Hi, everyone, and welcome to another one of our ZoomInfo webinars. Today, we're talking about Data Privacy: Compliance Considerations for your GTM Strategy in 2022. Welcome, everybody. Thank you for being here, and thank you for joining us. I'm gonna get into introducing our speakers in just a moment. Wait, hint. We have one really special guest here today, so I'm super excited to have him on, but I'll definitely get into introducing our speakers in just a moment. I wanna cover some housekeeping items before we start. We are presenting these in a variety of different locations, so, but it is a web-based platform. Definitely let us know if you're experiencing any issues with connectivity.
We have a team member on our end that is here to answer those connectivity issues when we can, and utilize the Q&A chat box to let us know if you're experiencing any of those issues. We will do the best we can to correct them for you. Also use that Q&A chat box to let us know if you have any questions for our experts today, our speakers today. We'll be answering them within that Q&A box too, so definitely keep an eye on that. Our answers will come through there. Also we'll have a couple at the end that we'll answer live on the call as well. Also, we will be recording this session, so definitely you'll receive the recording within 48 hours after we conclude today. So definitely keep an eye on your inbox.
We also have a survey and some resources on this audience console for you to check out. We'll mention a couple of those resources throughout the session. Definitely keep a look on that. Keep an eye on those, and fill out the survey. We'd love to do the best we can to better this conversation, better this information for you, and just grow from here. Okay. Our last housekeeping item, as ZoomInfo is a publicly traded company, this presentation may contain forward-looking statements. Any buying decisions you make should be based only upon currently available products and offerings. Our complete Safe Harbor statement is displayed here for your review, but it's also added in that resource list if you'd really like to read the fine print. Definitely check that out. Awesome. All right. Onto the experts. Onto the speakers today.
As you may have noticed on the first slide and in all of our promotional items, we are extremely excited to have our newest member of the ZoomInfo team, our Chief Compliance Officer, Simon McDougall. Thank you so much for being here. Simon is coming to us with more than two decades of international experience in data privacy. Simon will oversee the ZoomInfo compliance function. Simon, thank you so much for being here. Welcome.
Thank you, Rebecca. You make me feel very old.
I'm so sorry to do that to you. Young at heart.
Absolutely.
Awesome. Our other expert today, Derek Smith. He is our Chief Strategy Officer here at ZoomInfo, and Derek is responsible for making sure that ZoomInfo is moving forward with keeping up with leading data and technology solutions. Derek, thank you so much for joining us.
Absolutely.
Awesome. My name is Rebecca Stanton. I am a Demand Gen Manager here on the marketing team. My team is on hand to help in that Q&A chat, so feel free to submit your questions there or let us know if you're experiencing any issues as we go through this presentation. All righty, folks, let's kick this off. Simon, we're gonna start with you. Welcome. What excites you about joining the ZoomInfo team?
Well, it's been a fantastic first two weeks for me at ZoomInfo. I think I've had a lot of fun being a regulator in the Information Commissioner's Office and working with large enterprises as a consultant before that. What really attracts me to ZoomInfo is the opportunity to get closer to the data and to get closer to real innovation in the business. What really impressed me in my conversations with ZoomInfo before I joined was the determination to do things in a great way, but to do it in the right way as well.
A recognition from across the board, not just within compliance and legal, but from Henry, the CEO, through to the sales, the engineering teams, to actually have privacy embedded in the products and recognizing that's a good thing to do, it's the right thing to do, and it actually differentiates what ZoomInfo does on a day-to-day basis. It's fun to be here. It's been a lot of fun so far.
Yes. I can definitely attest that it is fun working here. I've been here for about five years, and to see the evolution of this company and their heavy focus and interest on data and compliance is everything and just making sure that we're growing. We're excited to have you on board. But let's get into the data. Let's get into the privacy. What data and privacy trends do you see coming in this year, 2022?
Well, I'll start with the bad news, which is that the new rules are just going to keep on coming. And that's gonna be a trend over 2022. It's gonna be a trend for the next few years. In the U.S. right now, there's a lot of focus on new state legislation. There's an avalanche there. New rules are pretty fresh in China, in a whole range of parts of the world, starting in areas such as India. Virtually all of this is ramping up existing regulation, often using the European GDPR as a template for all or some of those rules. There are some areas where there may be a bit of a loosening of regulations.
