'GDPR as a gold standard': Kristine Wood on Loopio's approach to global data compliance

As Senior Legal Counsel at an AI-powered software company, Wood safeguards client information

At Loopio, an AI-powered software company based in Toronto, customer care is at the heart of everything they do. And, in a world where data privacy laws are constantly evolving, having a keen legal eye on everything is an absolute must. Steering the legal helm of the software firm is Kristine Wood, Senior Legal Counsel, who tells Lexpert that navigating compliance with both Canadian regulations like PIPEDA and international standards such as GDPR is top of mind.

"We typically rely on GDPR as a gold standard for privacy law, which is what we've noticed as an industry standard across the board with our customers as well," says Wood. This reliance on GDPR highlights a broader industry shift towards adhering to globally recognized frameworks, ensuring that companies like Loopio maintain consistency in their privacy policies across borders. 

To manage these complexities, Loopio collaborates with external firms, like the UK-based Taylor Wessing, for guidance on the latest changes in privacy regulations and for reviewing and engaging with the broader legal market on industry trends and disruptions.

“We rely on the resources that they publish, read those resources, and make note of any material changes,” she tells Lexpert. This strategy allows Loopio to stay ahead of emerging trends and regulatory shifts, including new legislation that may not be privacy-specific but has elements that impact the industry.

For example, Wood mentioned upcoming regulations, such as the UK’s Digital Operational Resilience Act (DORA), explaining how customers proactively seek amendments to ensure compliance.

"We've had a number of customers who have reached out saying, hey, we need to enter into this amendment, to ensure that we're in line with applicable law," she explains. These key stakeholders also play a role in illuminating updates and shifts to laws and regulations.

In addressing the balance between innovation and compliance, Wood points to the rapid advancements in generative AI as a key area of focus.

“Generative AI has outpaced current and existing legal frameworks," she adds, acknowledging the legal ambiguity surrounding this technology. Loopio's approach has been to observe industry leaders like Microsoft and Adobe to shape their own generative AI terms.

"We based and drafted our gen AI terms by looking at other industry leaders... and then really creating terms that address product-specific concerns, including what those risks are to both our customers and ourselves. [It’s also about] revising templates – once you start seeing more industry-standard agreements and trends develop and what needs to be revised, that means you can keep pace with other industry leaders by ensuring well-founded and trusted templates, which in turn benefits the business by increasing buyer enablement and deal velocity.”

Negotiating SaaS agreements presents another layer of legal complexity, particularly when it comes to liability, intellectual property, and data ownership. Wood tells Lexpert these agreements often involve "issues around limitation of liability" that hinge on the companies' risk tolerance. She also emphasizes the importance of involving the right business leaders to understand the specific risks and communicate them effectively during negotiations.

“It boils down to business decisions and making sure that you have the right leaders in the conversation, understanding where that risk really lies," she says. "For example, broadening indemnification obligations, while it is a legal term, it’s a risk that the business needs to get comfortable with and determine whether it falls within its risk metric," she explains. “Explaining the likelihood of the risk and the impact if the risk were to materialize are all things that the business needs to consider.”

Intellectual property and data ownership in SaaS agreements also require careful consideration, especially in multi-tenant systems like Loopio's. Wood says that their solution doesn’t offer customizations for individual customers, which can lead to misunderstandings during negotiations.

“A lot of the times you're working off of a boilerplate template, and the customer wants to see certain key terms that aren’t necessarily applicable, for example... We’re a multi-tenanted solution, and we don’t create any customizations for customers, so there are no IP ownership rights to transfer."

Risk management in a rapidly evolving tech environment requires a robust framework that evolves alongside the business. For Wood, this means not only addressing immediate legal concerns but also aligning with broader business decisions, particularly when dealing with large-scale contracts.

“Opening a company’s risk metric a lot of the times becomes a business decision. So, limitation of liability, while it is a legal term, it at the end of the day really is a business decision," she explains.

Ultimately, Wood’s insights underscore the intricate balance between legal compliance and business innovation in the tech sector. From staying ahead of regulatory changes to navigating complex SaaS agreements, her approach is grounded in a deep understanding of both legal frameworks and the specific needs of Loopio's customers.