Commercial Transactions · Privacy · AI Governance

Charles Daum

California Bar · CIPP/US Certified

Enterprise technology attorney with 15+ years negotiating complex commercial deals, building privacy programs, and governing AI risk. Deep legal expertise combined with the operational fluency of someone who has sat on the business side of the table.

  • 15+ years at enterprise technology companies
  • 3,000+ transactions managed annually at Oracle Marketing Cloud
  • 2,700+ higher-ed institutions served as privacy counsel at Ellucian
What I Do

Experience by Domain

My career has not followed a straight line, and that is the point. Fifteen years across Oracle and Ellucian built a foundation that most attorneys develop only one piece of: deep commercial deal experience, in-house privacy program leadership, hands-on AI governance, and M&A integration work at scale. The domains below reflect how I actually practice, not how a title describes me.

01
Commercial Transactions & Deal Strategy
  • Led a team of eight supporting 3,000+ complex enterprise transactions annually across SaaS, data, licensing, and professional services at Oracle Marketing Cloud, personally owning the highest-value and highest-risk deals (Oracle Marketing Cloud, Director of Deal Strategy)
  • Served as primary commercial negotiator for the Oracle Financial Services GBU, closing a landmark $80M professional services agreement with a top-4 global bank through three days of in-person executive negotiations in London (Oracle FSGBU, Operations Senior Manager)
  • Negotiated enterprise SaaS agreements, vendor contracts, and data processing agreements as the primary legal resource for Ellucian's North American sales organization, serving as the commercial attorney of record for a customer base of 2,700+ higher education institutions (Ellucian, Senior Privacy Counsel)
  • Resolved privacy and data protection objections that had stalled enterprise deals with major public universities, including novel SaaS adoption agreements with institutions subject to state procurement rules, FERPA obligations, and provincial Canadian privacy frameworks (Ellucian)
  • Represented Oracle Marketing Cloud in a seven-figure customer settlement negotiation at the customer's corporate headquarters alongside the GM and VP of Professional Services (Oracle Marketing Cloud)
  • Designed and operationalized a unified global quote-to-order and contracting process across five acquired companies, enabling a coherent GTM strategy and scalable enterprise execution (Oracle Marketing Cloud)
Privacy & Data Governance
  • Rebuilt Ellucian's global privacy program from the ground up as one of two in-house privacy attorneys serving 2,700+ higher education institutions across nearly 50 countries (Ellucian, Senior Privacy Counsel)
  • Negotiated complex cross-border data protection agreements under GDPR, CCPA/CPRA, FERPA, PIPEDA, and provincial Canadian privacy frameworks, including novel SaaS adoption agreements with risk-averse academic institutions (Ellucian)
  • Overhauled global privacy policy framework including customer-facing notices, employee notices, and standard DPA templates, materially reducing friction in enterprise contract negotiations (Ellucian)
  • Built privacy-by-design review processes embedded in the product development lifecycle, including data use governance frameworks and risk escalation workflows across a global product portfolio (Ellucian)
  • Handled data subject access requests, data use agreements, breach notification analysis, and cross-border transfer mechanisms including EU SCCs and UK IDTA (Ellucian)
AI Governance
  • Served as sole legal member of Ellucian's AI Review Board, personally conducting use-case intake and risk assessments for all inbound vendors and internal product initiatives as generative AI entered the enterprise market (Ellucian, Senior Privacy Counsel)
  • Built Ellucian's AI governance framework from scratch: AI Acceptable Use Policy, vendor risk assessment methodology, and internal review process aligned to the NIST AI RMF and emerging EU AI Act requirements (Ellucian)
  • Produced AI and privacy law playbooks, contract templates, and sales enablement materials that allowed commercial and product teams to move quickly without escalating every question to legal (Ellucian)
  • Built a five-skill AI governance workflow system using Claude — master router, pre-ship governance review, DPIA assessment, post-ship monitoring, and report assembly — demonstrated live on this site (Independent development)
M&A Integration & Commercial Governance
  • Served as Oracle's "inside man" for the Eloqua acquisition: embedded post-close, pre-integration to align contracting, approvals, pricing, and GTM operations with Oracle standards — chosen specifically because prior acquisitions had failed for lack of this function (Oracle Marketing Cloud)
  • Led commercial governance integration across multiple acquired SaaS businesses including Responsys, BlueKai, and Maxymiser, each with distinct business models, customer bases, and legacy contract structures (Oracle Marketing Cloud / Oracle M&A GBP)
  • Joined Oracle's M&A Global Business Practices team to lead pre-integration commercial diligence across acquired companies, including early-stage GTM and agreement review to identify risk and incompatibilities before close (Oracle, Director M&A Global Business Practices)
  • Led acquisition diligence and value creation planning at Ellucian during a private equity transition involving Vista Equity Partners and Blackstone, including C-suite and PE owner briefings (Ellucian, Senior Director Business Transformation)
  • Managed diligence and coordination for the CampusLogic acquisition, working directly with Vista and Blackstone asset managers and Ellucian's C-suite throughout the process (Ellucian)
Education: J.D., cum laude, Case Western Reserve, 2006
Bar Admission: California State Bar, SBN 245725
Certification: CIPP/US, Certified Privacy Professional
Location: San Rafael, California
AI-Assisted Practice

