A look behind the career and privacy theology of the law-lovin’ CPO of Uber, Ruby Zefo
Jared Coseglia On Apr 23, 2019
Ruby Zefo spent over fifteen years at Intel doing a ton of cool stuff! Now she’s at Uber, and privacy is her focus and passion. Like many of her preeminent peers in the privacy profession, Zefo found her way to the field after a series of internal promotions and having developed a reputation for understanding the brand and successfully implementing sensitive security and legal systems and protocols. “My manager said, ‘We need to step up the privacy team! You have built global teams here before, dropkick that!’” recalls Zefo after serving first as Intel’s managing counsel for trademarks and brands, then legal director for corporate affairs and IT/privacy and security, group counsel for McAfee products, followed by chief privacy and security counsel and finally group counsel for AI products. “Privacy was becoming the new black long before the GDPR,” Zefo admits. “I saw privacy as an opportunity for another career disruption.” Zefo is now the chief privacy officer for Uber, a company that has become a household name in under a decade and could possibly move toward a major public offering as early as this year.
Zefo is thoughtful, funny and to the point. She breaks down privacy into three pillars of challenge and constant consideration that should serve as a simple, recyclable reminder of what this profession is all about: laws, customers and technology. As she gets into the weeds of these three segments of the discipline, she illuminates potential opportunities for professionals looking to get ahead in the continuously competitive landscape of privacy.
Zefo is herself an attorney but feels that the responsibility to stay educated on the laws related to privacy is universal for anyone in the field. “Privacy laws and regulations are constantly changing; just keeping up can be really hard,” shares Zefo. And just keeping up may be enough for some hungry newcomers to the vertical looking to make an impact. According to Zefo, the speed and intensity with which privacy laws are changing and growing globally “levels the playing field for more junior people to break into the industry.” Zefo elaborates that, “You can be in privacy for twenty years, but if you are not keeping up [with the laws], you’re not worth much.”
Ruby Zefo, CPO at Uber
“But it’s not just keeping up,” she interjects. “Then you need to know how to operationalize it.” Zefo is indifferent to whether a privacy professional is a lawyer or not. “Legal … nonlegal … I can make anything work.” However, she does have a strong opinion about where the legal and operational privacy professionals should be based in the org chart. “I believe it’s best to have those privacy professionals condensed in the legal department. When you are split up, the nonlegal operational professionals end up in IT and not part of the privacy budget. Having done it both ways, I’ve been much happier being able to control the budget and share talent. No one questions if they are lawyers and nonlawyers. Both elements are helpful to a program.” One exception to this rule may be privacy engineers. “Privacy engineers often remain in engineering, which is appropriate in my opinion and a different kind of privacy function.” Zefo’s program at Uber is under legal.
When asked how privacy pros – lawyers or not – can keep learning and educating, Zefo, like many, points to attending privacy conferences, creating a social network, joining the IAPP, buying inexpensive books by experts or creating committees or working groups all in an effort to champion privacy programs and awareness. When asked what she looks for in new hires – lawyers or not – many of whom do not have explicit privacy experience in their background, she identifies “self-starters, go-getters and people willing to take chances.” Zefo finds the easiest people to weed out are the ones “who have taken no steps to self-groom themselves for a new practice area.”
he laws are but one pillar in Zefo’s triad of privacy practice. The customer, perhaps the most ever-changing and often hardest variable to understand and affect, is squarely at the center of Zefo’s professional ethos. “We are always asking what’s happening with customers,” says Zefo. “How do we differentiate in a competitive market? How do we keep up with customer expectations?” This in many cases has nothing to do with what is lawful, but rather what is liked. Zefo describes a constant ebb and flow between practicality and culture. “Sometimes the law isn’t enough. You’re doing something totally lawful, but customers don’t like it. Sometimes we remove things that they don’t like.” For large organizations, engaging customers about privacy and understanding what they want and do not want can be, according to Zefo, “hard to decipher, but has to be part of the conversation.” Zefo continues by saying, “Privacy is about feelings – not just how a regulator will enforce it, but how customers will view the policy.”
The final pillar in Zefo’s triad is technology. She includes both the use of technology to automate tasks for privacy programs as well as how everyone in the company uses technology as core to this consideration. Vendors are increasingly entering the privacy vertical, and Zefo values these entrees. “You need external vendors to choose from who are experts in the space,” comments Zefo. This list is growing, and Zefo believes this is largely due to the rapidly evolving priorities for buyers in the space. Additionally, Zefo views the dynamic between software provider and client as a partnership, pointing to the importance of giving vendors feedback so they can grow the tools in the right direction. Those who can wield technology and work collaboratively with complex in-house corporate legal teams have a real opportunity for professional advancement and enhancement in the privacy space.
“Technology has made a big impact on privacy,” says Zefo, “but it is not just about AI. AI is a very broad term – a true scientist would tell you to clarify.” When it relates to an individual’s personal data, Zefo feels people at a minimum want to know “what is going into our system, so what comes out isn’t bias.” Zefo smartly holds technology and the people who use it to a standard of “people don’t like what they don’t understand.” Thus, marrying transparency with simplicity when describing what technology does with one’s data is paramount to the practice of privacy programs and policies. “Your AI-enabled vacuum is not going to take over the world, but people are rightfully concerned when AI gets fancier,” adds Zefo.
Zefo closes the conversation with a clear example of how consideration of these three pillars of law, customer and technology is demonstrated by a simple Uber user experience. Say an Uber customer is in Tecopa, California, and has a driver picking them up and taking them to Las Vegas, Nevada. The destinations are in different states. How could this affect data regulation? Will an application technology know when or if data generation is created in different states? Are notifications necessary? Will this nuance require any unique user experience differentiation? Should it? “Laws are my job. I have to make sure my company is compliant,” says Zefo, “but that’s not the end of my analysis, especially when you are looking for customers to have a uniform experience.”
A uniform customer experience is a recurring theme among privacy leaders (see previous Coffees with Privacy Pros with CPO Cynthia Van Ort and CPO James Howard) and challenges all privacy pros to stay very in touch, not only with the laws, but with the people who use their service and products every day. The constant need for educational refreshment in these three pillars of privacy, coupled with the move of privacy from corporate to social consciousness, forecasts a high likelihood that privacy as a profession will continue to grow, expand and demand top talent who can keep pace and stay relevant.