ZoomInfo Technologies Inc. (GTM) Earnings Call Transcript & Summary

February 3, 2022

NASDAQ US Communication Services Interactive Media and Services special 29 min

Earnings Call Speaker Segments

Rebecca Stanton

executive
#1

Hi, everyone, and welcome to another one of our ZoomInfo webinars. Today, we're talking about data privacy, compliance considerations for your DTM strategy in 2022. So welcome, everybody. Thank you for being here, and thank you for joining us. I'm going to get into introing our speakers in just a moment, hint, hint, we have one really special guest here today. So I'm super excited to have him on, but I'll definitely get into introing our speakers in just a moment. I want to cover some housekeeping items before we start. So we are presenting these in a variety of different locations. So -- but it is a web-based platform. So definitely let us know if you're experiencing any issues with connectivity. We have a team member on our end that is here to answer those connectivity issues when we can and utilize the Q&A chat box to let us know if you're experiencing any of those issues. We will do the best we can to correct them for you. Also use that Q&A chat box to let us know if you have any questions for our experts today, our speakers today. We'll be answering them within that Q&A box to you. So definitely keep an eye on that. Your responses will -- our answers will come through there. But also we'll have a couple at the end that we'll answer live on the call as well. Also, we will be recording this session. So definitely, you'll receive the recording within 48 hours after we conclude today. So definitely keep -- as well, keep an eye on your inbox. We also have a survey and some resources on this audience console for you to check out. I'll mention a couple of those resources throughout the session. And definitely keep a look on that -- keep an eye on those and fill out the survey. We'd love to do the best we can to better this conversation, better this information for you and just grow from here. Okay. Our last housekeeping item, ZoomInfo is a publicly traded company. This presentation may contain forward-looking statements. 
Any buying decisions you make should be based only upon currently available products and offering. Our complete safe harbor statement is displayed here for your review, but it's also added in that resource list if you really like to read the fine print. So definitely check that out. Awesome. All right. So on to the experts, on to the speakers today. So as you may have noticed on the first slide and in all of our promotional items, we are extremely excited to have our newest member of the ZoomInfo team, our Chief Compliance Officer, Simon McDougall, thank you so much for being here. Simon is coming with -- to us with more than 2 decades of international experience in data privacy. Simon will oversee the ZoomInfo compliance function. So Simon, thank you so much for being here and welcome.

Simon McDougall

executive
#2

Thank you, Rebecca. You're making me feel very old.

Rebecca Stanton

executive
#3

I'm so sorry to do that to you, but young at heart, I'm sure. Awesome. Our other expert today, Derek Smith, he is our Chief Strategy Officer here at ZoomInfo and Derek is responsible for making sure that ZoomInfo is moving forward with keeping up with leading data and technology solutions. So Derek, thank you so much for joining us.

Derek Smith

executive
#4

Absolutely.

Rebecca Stanton

executive
#5

Awesome. And my name is Rebecca Stanton. I'm a demand gen manager here on the marketing team. I also -- my team is on to help in that Q&A chat. So feel free to submit your questions there or let us know if you're experiencing any issues as we go through this presentation. All right, folks, let's kick this off. So Simon, we're going to start with you.

Rebecca Stanton

executive
#6

Welcome. What excites you about joining this ZoomInfo team?

Simon McDougall

executive
#7

Well, it's been a fantastic first 2 or 3 weeks for me at ZoomInfo. I think I had a lot of fun being a regulator at the Information Commissioner's Office and working with large enterprises as a consultant before that. But what really attracted me to ZoomInfo is the opportunity to get closer to the data and to get closer to real innovation in the business. And what really impressed me in my conversations with ZoomInfo before I joined was the determination to do things in a great way, but to do it in the right way as well. And recognition from across the board, not just within compliance and legal, but from Henry, the CEO, through to the sales, the engineering teams to actually have privacy embedded in the products and recognizing that's a good thing to do, it's the right thing to do, and it actually differentiates what ZoomInfo does on a day-to-day basis. So it's fun to be here. It's been a lot of fun so far.

Rebecca Stanton

executive
#8

Yes. I can definitely attest that it is fun working here. I've been here for about 5 years. And to see the evolution of this company and their heavy focus and interest on data and compliance is everything and just making sure that we're growing. So I definitely -- we're excited to have you on board. But let's get into the data. Let's get into the privacy. So what data and privacy trends do you see coming in this year, 2022?

