
When Brittany Rhyne started at Lyft about four years ago, she walked into a program that had buy-in from the top but needed some improvements. The privacy team was doing hundreds of reviews a year, but it was small relative to the rest of the business. It needed to move away from manual work in Google Docs and introduce automation so the privacy team could keep pace with the business as it prepared to go public. It also sought to deepen the relationship between product and privacy.
"We didn't really have the opportunity to build that deep knowledge on a particular product or feature because we were rotating reviews, and we were still working on building those relationships across the teams. It was a little difficult to do. We needed to get the word out about our process and streamline how we performed reviews."
— Brittany Rhyne / Privacy Analyst
THE CHALLENGE
Manual reviews, shallow relationships, and pressure to scale
Privacy reviews were manual and inconsistent
Reviews were conducted in Google Docs and assigned round-robin, so they varied from analyst to analyst. One person might write a novel, while another might jot notes. The result was recommendations that varied with the reviewer.
Product and privacy lacked deep relationships
Collaboration happened mainly through reviews. While the company had recently introduced public Slack channels and "privacy consults" where the team could answer one-off questions, the teams didn't yet have deep relationships. "People just didn't necessarily know how to get to us," Rhyne said.
Privacy needed to scale to keep up with the business
With an eye toward going public, Lyft needed to launch new products and features as quickly as possible, so there was a strong emphasis on speed.
"This really presented a unique opportunity for the privacy program. We wanted to show that we shared that core tenet, and that by coming through our process, teams would not only be guided through an efficient review, but they'd also be saving a lot of time in the long run. If we were going to scale we needed to introduce some automation into our process to take the burden off of the team and focus our attention on the highest levels of risk."
— Brittany Rhyne / Privacy Analyst
THE SOLUTION
A tool that works out of the box and meets teams where they already work
Lyft identified three focus areas any tool would have to address:
Visibility
The privacy team needed more visibility outside of the company-wide tech spec template. It needed advocates and awareness to help the company embody the message that "privacy is everyone's responsibility."
Scaling
The team needed to produce reviews that were more consistent and focused on areas of high risk.
Metrics
The team needed to demonstrate its outputs, which was difficult to do with reviews that weren't queryable. "We needed to figure out what measurements provided the clearest picture of what we do," Rhyne said.
How Lyft evaluated tools
Once the team identified areas for improvement, it started evaluating privacy operations tools. It needed a tool that could fit seamlessly into its existing process (which started and ended in Jira), wouldn't add time for stakeholders, mirrored how stakeholders operated, would be compatible with existing systems, and would allow the team to generate custom reports.
"We did not have the bandwidth to sign on for high maintenance costs, so this ruled out other solutions that operated more like customizable workflow builders. The feature to create custom reports was important to us, because we were still honing in on the best way to represent our team's outputs."
— Brittany Rhyne / Privacy Analyst
After going through an RFP with four different vendors, the team, the CISO, and other leadership decision-makers decided TerraTrue would best fit its needs.
"We justified the cost of a privacy operations tool as a core piece of this work. If we can scale the fundamentals of our program, that frees up the team to focus on strategic efforts as well."
— Brittany Rhyne / Privacy Analyst
Why Lyft chose TerraTrue
The decision came down to taking a realistic look at what the team had bandwidth for, not only regarding initial setup, but any ongoing maintenance.
"We are all very familiar with how frequently new privacy laws and regulations come out. To keep pace with that and make sure that you're capturing all that relevant information in your reviews is really difficult for a small team if you have a tool that constantly needs manual updating, versus something that works out of the box. So that was a key factor for us."
— Brittany Rhyne / Privacy Analyst
The team also valued TerraTrue's integrations and "being able to not have to change the way people work." It did not want a customizable workflow builder, which would have meant too much manual upkeep.
THE IMPLEMENTATION
Embedding privacy into Jira and socializing the process
It was important for the tool to meet stakeholders where they were: Jira.
"This meant integrating our process in Jira and mirroring the way these partner teams worked."
— Brittany Rhyne / Privacy Analyst
The team built out its project as a "help desk" in Jira, adopting the same SLA metrics that other help desks use, like time-to-acknowledge new tickets and time-to-closure. They set up an on-call rotation for the analyst team "similar to the eng teams we support," so if a question arose in a public Slack channel, there was a clear point person who could help.
The privacy team developed automations to triage launches based on a "feeder question" that would determine if the launch contained changes with significant privacy implications.
To ease implementation, the privacy team reached out to collaborating teams to socialize the process, articulate the benefits, and assure stakeholders they could get through implementation quickly. In debriefs, the team focused on the "where, when, and why" of the review process, including small things like an easy-to-remember go link, an accessible landing page from Jira, and public, conspicuously named Slack channels.
THE RESULTS
Visibility, stronger relationships, and meaningful metrics
Increased visibility early on
Rolling out the process to Lyft's teams "really emphasized relationship building within privacy, encouraging the privacy analysts to form those connections in other organizations, and empowering those individuals with being advocates."
An improved relationship between product and privacy
"There is a really positive relationship between our teams. Privacy has worked on showing how we enable the business through this proven commitment to reducing the review burden on the product and eng teams, and improving our transparency throughout the process by providing upfront SLAs."
Privacy and security reviews achieve economies of scale
Lyft's intake system merges privacy and security, creating identical Jira tickets for both. Any time a ticket mentions data sharing, the third-party risk team joins to ensure there's already a review completed. "It's definitely more seamless than when we had separate intake processes altogether, because then we were missing things," Rhyne said.
The ability to produce deliverable, meaningful metrics
Lyft's privacy team now reports on two main metrics: the trend in reviews' risk levels, and SLA performance. When the team reports on risk, it looks at how many tickets were identified as P0, the highest level of risk, and compares that to the previous quarter. For SLAs, Lyft tracks time-to-acknowledge and time-to-closure, and found that overdue reviews were often the result of the requesting team needing to track down answers, not of privacy delays. The team implemented a "freeze" tag that pauses the SLA timer while a ticket waits on the requester, greatly improving reporting accuracy.
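Mechanically, a freeze tag is an interval that is subtracted from the closure clock but not from the acknowledgement clock, since time-to-acknowledge measures the privacy team's own responsiveness. The following is an added example, not code from Lyft or TerraTrue, that models such a clock over a ticket's event history and shows how many closures an overdue report would count with and without the freeze adjustment. The event names (`created`, `acknowledged`, `freeze`, `unfreeze`, `closed`), the SLA thresholds and the sample tickets are constructed for illustration and are not Lyft's actual values.

```python
"""Review-queue SLA clock with a 'freeze' tag that pauses the closure timer.

Added example (not Lyft's or TerraTrue's code). Event names, thresholds
and ticket data are assumptions made for illustration.
"""
from datetime import datetime
from typing import Optional

ACK_SLA_HOURS = 24          # assumed threshold, not Lyft's actual SLA
CLOSE_SLA_HOURS = 5 * 24    # assumed threshold, not Lyft's actual SLA


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def frozen_seconds(events, start: datetime, end: datetime) -> float:
    """Seconds inside [start, end] during which a freeze was active.

    Freezes may be toggled more than once. A 'freeze' with no matching
    'unfreeze' runs until `end` (the ticket is still waiting on the requester).
    """
    total = 0.0
    freeze_start = None
    for ts, event in events:
        t = _parse(ts)
        if event == "freeze" and freeze_start is None:
            freeze_start = max(t, start)
        elif event == "unfreeze" and freeze_start is not None:
            total += max((min(t, end) - freeze_start).total_seconds(), 0.0)
            freeze_start = None
    if freeze_start is not None:
        total += max((end - freeze_start).total_seconds(), 0.0)
    return total


def sla_metrics(events, now: Optional[str] = None) -> dict:
    """Per-ticket SLA figures in hours.

    Time-to-acknowledge stays on the wall clock: a freeze should not excuse
    a slow first response. Time-to-closure is reported both raw and with
    frozen time removed, so the effect of the tag on overdue counts is visible.
    An open ticket needs `now` to measure elapsed time.
    """
    events = sorted(events, key=lambda e: _parse(e[0]))
    stamps = {event: _parse(ts) for ts, event in events
              if event in ("created", "acknowledged", "closed")}
    created = stamps["created"]
    end = stamps.get("closed") or (_parse(now) if now else None)
    if end is None:
        raise ValueError("open ticket needs `now` to measure elapsed time")

    metrics = {"closed": "closed" in stamps}
    if "acknowledged" in stamps:
        ack_h = (stamps["acknowledged"] - created).total_seconds() / 3600
        metrics["time_to_ack_h"] = ack_h
        metrics["ack_sla_met"] = ack_h <= ACK_SLA_HOURS

    wall_h = (end - created).total_seconds() / 3600
    active_h = wall_h - frozen_seconds(events, created, end) / 3600
    metrics["wall_clock_h"] = wall_h
    metrics["time_to_close_h"] = active_h
    metrics["close_sla_met_wall_clock"] = wall_h <= CLOSE_SLA_HOURS
    metrics["close_sla_met"] = active_h <= CLOSE_SLA_HOURS
    return metrics


def overdue_counts(tickets, now: str):
    """(overdue by wall clock, overdue with freezes excluded) over closed tickets."""
    wall = active = 0
    for events in tickets:
        m = sla_metrics(events, now)
        if not m["closed"]:
            continue
        wall += not m["close_sla_met_wall_clock"]
        active += not m["close_sla_met"]
    return wall, active


# Constructed sample tickets (ISO-8601 timestamps, all in one time zone).
TICKET_A = [  # requester took six days to answer; the review itself took two
    ("2024-03-04T09:00", "created"),
    ("2024-03-04T11:00", "acknowledged"),
    ("2024-03-05T09:00", "freeze"),
    ("2024-03-11T09:00", "unfreeze"),
    ("2024-03-12T09:00", "closed"),
]
TICKET_B = [  # no freeze, closed within SLA
    ("2024-03-06T10:00", "created"),
    ("2024-03-06T12:30", "acknowledged"),
    ("2024-03-08T10:00", "closed"),
]
TICKET_C = [  # still open and still frozen
    ("2024-03-01T08:00", "created"),
    ("2024-03-01T09:00", "acknowledged"),
    ("2024-03-04T08:00", "freeze"),
]
TICKETS = [TICKET_A, TICKET_B, TICKET_C]

if __name__ == "__main__":
    for t in TICKETS:
        print(sla_metrics(t, now="2024-03-15T08:00"))
    print("overdue (wall clock, freeze-adjusted):",
          overdue_counts(TICKETS, "2024-03-15T08:00"))
```

Ticket A is the case the text describes: eight days on the wall clock, of which six were spent waiting on the requesting team, so it is overdue against a five-day SLA only if the frozen interval is counted. Whatever system records the events, the check worth keeping is that a freeze is applied only while the ticket is genuinely blocked on the requester; otherwise the tag turns into a way to hide the privacy team's own delays, and the SLA report loses the credibility it was meant to earn.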
"I measure our success through our impact on the products and features and through upholding our user promise that is the privacy policy. Through our SLAs we can prove that we are not slowing down this development, and through the risk tiering of reviews we can demonstrate how we are mitigating these risks to the business."
— Brittany Rhyne / Privacy Analyst
"Privacy gained the visibility and awareness it sought and was able to evangelize that privacy is everyone's responsibility. We are here to guide, but without the support of the product and eng teams, this is not achievable."
— Brittany Rhyne / Privacy Analyst
KEY TAKEAWAYS
Brittany's tips for privacy teams
→ Set clear timelines upfront. "We really state to teams, up front, when we want them to come to us. And for us, that's at least three weeks before launch. This allows us to adequately dig in, get the details, and gives them some cushion if we do have a change that needs to be made."
→ Document risk acceptances thoroughly. "I always feel like you need a little bit of paranoia to be a good privacy analyst. If we provide a recommendation and they don't want to go forward with it, sometimes that's totally fine, but we do need to just capture the reasons why."
→ Meet engineering where they work. "Jira can be a bit intimidating at first, especially if you are more accustomed to tracking your work through spreadsheets. But once you learn how to use it there are a lot of really powerful tools and automations that can help to streamline your processes."
→ Choose a tool that works out of the box. Lyft ruled out customizable workflow builders because the ongoing maintenance was too much for a small team. A tool that keeps pace with new regulations without manual updating was a key factor.
→ Use SLAs to prove privacy isn't the bottleneck. Tracking time-to-acknowledge and time-to-closure lets the privacy team show leadership that reviews aren't slowing development.

