Editor's note:
IAPP CEO and President J. Trevor Hughes recently hosted an interview with Zefo "Profiles in Privacy" for the IAPP's "Profiles in Privacy" series.
Ruby Zefo, CIPP/US, CIPM, FIP, might now be two years into her role as Uber’s first chief privacy officer, a post to which she brought experience building and leading a global privacy team, but, still, she described privacy as a field she “got drop-kicked into.”
Zefo was leading Intel’s trademark legal team when she was chosen to build and lead the company’s global privacy and security legal group. It was a new focus to be sure, with a lot to learn, but Zefo had little time for those who questioned why she was selected for the task, why she would accept it, and how she was going to do it.
“I said, ‘I don’t know how; all I know is I’m going to do it.’ And I walked away thinking, ‘That’s why, me.’ Because I’m not terrified. I felt very confident I could figure it out, and I did figure it out,” she said. “It’s not because I have the most knowledge. It’s because I’m a demonstrated fast leader, I can develop a group, I can make it happen, I’ve shown my results … I didn’t check any box except leadership, building a team, constant learning and developing myself. So there you go, that was it.”
Zefo jumped into the privacy work, obtaining IAPP certifications and attending networking events and educational opportunities. She also began honing her skills and sharing her privacy knowledge and experience through speaking engagements and teaching.
Her growth in privacy aligns with that of the profession itself, which is constantly advancing and changing as new technologies emerge, and that’s what Zefo loves about it.
“There’s something new to learn all the time. It keeps me on my toes, keeps my brain functioning well, challenges me, gives me an opportunity to think creatively,” she said.
When she joined Uber in 2018, Zefo said the company was looking to turn things around after several privacy-related challenges. It had just finalized a settlement with the U.S. Federal Trade Commission over allegations it deceived customers on its privacy and data security practices and failed to control employee access to rider information, resulting in two data breaches. The company also paid $148 million in a settlement with all 50 U.S. states and the District of Columbia.
Calling herself “the turn-around queen,” Zefo said it was that opportunity for positive change that drew her to the role, after 15 years at Intel.
“I love going in and making something better,” she said, adding the company already had a team in place that was working diligently on its privacy program and implementing the EU General Data Protection Regulation, which became a foundational element.
“Every meeting I had, which was a lot when I first started, people were explaining how glad they were I was here,” she said. “They were all wanting somebody good, and so I was able to move into operational work right away. I didn’t have to explain why we needed to change and do better and all that. It was about how I was going to do it and on what timeline.”
Since Uber is a global company with team members in the U.S., Europe, Latin America and Asia-Pacific, Zefo said, “We start with a very GDPR-like foundation, and we have our own principles. They don’t dictate how; they dictate the result. Changing the lens of every product feature to the principle basis really gets people a lot of the way there.”
While the COVID-19 pandemic has brought “a lot more work,” looking at its impact and potential changes through that lens has produced initiatives Zefo is proud of. While Uber uses a biometric-processing feature as a safety measure to authenticate drivers, when the pandemic called for drivers and users to wear masks, the company did not rely on that same technology. A “dumbed down” biometric feature, which determines solely whether an individual is wearing a mask or not, was implemented.
“That was a privacy-by-design choice. We’re not just going to reuse technology we have that overdoes it. This is all we need and that’s the way we are going to do it,” she said. “That’s just an example of one thing we did that was COVID-related. … It’s been a journey. It’s been a lot of different privacy-related activities regarding COVID-19, but I think the thoughtfulness that went into it ended up that we had a good result.”
In her day-to-day work, Zefo said the pandemic has solidified her focus on people. Parents are struggling with children learning from home, social networks have been ripped away from those who rely on them, and racial justice problems are plaguing our country. “Job one,” she said, is ensuring her team is engaged, motivated, focused and feeling good about their work.
While there’s undoubtedly a focus on compliance, Zefo said she most enjoys “the things we do that aren’t legally mandated,” like working with the privacy engineering and product teams on new features that make Uber’s offerings more transparent or beneficial for users.
“Things like that are the fun part,” she said. “It’s a super exciting field, never a dull moment. The learning, the ability to create an opinion that’s based on your judgment and not just some easy analysis that anyone could do — those are the things that make the job rewarding.”