Ep. 01

Sarah Mattina,

VP of Legal at G2

Oct 06, 2020

Sarah dives into her workstyle as a lawyer running privacy and shares how DataGrail provides her team with support that helps customers trust how G2 handles privacy.

Text Transcription

Daniel Barber  0:14  

Morning and welcome to the GrailCast. In the era of the dynamic workplace, selecting the right technology solutions for your team is now more important than ever. In today’s show I’m thrilled to welcome Sarah Mattina, Vice President of Legal at G2, the leading software review website. Welcome, Sarah.


Sarah Mattina  0:33  

Hi Daniel. Thanks for having me.


Daniel Barber  0:34  

Yeah, excited to chat with you. Obviously been chatting for quite some time. I think for today, you’ve led G2’s legal team for quite some time. Do you want to give us just a little intro on yourself and then we can get into the nuts and bolts?


Sarah Mattina  0:46  

Absolutely. Yeah. So I have been at G2 for a little over two and a half years. My introduction to data privacy: actually, I joined in very late April of 2018 and, as you know, GDPR went into effect on May 25. So I had about three weeks of runway to become G2’s internal GDPR expert. We did have help and that was wonderful. And so that’s kind of how I’ve been dealing with GDPR, and since then CCPA and more to come, ever since.


Daniel Barber  1:16  

Right? Yeah, no, I mean, I think, you know, it’s become very clear over the last few years that G2 is the prominent sort of review site for software reviews. I was excited to work and partner with you earlier on in 2018 and going into 2019. The interesting thing that we saw, right, was this change from initially GDPR being the global regulation, the standard for Europe. And now we’re seeing the state-level reforms with CCPA in California, its regulation going into enforcement last month.


What did you see as you kind of saw GDPR going into effect and then now with this trend towards CCPA and other potential state-level regulations?


Sarah Mattina  1:58  

Yeah. So I’m grateful that we started with GDPR on some level, because it was a very strict and robust regime. And what I’m seeing is that some of these state proposals and the state laws that have been passed are kind of GDPR-light; they’ve drawn a lot of inspiration from GDPR, and they tend to be less restrictive. So if you have built a solid GDPR foundation, you have a slight advantage in working towards implementing other regimes, because you typically have to just dial it back a little as opposed to having to add more to it. And if you need to make a decision on anything, you can just decide to pretty much implement straight GDPR across your entire company and feel pretty good that you are 90% compliant with CCPA, for example, which has only a few extra items that GDPR doesn’t have.


Daniel Barber  2:44  

So to follow on to that, what do you see with the marketing teams and the different teams that you’re working with across GDPR and CCPA? Because obviously it’s all-encompassing, it’s not just legal and security and the teams that directly relate to privacy. How did you work with those groups?


Sarah Mattina  3:06  

Yeah, it’s definitely a cross-functional effort. We just have to work really closely. I would say that one of the best things we have done is kind of have a privacy stakeholders group that meets somewhat regularly and kind of touches base. It’s not high touch, it’s fairly low touch, but it keeps everybody on the same page.


I think it helps the other teams when they understand the why. As the lawyer, I try to explain why this law is there. And then I let them work out the how, in terms of, you know, like, I give them the guide rails, and then they have the freedom to implement within those. So yeah, it’s a team effort, always, with any of these new privacy regimes coming out.


Daniel Barber  3:41  

Makes total sense. That’s pretty consistent across the group too. So moving along, thinking through sources of information that you go to that perhaps, you know, are on the legal side or on the privacy side, or a bit of both, that you’d like to share with folks I’ve seen today.


Sarah Mattina  3:56  

Yeah, I mean, one of my top resources is the information on the IAPP website. There’s a lot of stuff for a free user, and there’s also an upgraded account that has a lot of really good stuff. If you are a privacy professional, I would highly recommend checking that out; it’s worth the money. And I also just kind of rely on privacy blogs. Lots of the big firms put out really, really well-researched privacy blogs, and other people just have their kind of learnings out there on the internet.


And then lastly, for me, I am involved with some professional networking groups with other lawyers, you know, in the US and Europe, all sorts of places. And it’s a great place to kick around ideas and see how people have actually done something, because you, say, read the blog, get the basic idea, and then you ask your group, how did this work for you? How did it not work? And so it’s a nice three-step process there.


Daniel Barber  4:48  

Cool. No, that makes total sense. So this is now thinking about risks. Obviously, risks are something, as a legal professional, I’m sure you’re thinking about all the time. I think for many folks, especially those not in legal, this is an area that they struggle with to sort of understand what the risk is, right? If I’m the CISO, or a CTO, which we have a number of viewers in those departments, and they look for guidance from legal, how do you think about the risks across the landscape today from a privacy standpoint?


