In concert with what's internationally recognized by those in the industry as Data Privacy Day, Uber's first chief privacy officer is using the opportunity to personally message consumers directly through its app, a first for the company. In a blog post released yesterday, Ruby Zefo, CIPP/US, CIPM, FIP — who's also a member of the IAPP's Executive Committee — describes to consumers Uber's privacy features, including some changes it has made based on user feedback. For example, the company now hides "precise pickup and dropoff locations in the driver app after a trip ends to help protect information about rider locations." The feature's now available in the U.S. and is being rolled out internationally. 

In an interview with The Privacy Advisor, Zefo described her first six months on the job. And while some might have expected an industry veteran to meet some resistance from a tech startup with a less-than-stellar report card on consumer privacy, Zefo said the opposite is true.

"I was pleasantly surprised. Not only was there a team of lawyers and one person chugging away on the typical privacy things I would have done anywhere else, but also a much broader team of privacy engineers. I had never felt as welcome at any new job I've ever had," she said of her July arrival. "People were just waiting for me to come and were disappointed I hadn’t come sooner. I had expected some people might be a little less thrilled with someone coming in with the big whip on privacy, and I came prepared for that, but it really wasn’t the case."

Zefo said she credits the company's leadership with that. You'll remember Dara Khosrowshahi took the reins from a media-battered Travis Kalanick in 2017. The Washington Post described Khosrowshahi  as "disciplined and undeniably mature, a 48-year-old family man who is more inclined to follow rules than break them." It seemed a necessary change, if only from a privacy perspective. After all, Uber only recently finalized its settlement with the U.S. Federal Trade Commission over allegations it deceived consumers on its privacy and data security practices, failing to control employee access to rider information, including sensitive information, and resulting in two data breaches, one in 2014 and one in 2018. It also settled with all 50 U.S. states and the District of Columbia over its breaches, paying $148 million and agreeing to improve data security. 

Despite stepping into what most would call a crisis-management situation, Zefo wasn't daunted at all, she said. That may well be chalked up to her experience: She spent 15 years as CPO at Intel and, before that, seven years at Sun Microsystems. But she also has a fierce personality. "Nobody sasses me," she laughed. Which can be important, it would seem, when you're building a privacy program from the ground up at a company that wants to move fast and win market shares. In addition, the company had never had a CPO before, so this was fertile ground. 

"I did not feel at all like I had this giant uphill battle like I had feared," she said. "Building [the program] up has been not difficult from the strategy and support perspective. In a distributed organization the biggest challenge is going to be getting the funding for what you want and getting everyone moving in the same direction for the same thing." And that she has.

As such, cross-section teams are sharing roadmaps, putting key performance indicators in place and structuring the program out of components that were good at the company but now are part of its official annual strategy. 

"Things like that are what matter," Zefo said. "I have not had an ideological dispute, so that was a giant relief. We've settled most of our data breach cases, and we're moving into a different conversation now. We’ve paid our dues. I’m moving our company along toward, 'How are we going to help the customer now? What do they want to see in the app? What should we take out that’s detracting from experience? We’re asking our customers to drive those things."

And while that's a shift, it has been easy, she said, because of the support she got from the leadership team. "Every time I have had to escalate things to move forward or because there's a morals dilemma, I don’t even get half the words out of my mouth before I can sense that it’s going to get a very positive direction. I don’t need to advocate, I just need to make sure it’s gonna happen. So in some ways, it’s a much more tactical job because the mindshare is already there, and I don’t have to start doing that all over."

For support, Zefo is building out her team, which she describes as "growing left and right. The whole legal team is growing." However, she said she chose to leave legal team membership management within the regions they work on versus centralizing them in the U.S. "I really believe people need people on the ground. I’m working with their managers and working on what they’re collaborating on. But they're in their offices and basically doing the work that I’m directing. I'm not trying to pull people into some central office. We collaborate across boundaries."

The bulk of her time has been spent on working on the company's EU General Data Protection Regulation program and its settlements, Zefo said. But there has also been time dedicated to actively changing the company's perception, and not only on behalf of its users.

"We're building better relationships with regulators," she said. "We will go to the regulator in advance and say, 'Here’s what we need to do, we need you to bless it because, for example, this is a safety issue.' So you build relationships and build trust, and we've also gotten very good responses from some of the regulators we’ve made angry in the past."

If she has any fear, which she doesn't indicate in her straight-forward and fast-talking demeanor, it's the natural anxiety that comes with working in innovative technologies. 

"I want to do the right thing, and what is the right thing when you’re working with new technology? And then of course with the laws in a state of flux, how are the regulators going to look at things? There are so many different stakeholders we're trying to please. What’s the best for the business, the best for the customer? We want to put ethics into everything we do." 

And while surely there is work to be done — the ink barely dry on its breach settlements and consumers and regulators likely still wary due to past mistakes — Zefo, on this Data Privacy Day, is optimistic about the year ahead. 

"I think we have a reputational problem we have to get over, but [also] I just don’t think people knew what was behind the curtain," she said. "There were so many good decisions happening that just didn’t make headlines. I think those delicious and tasty goods will be on display in 2019."

photo credit: bfishadow Uber in Beijing via photopin (license)