I'm based in the U.K., and there's some consultation in the U.K. right now, which may mean that the U.K.'s version of GDPR post-Brexit is slightly simplified, but it's a pretty marginal change. I think everybody has to accept this is gonna carry on being a trend, and the regulation is going to expand in scope to cover other areas such as online harms, AI regulation, et cetera, et cetera. I think anybody in the technology world, the data world, the online world effectively we have to accept now that, as is the case within financial services, as is the case within medicine, regulation is here to stay. It is table stakes for playing in this space. We just have to really engage with that.
Bad news there, more regulation on the way. The other thing which I see as the long-term trend is ongoing increased end-user awareness in how their data is used, what rights they have, what concerns they have. We are in the middle of a trust crisis. People do not trust what is going on with their data, what organizations do with their data, how their data is handled, and they're asking more questions around how this is going on. Sometimes this is to do with how our children are profiled online. Sometimes it's to do with what our governments are doing. It also ties into what is going on within different organizations, even on a business-to-business conversation. Transparency and building trust in these conversations is gonna be critical.
Wonderful. Derek, anything to add there?
No. I would just double down on what Simon said. You know, I think what's happening in the States, you know, different states are generating their own regulations and that brings complexity to compliance. But Simon knows what's coming in. I think he handled it pretty well there.
Wonderful. Okay, also to you, Derek. When evaluating a data provider, what should organizations be looking for in terms of privacy practices to get comfort in the vendor's processing of data?
That's a great question. You know, something I've noticed is that data providers all over will slap GDPR compliant on their website, right? There is no body that labels a company as GDPR compliant. That is a self-given proclamation. It's quite easy to do, right? You just put it on your website, tell your web designer to do it. You know, when you see that someone says they're GDPR compliant, you know, as someone in sales and marketing or compliance or legal, I would ask, "How are they GDPR compliant?" I would have a minimum understanding of what it generally takes for a data provider to be GDPR compliant, right? Like, you can say you're GDPR compliant, but are you? The GDPR has a lot of different, you know.
The GDPR doesn't try to stifle sales and marketing teams, but they do have a lot of conditions to be able to process data as a data provider or as a sales and marketing team. If they're GDPR compliant, a data provider should be providing notice to the individuals or data subjects in which they are selling the data on, right? They need to give them an opportunity to opt out easily, to be deleted. There are lots of things that GDPR compliant data providers need to do, and, you know, I would pressure test them on whether they're actually doing those things. I would say that's the first thing.
Something we'll get into a little more later is, you know, when you look into a data provider, the effort you put into and the comfort you get around them might even factor into a potential investigation, right? Regulators are looking for you to be thoughtful. Doing the diligence on your data provider is something that matters. You know, if you're careless about picking a data provider, if you pick a data provider that hasn't made a commitment to privacy, you are putting yourself at increased risk.
Yeah. Audience members.
Yeah. I think if you-
Oh, go ahead, Simon. Sorry about that.
No, Rebecca, I was just gonna say that I think we live in such a complicated world now in this respect. In the old days, you had very simple, you know, transfers of data and transfers of services. Now with different data providers, there's an onus on really using partners who are really going to support you and help you manage your own risk and understand what your own risk is and what your own obligations are. It's not really enough to have a clever lawyer on the other side of the table say, "Well, you know, here's a few disclaimers. I mean, operationally, we're okay, that you're okay." It's got to actually be an understanding around, well, our operations are your operations in many ways.
Our data accuracy is your data accuracy, our transparency is your transparency. You need to find providers who really get that you have regulated exposure here, you have reputational exposure here, and they're looking to actually support your own operations.
I'll add one more thing on top of that. You know, I've found that some of our customers in the U.S. that are a little more unfamiliar with privacy regulations, they think that if you use a GDPR compliant data provider, that you're good, you can't violate the GDPR. That's not true, right? You know, we at ZoomInfo, we do everything we do to make sure we are processing data lawfully and according to how the GDPR says we should process data. That doesn't absolve you from processing data lawfully. It is important to understand that compliance doesn't extend to you as a customer. Also, when you have a company or data provider like ZoomInfo that's put so much effort in understanding these laws, it makes it awfully easier for you to comply.
That's another benefit of picking a data provider that really puts a lot of attention into compliance, is that they can teach you or they have resources to help you be compliant yourself.