Simon McDougall

executive
#9

Well, I'll start with the bad news, which is that the new rules are just going to keep on coming, and that's going to be a trend over 2022. It's going to be a trend for the next few years. So in the U.S. right now, there's a lot of focus on new state legislation. There's an avalanche there. Got new rules, pretty fresh, in China. I mean a whole range or parts of the world, [ stuff pending ] areas such as India. And virtually all of this is ramping up existing regulation, often using the European GDPR as a template for all or some of those rules. There are some areas where there may be a bit of a loosening of regulations. So I'm based in the U.K. and there's some consultation in the U.K. right now, which may mean that the U.K.'s version of GDPR post-Brexit, it is slightly simplified. But it's a pretty marginal change. So I think everybody has to accept this is going to carry on being a trend. And the regulation is going to expand in scope to cover other areas such as online harms, AI regulation, et cetera, et cetera. I think anybody in the technology world, the data world, the online world, effectively, we have to accept now that as is the case within financial services, as is the case within medicine, regulation is here to stay. It's table stakes for playing in this space. And we just have to really engage with that. So bad news there, more on regulation on the way. The other thing which I see as the long-term trend is ongoing increased end-user awareness in how their data is used, what rights they have, what concerns they have. We are in the middle of a trust crisis. So people do not trust what is going on with their data, what organizations do with their data, how their data is handled. And they're asking more questions around there on how it's going on. 
And sometimes, this has to do with how our children are profiled online, sometimes it's to do with what our governments are doing, but it also ties into what is going on within different organizations, even on a business-to-business conversation. So transparency and building trust in this conversation is going to be critical.

Rebecca Stanton

executive
#10

Wonderful. Derek, anything to add there?

Derek Smith

executive
#11

No, I would double down on what Simon said. I think what's happening in the states, different states are generating their own regulations, and that brings complexity to compliance. But Simon knows what's coming and I think he handled it pretty well there.

Rebecca Stanton

executive
#12

Wonderful. Okay. So also to you, Derek, what -- when evaluating a data provider, what should organizations be looking for in terms of privacy practices to get comfort in the vendor's processing of data?

Derek Smith

executive
#13

That's a great question. Something I've noticed is that data providers all over will slap GDPR compliant on their website, right? There is no body that labels a company is GDPR compliant. That is a self-given proclamation. And it's quite easy to do, right? You just put it on your website, tell your web designer to do it. And so when you see that someone says they're GDPR compliant, as someone in sales and marketing or compliance or legal, I would ask how are they GDPR compliant. And I would have a minimum understanding of what it generally takes for a data provider to be GDPR compliant, right? Like you can say you're GDPR compliant, but are you? The GDPR has a lot of different -- the GDPR doesn't try to stifle sales and marketing teams, but they do have a lot of conditions to be able to process data as a data provider or as a sales and marketing team. And so if they're GDPR-compliant, the data providers should be providing notice to the individuals or data subjects in which they are selling the data on, right? They need to give them an opportunity to opt out easily to be deleted. There are lots of things that GDPR compliant data providers need to do and I would pressure test them on whether they're actually doing those things. So I would say that's the first thing. Something we'll get into a little more later is when you look into a data provider, the effort you put into and the comfort you get around them might even factor into a potential investigation, right? Regulators are looking for you to be thoughtful. And doing the diligence on your data provider is something that matters. If you're careless about picking a data provider, if you pick a data provider that hasn't made a commitment to privacy, you are putting yourself at increased risk.

Rebecca Stanton

executive
#14

Yes. So audience members if you were not -- go ahead, Simon. Sorry about that.

Simon McDougall

executive
#15

No, Rebecca. I was just going to say that, I think we live in such a complicated world now in this respect. In the old days, you had very simple transfer of data and transfers of services. Now with different data providers, there's [indiscernible] really using partners who are really going to support you and help you manage your own risk and understand what your own risk is and what your own obligations are. It's not really enough to have a clever lawyer on the other side of the table, say, well, here's a few disclaimers, I mean, operationally, we're okay, that you're okay. It's got to actually be an understanding around, well, our operations are your operators in many ways; our data accuracy is your data accuracy; our transparency is your transparency. So you need to find providers who really get that you have regulatory exposure here, you have reputational exposure here, and they're looking to actually support through own operations.

Derek Smith

executive
#16

I'll add one more thing on top of that. I've found that some of our customers in the U.S., they are a little more unfamiliar with privacy regulations. They think that if you use a GDPR-compliant data provider, then you're good. You can't violate the GDPR. And that's not true, right? So we, at ZoomInfo, we do everything we do to make sure we are processing data lawfully and according to how the GDPR says we should process data, but that doesn't absolve you from processing data lawfully. And so it is important to understand that, that compliance doesn't extend to you as a customer. But also when you have a company or a data provider like ZoomInfo that puts so much effort in understanding these laws, it makes it awfully easier for you to comply. So that's another benefit of picking a data provider that really puts a lot of attention into compliance, it's that they can teach you or they have resources to help you be compliant yourself.

