get to know your extended data privacy and security teams in other groups. All the data security folks are obvious colleagues. Like me, hopefully you also have privacy engineering and privacy product pals who help translate your advice into real products, features, and services. I also have public policy and communications colleagues who help translate internal work into external positions, influencing, and communications. Share your goals and priorities to make sure everyone is aligned. We all rise or fall together, so make sure you create strong team bonds.

Embrace your Data Protection Officer (DPO). I’m a big fan of having a separate, independent person for this role. The DPO needn’t be a lawyer, either. Uber’s DPO has a technical background, which works well for us. Regardless, a trusting relationship is very important, as is clarity on the difference in the roles. The DPO’s role should not be described as nothing but a whistleblower hired to spy on the business and run to the nearest Data Protection Authority with complaints.

Instead, an experienced DPO can help guide the business in the right direction as it innovates within the legal framework at issue (e.g. GDPR), and shouldn’t be stuck on technical mandates or other haunting specters that aren’t actually required for legal compliance or a good customer experience. Let your DPO be the yin to your yang, the nuts to your bolts, the cheese to … well, just about anything.

Are we having fun yet?

Building a stellar new team or enhancing an existing team depends on the people and how well they work together. Data privacy and security experts are in high demand, and chances are that someone will pay more than your company to hire and retain them. But it’s rarely all about the money. Provide the kind of leadership and team experience that makes people want to come to work for you and your company and stay there.

In addition to hiring a diverse group of people, you need to focus on trust and team building. Have an in-person team meeting sooner rather than later for the sole purpose of having people get to know each other, build trust, and have fun. In our case, we had an improv consulting team facilitate engaging brainstorming sessions on day one, and then culled through that information for insight and action items on day two (followed by cooking lessons and team dinners).

Throughout both days we also had everyone do creative two-minute presentations on who they are, whatever that means to them. These issued forth in all kinds of formats: standard slide sets, poems, photo montages with no spoken words, stories, a few tears, and a lot of support and cheering as they got very personal. We came out of our meeting with three new initiatives: a short set of group values, a global decision-making process, and effective communications guidelines for emails and meetings. And a lot of team spirit that still continues. Trust me, it will be time well spent.

Looking back over the last year, it’s a little disconcerting that I simultaneously feel as if I’ve been at Uber a very long time because of everything the team achieved in a year, and a very short time because that first year zipped by so darn fast. Overall, I feel like I’m still on my honeymoon — happy and very hopeful for what the future will bring, and how I can help drive it to a better place so customers can sit back and enjoy the ride (see how I did that?).