Wonderful. If you're not taking notes, audience members, definitely start because there's a lot of great information that we're gonna be delivering to you today. If not, well, you'll receive the recording, so you'll definitely have another chance to check this out. Speaking of those regulators, Simon, I wanna shift things over to you. What types of things do regulators look at in the event of potential issues requiring an inquiry?
Now, that is a great question, and it needs a bit of context, Rebecca, 'cause I'll break it into two buckets. If you are unlucky enough to be involved in a mega breach, and there's a huge amount of PII which you held, which has been stolen or lost or encrypted through ransomware, or alternatively, if you have press attention about something you're doing, then the regulators are gonna come knocking, and they're going to be going, "Drill down on your operation, whatever happens." Very often, it's not gonna be one regulator, it's going to be a number of different regulators around the world, and very often different regulators in one country that deal with your sector and deal with privacy, so on and so forth.
There's gotta be some planning for that kind of scenario, which is the kind of mega breach. But then there are other breaches which are just driven by individual complaints, by, you know, by smaller issues, where regulators are going to be looking to filter out where they invest their resources. Now, any regulator is resource constrained in the same way that every organization is resource constrained. When I was at the ICO, we had to decide how we prioritize our work. When a regulator is looking at a particular incident and looking at a particular organization, trying to work out if they want to pursue an investigation, if they want to ask more questions, if they want to go into a formal enforcement process, they're going to be trying to understand a few different things.
They're gonna be interested in whether harm has happened to individuals. That's always gonna be a big factor to think through. Have people actually suffered monetary loss, embarrassment, inconvenience, shame from whatever has happened in this incident? That's always a big question, where is the harm? The other thing they're gonna be very interested in in these everyday breaches is really your first few responses to the questions they ask you about your governance and your controls and how you manage privacy. Because I'll be honest, most of the time you can tell whether an organization is well managed or not by those first few responses. When a regulator asks a question, "Do you have some policies?" That you can say, "Well, here's our policies and governance around this. Here's who's responsible for this in the organization.
Here's the notice that we give around our data processing activities." Do you have those answers ready-made so that you can basically talk the language of the regulator and get back to them? If you have to run around and pull something together, and the ink is still wet on it, and you get an outside lawyer to write a rather complicated letter back to the regulator overnight, that all just smells of confusion and of immaturity, and that'll make the regulator think, "Maybe there's more here than I thought.
Maybe actually, this is not a well-run organization." I think the key thing is if you do have an incident, and, you know, all large organizations and many small organizations will have challenges from time to time, make sure that you're well prepared and you have answers around how you manage things up front so you can address questions quickly.
Wonderful. Okay. A lot of great insight there. Thank you, Simon. Derek, speaking of those challenges, what are challenges that sales and marketing teams face when it comes to complying with privacy regulations?
Well, I think there's quite a few. You know, obviously you have different jurisdictions, right? The way that you handle data from people in California to Mississippi to the U.K. to China, they all have different laws. That can be confusing for a sales and marketing team, first off. You know, add on top of that, a lot of these regulations are ambiguous, right? No regulator goes out there and says, "I wanna make a law that ruins the day for sales and marketers," right? That's not the intent of the regulation. Often, if you read these regulations strictly by the letter of the law, you can feel that way.
There's a lot of ambiguity, and that ambiguity fuels differing interpretations from different types of sales and marketing or from legal and compliance teams, right? One of the challenges is that, you know, one of our customers' legal teams might say, "Oh, no, it's fine to use, you know, calling mobile phones in the U.K." We might have another customer who says that, "Hey, we'd rather our sales team not call mobile phones, only call office lines." Right. Sales and marketing teams are kind of going into the process of using B2B data and leveraging it to fuel revenue, and the rules are sometimes unclear, right? You know, I would say if you're a sales and marketing team, build a strong relationship with your compliance team.
You know, try to get them to understand what you're trying to do. You know, your goal isn't to violate the data rights of a data subject. Your goal is just to generate business for your company, right? There's responsible ways to do that. I think the ambiguity of the laws and the, you know, the general sense in sales and marketing that there are different interpretations about how to use data makes it complicated for a marketer to come into a new job and just really hit go right away. You really have to do the research into how your legal team and compliance team thinks about using data and, you know, what types of data you're processing and to really have a good strategy around using it.
