Nishant Bhajaria, Head of Privacy Engineering and Governance at Uber, joins BigIDeas on the Go to discuss privacy by design, how companies should think about privacy engineering to stay prepared for upcoming regulations, and his new runbook on privacy.

Privacy Controls: From Reactive to Proactive

From Nike to Netflix to Google to Uber, Bhajaria’s journey in the privacy domain has taught him a tremendous amount about privacy engineering — enough for him to write the proverbial book on privacy by design.

“We were doing a lot of good work at Nike,” says Bhajaria about his early days in privacy, “but fundamentally, the field was seen as more reactive.” At the time, the attitude was largely a “let’s stop bad stuff from happening” approach — instead of one that considered privacy from the outset.

Since then, Bhajaria has been guided by a need to “shift left,” bringing privacy closer to the customer — and not pushing deletion and privacy controls to the tail end of the process.

“We’re trying to make sure that we catch designs and specs early in the process. We’re trying to categorize data early. We’re trying to get a sense of how do we make sure that the user is at the end of our thinking process — and at the very, very beginning before data even comes into the company.” That means “a lot more automation, a lot more dashboarding, and a lot more working with the policy legal teams.”

GDPR and the Evolution of Privacy by Design

Ever since GDPR coined the phrase “privacy by design” — or baking privacy into everything you do — the concept has remained somewhat “open-ended,” according to Bhajaria. And initially, “that’s how it was supposed to be,” he attests. “It was interpreted to mean that, before something goes out the door, let’s make sure privacy is part of the actual design.”

Bhajaria takes a more proactive approach. “What we’ve done over the course of time — especially what we are doing at Uber right now — is making sure that privacy controls are part of the design before something is conceived.”

Privacy by design has a practical application that keeps department heads accountable and prevents legal teams from becoming the resident bad guys who just keep products from seeing the light of day.

“When engineers and product managers across the company build something, when it’s a whiteboard idea, my team goes and talks to them and makes sure that we embed our controls into their architecture,” says Bhajaria. “Additionally, my team writes tools and controls for deletion, extraction, and consent. We write central tools that engineers across the company can use.”

Building Privacy Tools Across the Company

In Bhajaria’s experience, “engineers are not going to make privacy by design decisions when you just tell them. They simply don’t have that kind of time.”

It’s crucial for companies to put their “internal energy and resources” into understanding policy requirements and having the right tools and technology in place to account for them — and scale.

“Having tooling, having dashboards, having controls, having standards, having guidance sessions, having resources available across the development pipeline is what privacy by design really means,” says Bhajaria.

Check out the full podcast to hear more about Bhajaria’s expertise and advice for companies — including how to account for the growing variation in regulations and other changes to the regulatory landscape.