Rebecca Stanton

executive
#17

Wonderful. So if you're not taking notes, audience members, definitely start because there's a lot of great information that we're going to be delivering to you today. So -- and if not, well, you'll receive the recording. So you'll definitely have another chance to check this out. Speaking of those regulators, Simon, I want to shift things over to you. What types of things do regulators look at in the event of potential issues requiring an inquiry?

Simon McDougall

executive
#18

Now that is a great question, and it needs a bit of context, Rebecca because I'll break it into 2 buckets. If you are unlucky enough to be involved in a mega breach, and there's a huge amount of PII which you held, which has been stolen or lost or encrypted through ransomware, or tend to be if you have press attention about something you're doing, then the regulators are going to come knocking. And they're going to be going drains up on your operation whatever happens. And very often, it's not going to be one regulator, it's going to be a number of different regulators around the world and very often different regulators in one country that deal with you or your sector and do privacy so and so forth. So there's going to be some planning for that kind of scenario, which is the kind of the mega breach. But then there are other breaches which are just driven by individual complaints, by smaller issues, where regulators are going to be looking to filter out where they invest their resources. Now any regulator is resource constrained in the same way that every organization is resource constrained. And when I was at the ICO, we had to decide how we prioritized our work. And so when a regulator is looking at a particular incident and looking at a particular organization trying to work out if they want to pursue an investigation, if they want to ask more questions, if they want to go into a formal enforcement process, they're going to be trying to understand a few different things. They're going to be interested in whether harm has happened to individuals, that's always going to be a big factor. So think through have people actually suffered monetary loss, embarrassment, inconvenience, shame from whatever has happened in this incident. That's always a big question, where is the harm. 
The other thing they're going to be very interested in these everyday breaches is really your first few responses to the questions they ask you about your governance and your controls and how you manage privacy because I'll be honest, most of the time, you can tell whether an organization is well managed or not by those first few responses. So when a regulator asks the question, do you have some policies that you're going to say, well, here is our policies and governance around this. Here who's usually responsible for this in the organization. Here is the notice that we give around our data processing activities. Do you have those answers really made so that you can basically talk the language of the regulator and get back to them? If you have to run around and pull something together and the ink is still wet on it and you get an outside lawyer to write a rather complicated letter back to the regulator overnight, that will just smell of confusion and of immaturity and they'll make the regulator think maybe there's more here than I thought. Maybe actually, this is not a well-run organization. So I think the key thing is if you do have an incident, and all large organizations and many smaller organizations will have challenges from time to time, make sure that you're well prepared and you have answers around how you manage things upfront so you can address questions quickly.

Rebecca Stanton

executive
#19

Wonderful. Okay. A lot of great insight there. Thank you, Simon. Derek, speaking of those challenges, what are challenges that sales and marketing teams face when it comes to complying with privacy regulations?

Derek Smith

executive
#20

Well, I think there's quite a few. Obviously, you have different jurisdictions, right? So the way that you handle data from people in California, to Mississippi, to the U.K., to China, they all have different, different laws. And so that can be confusing for a sales and marketing team first off. And add on top of that, a lot of these regulations are ambiguous, right? So no regulator goes out there and says, I want to make a law that ruins the day for sales and marketers, right? That's not the intent of the regulation. But often, if you read these regulations strictly by the letter of the law, you can feel that way. And so there's a lot of ambiguity and that ambiguity fuels differing interpretations from different types of sales and marketing -- or from legal and compliance teams, right? So one of the challenges is that one of our customers' legal teams might say, "Oh, no, it's fine to use -- calling mobile phones in the U.K." And we might have another customer who says that, "Hey, we'd rather our sales team not call mobile phones, only call office lines, right?" And so sales and marketing teams are kind of going into the process of using B2B data and leveraging it to fuel revenue. And the rules are sometimes unclear, right? And so there, I would say, if you're a sales and marketing team, build a strong relationship with your compliance team, understand -- try to get them to understand what you're trying to do. You're not -- your goal isn't to violate the data rights of a data subject, your goal is just to generate business for your company, right? There's responsible ways to do that. So I think the ambiguity of the laws and the general sense in sales and marketing that there are different interpretations about how to use data makes it complicated for a marketer to come into a new job and just really hit go right away. 
You really have to do the research into how your legal team and compliance team thinks about using data and what types of data you're processing and to really have a good strategy around using it.