AI Governance Workflow Demo

I build AI-assisted legal workflows using Claude. Below is a live demonstration of a five-skill product counsel governance system: a master router, pre-ship AI governance review, DPIA assessment, post-ship monitoring, and report assembly.

Product Counsel AI Governance Workflow Demo

This is a live demonstration of a five-skill AI governance workflow system I built using Claude: a master router, pre-ship AI governance review, DPIA assessment, post-ship monitoring, and report assembly. The static walkthrough shows full stack output from a sample scenario. The live component runs the router and one workflow against any scenario you submit.

Sample Scenario
We are planning to launch an AI-powered employee performance review tool that will analyze employee communications — including email metadata, Slack message frequency, and meeting attendance patterns — to generate quarterly performance scores that managers will use to make compensation and promotion decisions. The system will be built on a third-party LLM. We operate in the US, UK, and Germany.
ROUTING DECISION: ai-governance-workflow + dpia-process-skill → report-output-summary

Both workflows apply: this is a pre-ship AI system review involving systematic processing of employee personal data. Running sequentially.
Workflow 1: AI Governance Review
High-Risk AI System

EU AI Act Risk Classification: HIGH-RISK

Annex III, Point 4(b): AI systems used to assist in decisions on promotion, compensation, task allocation, and monitoring of performance and behavior. Employment-related AI systems that influence compensation and promotion fall squarely within Annex III. The use of behavioral metadata as proxy performance indicators reinforces this classification.

NIST AI RMF Assessment

GOVERN: No documented ownership or accountability structure is described. It is unclear who is responsible for the system's outputs, who has authority to override a score, and what escalation path exists when a score is disputed. This is a blocking gap.

MAP: Foreseeable risks include disparate impact on protected classes; proxy discrimination via metadata; opacity to employees; vendor dependency on a third-party LLM; and scope creep risk.

MEASURE: No testing, bias detection, or benchmark methodology is described. For a High-Risk system under the EU AI Act, this is a blocking gap.

MANAGE: No mitigation or incident response procedure is described. Required before ship: a human oversight protocol, a dispute/correction mechanism for employees, and a vendor incident notification clause.

Privacy Intersections

Article 22 (Automated Decision-Making): If the system produces scores that managers use without meaningful independent review, this may constitute automated decision-making with legal or similarly significant effects, triggering Article 22 rights. This is the highest-priority legal question for EU/UK deployment.

Data Minimization: Email metadata and Slack message frequency are behavioral proxies. The proportionality argument for using communication volume as a performance indicator is weak without validation evidence.

Purpose Limitation: Email and Slack data were almost certainly collected for communication purposes, not performance evaluation. Repurposing for scoring requires either a compatibility assessment or fresh consent basis in the EU/UK.

Blocking Issues

Must resolve before ship: Article 22 compliance posture; Germany works council co-determination under §87(1)(6) BetrVG; legal basis for processing; third-party LLM DPA; pre-deployment bias audit methodology.

Research Flags

⚠ Whether the company's role as deployer vs. provider of a third-party LLM changes which Annex III obligations attach under the EU AI Act. Reason: emerging legislation — enforcement guidance on deployer vs. provider obligation allocation is not yet settled.
⚠ Whether a manager's use of an AI-generated performance score as a primary input constitutes "solely automated" processing under Article 22 GDPR when the manager has nominal but not substantive discretion. Reason: uncertainty — ICO and EDPB guidance does not resolve the "solely" threshold in cases of de facto managerial deference.
Workflow 2: DPIA Assessment
DPIA Required

Threshold Trigger Assessment: DPIA Required

Five of nine WP248 high-risk criteria are satisfied. DPIA is required when two or more are present.