Wonderful. Awesome. Okay. Simon, piggybacking off of that, what, in your opinion, are some best practices that sales and marketing teams should consider or keep in mind when it comes to supporting compliance?
I think one of the key things, this very much is, I think, the other side of the coin to what Derek was saying, is that you don't have to have swallowed the whole rule book in order to be good at privacy within sales and marketing. I would completely echo what Derek was saying in terms of having a really honest and ongoing dialogue with your legal and compliance folk is critical. Sometimes there will be creative tensions there. That's okay. That's healthy. There needs to be discussion. There doesn't have to be a, you know, ongoing, you know, kind of harmony all the time. The ongoing dialogue is key.
When you actually transfer it to people who are front of house and are having sales and marketing conversations and processes every day, every hour, every minute, I think you can bring it back to basic principles. In the end, privacy regulation is about respecting people and respecting people's autonomy, respecting their rights. It's respecting their interests. And so we can all actually sit there and say, "Well, how would we like ourselves to be treated in these situations?" It doesn't have to be an abstract thing. It's, we're not talking about contract law or monopolies. We're talking about people's information. Everybody has their own information. And you can fall back on basic principles around transparency, around notifications and being clear about what you're doing.
Proportionality, just only using the information in the way that it is proportionate rather than just using it willy-nilly and across the board. Questions around personal autonomy and rights and making sure that people, if they want to make changes to their data, they can do. You can bring it back to what you would think you would want to happen to your data and your experience of privacy in the other direction as a consumer and a user, and transfer that onto how you're dealing with data within sales and marketing. That will get you a very long way to being compliant without having to actually ingest, you know, the full range of arcane rules out there.
I would just add on to that, you know, you should also do your diligence and make sure you're finding a good partner for a data provider. You know, that's something that you can slip on, and if you don't take the time to vet your data provider, that could come back to bite you later.
Awesome. That, Simon, that definitely makes me feel better that I don't need to be a pro at compliance. It's definitely a concern that's always sitting in the back of every marketer's mind, so it's nice to hear that. All right, Derek, why don't you wrap us up here. What does ZoomInfo have planned in terms of future product features to continue to stay ahead of the changing privacy landscape?
Yeah. I'm pretty proud of what we've done in the product thus far. You know, salespeople and marketers can filter out individuals who are on the National Do Not Call Registry or the TPS directory in the U.K. That's a good start. We have lots of different customizations in our platform to allow you to use the data you want and not see the data that you don't. We're gonna double down on that and build in extra flexibility into our platform. You know, perhaps your compliance team doesn't want you to use personal emails in Germany, right? That's gonna be something that you can turn off. You can hide that data from your salespeople and marketers. What we're really looking to do throughout the year is build in unmatched customization.
We already have unmatched customization, in my opinion, but we're gonna go another step, and we're gonna let you have, you know, per data point, per jurisdiction, access configurations to make sure that, you know, like I said, different companies have different rules, and they have different standards for what they can do and what they can't. The only way that we can make all of these customers happy and give them the tools that they need and the tools that they want is to build in this type of flexibility. I think that's something that's really important. But also, you know, we're gonna build our international data out there. That's something we invested a lot in in 2021. We're planning on adding, you know, 25 million contacts, 10 million more companies internationally. You know, ZoomInfo started in the U.S. That was our strength.
Over the past couple of years, we've really expanded to offer data in pretty much every corner of the world. You know, as sales and marketing operations get more sophisticated across the world, and they start using automation and start leveraging data more and more data-driven strategies, well, we need to have more data to fuel these go-to-market motions. I'd say data expansion and more customization are two of the top priorities for us that are gonna benefit international customers or, you know, U.S.-based customers who sell internationally. I think both are gonna be really excited about what we're doing there.
Fantastic. Awesome. All right, let's shift into some audience questions. We're gonna answer a couple, over the call here, audience members, but feel free to keep submitting those questions. We have our team that's also answering them as well. This question, Simon, I'm gonna toss to you. Actually, I think both of these are good fits for you. Derek, feel free to put your two cents if you'd like. Okay, so this first one: How do you, I guess, save face, so to speak, if our organization made a data mistake? Will we always be penalized even if it was a mistake?