Rebecca Stanton

executive
#21

Wonderful. Awesome. Okay. So Simon, piggybacking off of that, what in our opinion are some best practices that sales and marketing teams should consider? Or keep in mind when it comes to supporting compliance?

Simon McDougall

executive
#22

So I think one of the key things, this very much actually is, I think, the other side of the coin to what Derek was saying is that, you don't have to have swallowed the whole rule book in order to be good at privacy within sales and marketing. I would completely echo what Derek was saying in terms of having a really honest and ongoing dialogue with your legal and compliance folk is critical. Sometimes there will be creative tensions there. That's okay. That's healthy. There needs to be discussion. It doesn't have to be ongoing kind of harmony all the time, but the ongoing dialogue is key. But when you actually transfer it to people who are front of house and are having sales and marketing conversations and processes every day, every hour, every minute, I think you can bring it back to basic principles. In the end, privacy regulation is about respecting people and it's respecting people's autonomy, it's respecting their rights, it's respecting their interests. And so we can all actually sit there and say, well, how would we like ourselves to be treated in these situations? It doesn't have to be an abstract thing. We're not talking about contract law, [ monopolies, ] talking about people's information. Everybody has their own information. And you can pull back on basic principles around transparency, around notifications and being clear about what we're doing. On proportionality, just only using the information in the way that it is proportionate rather than just using it willy nilly and across the board. And questions around personal autonomy and rights and making sure that people who want to make a change to their data, they can do. So you can bring it back to what you think you would want to happen to your data and your experience of privacy in the other direction as a consumer and a user and transfer them to how you're dealing with data within sales and marketing. 
And that will get you a very long way to being compliant without having to actually ingest the full range of arcane rules out there.

Derek Smith

executive
#23

And I would just add -- I would add on to that, you should also do your diligence and make sure you're finding a good partner for a data provider. That's something that you can slip on. And if you don't take the time to vet your data provider, that can come back to bite you later.

Rebecca Stanton

executive
#24

Awesome. That -- Simon, that definitely makes me feel better that I don't need to be a pro at compliance. It's definitely a concern that's always sitting in the back of every marketer's mind. So it's nice to hear that. All right, Derek, why don't you wrap us up here, what does ZoomInfo have planned in terms of future product features to continue to stay ahead of the changing privacy landscape?

Derek Smith

executive
#25

Yes. So I'm pretty proud of what we've done in the product thus far. Salespeople and marketers can filter out individuals who are on the U.S. do-not-call list or the TPS directory in the U.K. That's a good start. We have lots of different customizations in our platform to allow you to use the data you want and not see the data that you don't. We're going to double down on that and build an extra flexibility into our platform. So perhaps your compliance team doesn't want you to use personal e-mails in Germany, right? That's going to be something that you can turn off, you can hide that data from your salespeople and marketers. And so what we're really looking to do throughout the year is building unmatched customization. We already have unmatched customization in my opinion. But we're going to go another step and we're going to let you have per data point, per jurisdiction access configurations to make sure that -- like I said, different companies have different rules and they have different standards for what they can do and what they can't. And the only way that we can make all of these customers happy and give them the tools that they need and the tools that they want is to build in this type of flexibility. So I think that's something that's really important. But also, we're going to build our international data out there. That's something we invested a lot in 2021. We're planning on adding 25 million contacts, 10 million more companies internationally. ZoomInfo started in the U.S., that was our strength. But over the past couple of years, we've really expanded to offer data in pretty much every corner of the world. And so as sales and marketing operations get more sophisticated across the world, and they start using automation and start leveraging data more and more data-driven strategies, well, we need to have more data for it to fuel these go-to-market motions. 
So I'd say data expansion and more customization are 2 of the top priorities for us that are going to benefit international customers or U.S.-based customers who sell internationally. I think both are going to be really excited about what we're doing there.

Rebecca Stanton

executive
#26

Fantastic. Awesome. All right. So let's shift into some audience questions. We're going to answer a couple over the call here, audience members, but feel free to keep submitting those questions. We have our team that's also answering them as well. So this question is, Simon, I'm going to toss it to you. Actually, I think both of these are good fits for you. But Derek, feel free to put your two cents, if you'd like. Okay. So this first one, how do you, I guess, save face, so to speak, if our organization made a data mistake? Will we always be penalized even if it was a mistake?