  • Evaluation or scoring: systematic generation of performance scores from behavioral data
  • Automated decision-making with legal or similarly significant effects: scores directly inform compensation and promotion
  • Systematic monitoring: ongoing collection of communication metadata in a workplace context
  • Vulnerable data subjects: employees in a dependency relationship with the employer
  • Innovative use of technology: LLM-based behavioral inference in employment decisions is novel
  • Data matching or combining: email metadata + Slack frequency + meeting attendance combined to infer performance

Risk Matrix

| Risk | Score | Residual |
|---|---|---|
| Disparate impact via proxy metrics | Critical | Medium |
| Article 22 violation | Critical | Medium |
| Germany §87 BetrVG non-compliance | Critical | Low (if works council engaged) |
| Employee opacity/contestation failure | High | Medium |
| LLM vendor DPA missing | High | Low |
| Article 9 latent exposure | High | Medium |

Article 36 Consultation

If residual risk remains HIGH or CRITICAL after mitigation, prior consultation with the relevant supervisory authority (ICO for UK, Landesbeauftragter for Germany) is required under Article 36 GDPR before processing begins. On current facts, consultation may be required even with mitigations in place.

Consolidated Report: Executive Summary
Aggregate: Critical

This system is a High-Risk AI system under the EU AI Act and triggers mandatory DPIA obligations under GDPR Article 35. Three CRITICAL-level risks are present: structural proxy discrimination through behavioral metadata, potential Article 22 automated decision-making violations, and a hard legal block on German deployment absent works council consent under §87 BetrVG.

The system cannot legally launch in Germany without works council approval, which must be obtained before deployment, not after. In the EU and UK, the Article 22 compliance posture — specifically whether manager review of AI-generated scores constitutes meaningful human oversight — is unresolved and must be designed into the product before launch.

Pre-deployment bias auditing is required both as a matter of EU AI Act compliance and as a practical defense against disparate impact claims. Four legal research questions are flagged as requiring external verification before this review can be finalized.

This product should not advance to launch without legal sign-off on all blocking items.

Immediate Action Items

  • Initiate works council engagement under §87(1)(6) BetrVG — Germany deployment is legally blocked until consent is obtained
  • Design and document the Article 22 human review protocol — define what "meaningful" review requires operationally
  • Execute GDPR-compliant DPA with the LLM vendor; confirm transfer mechanism for cross-border data flows
  • Commission pre-deployment bias audit across protected class proxies before any scoring run
  • Document lawful basis for processing in each jurisdiction
  • Complete this DPIA and determine whether Article 36 supervisory authority consultation is required

Select a pre-loaded scenario or describe your own. The router will determine which workflow applies and run a condensed analysis.

This demo runs a condensed version of the workflow. Full stack output includes detailed risk matrices, consolidated action items, and cross-workflow research flags.

Ask about my background

Have a question about my experience, skills, or fit for a specific role? Ask below. This is powered by AI and trained on my actual background. Try it the way a recruiter or hiring manager would.

Chat with Charles's Background
Hi. I'm an AI assistant with detailed knowledge of Charles Daum's background, experience, and skills. Ask me anything about his commercial contracting experience, privacy law expertise, AI governance work, or how he might fit a specific role. What would you like to know?
Beyond the Office

What I do when I'm not lawyering

The same qualities that make me effective as a lawyer show up everywhere else: a drive to understand things deeply, a preference for doing over observing, and a habit of not stopping once I start.

🥋
Kenpo & Powerlifting
I was a powerlifter for years and am now a serious student of Kenpo karate. Both disciplines reward the same things: sustained commitment, technical precision, and a willingness to keep showing up. I approach both as a lifelong student, not someone checking a box.
🥁
Music
I began playing cello at age five and performed seriously through college. Since then I've added acoustic guitar, electric guitar, and drums to my practice, and I'm currently pursuing drum study most seriously. Music has always been a discipline I return to rather than leave behind.
🔧
Auto Mechanics
In my twenties I decided I wanted to understand how vehicles actually work. I started with a motorcycle and kept going. I now perform my own maintenance and track preparation on a vintage Porsche. It's the same instinct that drives my legal work: if something matters, understand it from the ground up.
Get in Touch

Let's connect

I'm currently exploring new opportunities in commercial technology transactions, privacy, and AI governance. If you're looking for counsel who combines deep legal expertise with genuine operational fluency, someone who has managed hundreds of deals and can engage as a business partner rather than just an advisor, I'd welcome the conversation.