Sarah Mattina  5:18  

I think most of those folks that you just mentioned there, you know, the risk that’s really going to resonate the most with them is the fines. Right? They’re really going to be concerned about the fine.


So explaining, you know, what happens when there’s non-compliance. I think the risk that I really see is that these regimes are just proliferating: there’s GDPR, there’s CCPA, there’s a new one coming out of Brazil, there’s another one out of South Africa, different states within the US are, you know, spinning up their versions. And I think that is an overarching risk: if this just proliferates to that extent, it’s going to be very, very hard to maintain compliance.


And what happens if these regimes contradict each other? You know, for a company like G2, we’re not collecting big, big data. I don’t necessarily know where someone is coming from if I need to help them exercise their privacy rights, and I don’t ask for that information. So on the one hand, you know, we want to follow certain privacy concepts, like taking as little information as you need, but in doing so, that can make it hard to comply with the law, because you don’t know which law applies.


And so for me, one of the biggest risks is, as these things start to really come from all sorts of different places, like, how will G2 be able to comply in, like, a commercially reasonable manner? Because of course we could, like, we could just hire a bunch of lawyers and comply. But yeah, is that going to be something that our business can sustain?


Daniel Barber  6:42  

Yeah, it’s sort of this idea of a standard, right, what becomes a standard. Because if, you know, according to Gartner, 65% of the world’s population will have data protection by 2023 and we’re at 10% today, then what you described of sixteen different flavors becomes very, very hard for business to comply with. So you know, Microsoft’s position, obviously, in this area was, you know, we will honor CCPA rights across the US. That creates its own set of challenges as well.


Sarah Mattina  7:12  

That is the same tactic. We also have taken that approach. Yeah. But you do have to start making decisions based on commercial reasonableness. And for us, it was not, it would have, yes, we could just give this to California users, but the process of discovering who is and who is not a California user was too high a bar to clear, and so we have just applied it across the country.


Daniel Barber  7:35  

So on a different note, where do you see the opportunities? Because obviously, you know, the constructs of transparency and control are pretty built into privacy policies at this point. Where do you see opportunities?


Sarah Mattina  7:46  

There’s a lot of opportunities for data privacy lawyers coming up. So I think there’s going to be, you know, a big jump in privacy-related careers, not just legal ones, across the board. And there’s a big opportunity for software vendors like DataGrail to really be first in the space and take this off the plate of smaller companies, really automate this or semi-automate it to the extent possible, and kind of opportunities for anybody who’s willing to be an outsource for these kinds of things. So I think two big ones there.


Daniel Barber  8:19  

Yeah. Yeah. Well, thank you, and then sort of wrapping things up. So as we think about G2, and obviously, you know, the program that you’ve now built, how do you think about the advantage for G2, how privacy could be an advantage, and is there an advantage that G2 could take to market?


Sarah Mattina  8:35  

Yeah, definitely. I think, at this point, you know, people don’t just want you to have a privacy posture and privacy program, they absolutely expect one. And if you haven’t been building one since GDPR, you are probably a little bit behind. And you might be having awkward conversations about where you’re at with your CCPA and all of those things. So being on top of that is a huge commercial advantage.


Also, you know, like you said, you know, G2 is the place where businesses go to research software. If we’re not the leading expert, leading implementer of all of these concepts, you know, people are going to come to us to look for that advice, and we need to practice what we preach, and we need to really be a leader in that area as well. And I think we are, so that’s another advantage for us. Yeah, I think those are the two main ones: really not being caught behind the eight ball, and being a leader in the field is always an advantage. Right?


Daniel Barber  9:27  

Absolutely. Yeah. I mean, I think your point of investing during the GDPR period is interesting, because, you know, we see now companies coming to us that perhaps didn’t need to implement anything for GDPR and chose not to. And CCPA is now sort of the first national-level piece of legislation that they may need to comply with, and that becomes challenging. So it’s great to kind of see the investment there, and I think, to your point, as sort of a leading research site, then continuing that investment shows that you are making that commitment as well.


Sarah Mattina  10:00  

And we had help along the way. I mean, we’ve been a partner with DataGrail since GDPR came into effect, and that also helped us immediately just kind of add a few more clicks and a Do Not Sell My Information button. And with the help of good partners, we were able to make that transition from GDPR compliant to also CCPA compliant, and, you know, before the deadline, and that’s really helpful.


Daniel Barber  10:24  

Well, thank you once again. So that wraps up our session for today. As I mentioned before, these are 15-minute sessions; you can have coffee and learn about some insights from your peers at the executive level. So tune in next week for another session. And thanks again, Sarah. Thanks to G2, and I look forward to seeing you on the podcast again soon.


Sarah Mattina  10:46  

Thanks for having me.