Simon McDougall

executive
#27

That's a great question. I'd be worried about -- if I was going to an organization as a regulator, as a consultant, and I'd be a bit worried about the phrase "save face" there, Rebecca, because that's almost the one thing you don't want to be thinking about. I think the first thing you want to do is if you have made a data mistake, you should be trying to make sure that you minimize any harm, any disruption to the people who are affected by the mistake. That's the absolute #1 rule and trying to do it as quick as possible. And very often, it's entirely natural that if you have some kind of issue and it's all blowing up, and everyone's calling each other -- the first instinct is, oh, gosh, how is this going to affect the company? How is this going to affect me? How do we actually -- where is our reputation risk? You manage your regulatory risk and reputational risk and you do the ethical right thing by thinking first of minimizing the damage to the people who might be damaged by the error. So you've got to put that front and center, and that leads on everything else. The second thing then is to think both of your formal regulatory reporting requirements -- in many countries, there are security breach regulations and privacy breach regulations. You might have to notify both the regulators and individuals. So look at the rules in your jurisdictions, but then also think about if you had to engage with different stakeholders anyway and do that sooner rather than later, but obviously, once you have got the lay of the land. So that's the key thing. If you do all that and you have a good governance framework in place and you can show that this was a one-off incident because you have -- in the end, mistakes do happen, things happen, then you really are minimizing the risk of having any major damage from a regulatory point of view. 
And if you look at the big fines and the big breaches out there, it's often where there's been really big holes in their governance framework, or also where they've sat on the issue for a long time and worried about saving face rather than being transparent. So understand the situation, but then bite the bullet and make sure that you're working to minimize harm.

Rebecca Stanton

executive
#28

Awesome. Okay. Let's see what else we have here. So one other question here. Okay, Simon, do you have any sources, books, guides, courses on how to get up to speed on GDPR or any data compliance in general? It seems like when I see here, this person, they say that it's starting out -- they're starting out to do research on how they can be GDPR-compliant and much of the information on the web is confusing and vague.

Simon McDougall

executive
#29

I think that's entirely fair. I think there's lots of people out there who are amazing lawyers or they're great enthusiasts for this area, and they put out a lot of stuff, which uses a lot of terminology, assumes a lot of knowledge. And often, it's -- these are people who are arguing with each other about quite abstract concepts. So entirely sympathize with the question and the challenge. I guess 3 things. Firstly, come to ZoomInfo, ask us questions, come to the website, look at the blogs. And we're very keen to continue having a dialogue with everybody about the challenges here, but also what we can do at ZoomInfo to help advise sales and marketing professionals and everybody on what good looks like in this space. And I'm really interested in my first few months here from hearing from folks about what they need in that way. So come to us and tell us what you need, have a look at our material, but if you don't find what you're looking for, then tell us and we can work on that. Outside of the exciting ZoomInfo universe, I will put a plug in, I would say this, wouldn't I, about the Information Commissioner's Office material or the ICO material, or my old place in U.K. -- the U.K. Privacy Regulator puts out some really good guidance. Traditionally, they have invested a lot in working in plain language. And so -- and explaining things simply. And they have a range of its guidance to go for smaller organizations and for end users through to larger organizations where there's some more assumed knowledge. So I would really look at that suite of guidance, but especially for -- obviously, for U.K. GDPR and GDPR in general, but also for good practice in this area. The ICO has lots of good stuff. 
And then I would also point the folk on the call to the IAPP's website, the International Association of Privacy Professionals, which is a wonderful organization which produces a lot of material with a lot of it freely available, including regular updates and the like and it comes from the privacy professionals' viewpoint. So it's quite practical, but can also go in depth on points and a lot of good commentary there. So ZoomInfo, ICO, IAPP.

Rebecca Stanton

executive
#30

Wonderful. Awesome. Okay. We're going to wrap up then there. Audience members, actually, those resources, we've added for you, so that's a great question. We added some of those resources already for you in that resource list that I mentioned in the beginning. And also in our survey, there is an open text field. So definitely let us know if there's anything that we can do better or provide more information on when it comes to privacy and compliance. So definitely fill that out and let us know, and we will make sure that we are updating all of our information. We also know if -- again, if you haven't had your questions answered, we will also follow up with you on that. And then, last item, recording, this has been recorded, and we will -- you'll receive the recording within 48 hours via e-mail. We'll also add some of those resources that Simon mentioned into that e-mail as well. So definitely keep an eye on for that. Thank you, Simon, and thank you, Derek, for being here. I know that this was a lot of great information, and we will, I'm sure, be having many more of these now that we have Simon on board. So I thank you both for joining us today.

Simon McDougall

executive
#31

Thanks, Rebecca.

Rebecca Stanton

executive
#32

Have a great one, everybody.

Derek Smith

executive
#33

Thanks.
