Privacy Chiefs Say Patchwork Data Laws Mean Lawyers Must Work Alongside Engineers
By James Rundle
Ensuring compliance with data protection laws has become so
complicated that companies must make room for regulatory and ethics
experts in product engineering processes, privacy executives
These laws can present a potential risk without a clear process
for making sure new products and services comply with them, said
Ruby Zefo, chief privacy officer at ride-hailing company Uber
"I can't tell you how important it is to leverage existing
processes so that your engineers and your product people only have
to go to one place," she said while speaking at the WSJ Risk and
Compliance Forum on Wednesday.
The patchwork of rules governing privacy can range from state
legislation to international laws, such as the European Union's
2018 General Data Protection Regulation, and carry severe
Companies that violate the GDPR, for instance, can face fines of
up to 4% of their global revenue, or EUR20 million ($24 million),
whichever is higher. Certain state laws, including the California
Consumer Privacy Act, also allow individuals to sue companies and
form class-action lawsuits over privacy breaches.
At Uber, Ms. Zefo said, projects undergo a review process where
information is distributed to the appropriate people to ensure
compliance with relevant regulations.
"It comes into a system that will both cover the engineering
side and the legal side," she said.
At financial-services company Visa Inc., the process is similar,
said Kelly Mahon Tullier, the company's chief legal and
administrative officer, at the same event. Privacy and legal
officials are involved from the start of projects, such as those
involving artificial intelligence for antifraud tools, she said.
The team asks questions about what data are involved, which
geographies will be covered and whom engineers are working with to
ensure that the right compliance obligations are met.
"The laws are different in different places, which makes it
challenging," she said. "So all of those tools come through us
regularly, to make sure that we're at the table."
Having legal and privacy personnel involved doesn't mean slowing
innovation, Ms. Zefo said, adding that it can sometimes simplify
For example, Uber deployed a new tool during the pandemic to
ensure that drivers were wearing masks. The initial thought would
have been to use facial-recognition technology, but her team and
the product team quickly realized that a simple selfie submitted to
an object-detection system met the need.
Having legal and privacy staff involved from the start meant
that they were able to build the tool around a shared philosophy,
Ms. Zefo said.
"Let's make it simple, elegant, efficient, and not overly
invasive," she said.
(END) Dow Jones Newswires
May 05, 2021 18:49 ET (22:49 GMT)
Copyright (c) 2021 Dow Jones & Company, Inc.