By James Rundle 

Ensuring compliance with data protection laws has become so complicated that companies must make room for regulatory and ethics experts in product engineering processes, privacy executives say.

These laws can present a potential risk without a clear process for making sure new products and services comply with them, said Ruby Zefo, chief privacy officer at ride-hailing company Uber Technologies Inc.

"I can't tell you how important it is to leverage existing processes so that your engineers and your product people only have to go to one place," she said while speaking at the WSJ Risk and Compliance Forum on Wednesday.

The patchwork of rules governing privacy can range from state legislation to international laws, such as the European Union's 2018 General Data Protection Regulation, and carry severe penalties.

Companies that violate the GDPR, for instance, can face fines of up to 4% of their global revenue, or EUR20 million ($24 million), whichever is higher. Certain state laws, including the California Consumer Privacy Act, also allow individuals to sue companies and form class-action lawsuits over privacy breaches.

At Uber, Ms. Zefo said, projects undergo a review process where information is distributed to the appropriate people to ensure compliance with relevant regulations.

"It comes into a system that will both cover the engineering side and the legal side," she said.

At financial-services company Visa Inc., the process is similar, said Kelly Mahon Tullier, the company's chief legal and administrative officer, at the same event. Privacy and legal officials are involved from the start of projects, such as those involving artificial intelligence for antifraud tools, she said. The team asks questions about what data are involved, which geographies will be covered and whom engineers are working with to ensure that the right compliance obligations are met.

"The laws are different in different places, which makes it challenging," she said. "So all of those tools come through us regularly, to make sure that we're at the table."

Having legal and privacy personnel involved doesn't mean slowing innovation, Ms. Zefo said, adding that it can sometimes simplify projects.

For example, Uber deployed a new tool during the pandemic to ensure that drivers were wearing masks. The initial thought would have been to use facial-recognition technology, but her team and the product team quickly realized that a simple selfie submitted to an object-detection system met the need.

Having legal and privacy staff involved from the start meant that they were able to build the tool around a shared philosophy, Ms. Zefo said.

"Let's make it simple, elegant, efficient, and not overly invasive," she said.

Write to James Rundle at james.rundle@wsj.com

 

(END) Dow Jones Newswires

May 05, 2021 18:49 ET (22:49 GMT)

Copyright (c) 2021 Dow Jones & Company, Inc.