That's a great question. I'd be worried about if I was going into an organization as a regulator, as a consultant, and I'd be a bit worried about the phrase save face there, Rebecca, 'cause that's almost the one thing you don't want to be thinking about. I think the first thing you want to do is if you've made a data mistake, you should be trying to make sure that you minimize any harm, any disruption to the people who are affected by the mistake. That's the absolute number one rule, and try and do that as quick as possible. Very often it's entirely natural that if you have some kind of issue and it's all blowing up and everyone's calling each other, the first instinct is, "Oh, gosh, how is this gonna affect the company? How is this gonna affect me?
How do we actually? What, where's our reputational risk?" You manage your regulatory risk and your reputational risk, and you do the ethical right thing by thinking first of minimizing the damage to the people who might be damaged by the error. You've got to put that front and center, and that leads on everything else. The second thing then is to think both of your formal regulatory reporting requirements. In many countries, there are security breach regulations and privacy breach regulations. You might have to notify both the regulators and individuals. To look at the rules in your jurisdictions, but then also think about if you had to engage with different stakeholders anyway, and do that sooner rather than later.
Obviously, once you have got the lie of the land, that's the key thing. If you do all that and you have a good governance framework in place, and you can show that this was a one-off incident because you had, you know, in the end, mistakes do happen, things happen, then you really are minimizing the risk of having any major damage from a regulatory point of view. If you look at the big fines and the big breaches out there, it's often where there's been, you know, really big holes in their governance framework or also where they've sat on the issue for a long time and worried about saving face rather than being transparent. Understand the situation, but then bite the bullet and make sure that you're working to minimize harm.
Awesome. Okay, let's see what else we have here. One other question here. Okay. Simon, do you have any sources, books, guides, courses on how to get up to speed on GDPR or any data compliance in general? This person they say that it's starting out. They're starting out to do research on how they can be GDPR compliant, and much of the information on the web is confusing and vague.
Yeah. I think that's entirely fair. I think there's lots of people out there who are amazing lawyers or they're great enthusiasts for this area and they put out a lot of stuff which uses a lot of terminology, assumes a lot of knowledge, and often is, you know, these are people who are arguing with each other about quite abstract concepts. I entirely sympathize with the question and the challenge. I guess three things. Firstly, come to ZoomInfo, ask us questions, come to the website, look at the blogs. We're very keen to continue having a dialogue with everybody about the challenges here, but also what we can do as ZoomInfo to help advise sales and marketing professionals and everybody on what good looks like in this space.
I'm really interested in my first few months here from hearing from folk about what they need in that way. Come to us and tell us what you need. Have a look at our material, but if you don't find what you're looking for, then tell us, and we can work on that. Outside of the exciting ZoomInfo universe, I will put in a plug. I would say this, wouldn't I? The Information Commissioner's Office material, the ICO material, my old place in the U.K., the U.K. privacy regulator, puts out some really good guidance. Traditionally, they have invested a lot in working in plain language and explaining things simply.
They have a range of bits of guidance which go from for smaller organizations and for end users through to larger organizations where there's some more assumed knowledge. I would really look at that suite of guidance, especially for obviously for U.K. GDPR and GDPR in general, but also for good practice in this area. The ICO has lots of good stuff. Then I would also point the folk on the call to the IAPP's website, the International Association of Privacy Professionals, which is a wonderful organization which produces a lot of material with a lot of it freely available, including regular updates and the like. It comes from the privacy professional's viewpoint. It's quite practical, but it can also go in-depth on points and a lot of good commentary there. ZoomInfo, ICO, IAPP.
Wonderful. Awesome. Okay, we're gonna wrap up then there, audience members. Actually, those resources we've added for you, so that's a great question. We added some of those resources already for you in that resource list that I mentioned in the beginning. Also in our survey, there is an open text field. Definitely let us know if there's anything that we can, you know, do better or provide more information on when it comes to privacy and compliance. Definitely fill that out, and let us know, and we will make sure that we are updating all of our information. We also know, you know, if, again, if you haven't had your question answered, we will also follow up with you on that. Last item, recording.
This has been recorded, and we will, you'll receive that recording within 48 hours via email. We'll also add some of those resources that Simon mentioned into that email as well. Definitely keep an eye out for that. Thank you, Simon, and thank you, Derek, for being here. I know that this was a lot of great information, and we will, I'm sure, be having many more of these now that we have Simon on board. I thank you both for joining us today.
Thanks, Rebecca.
Have a great one, everybody.