Commercial Transactions · Privacy · AI Governance

Charles Daum

California Bar · CIPP/US Certified

I am an enterprise technology attorney with 15+ years negotiating complex commercial deals, building privacy programs, and governing AI risk, in-house and at scale, alongside the sales and product teams responsible for the outcomes. This site is designed to give you a more complete picture of that experience than a resume can. Browse my domain expertise, use the AI-powered chat to ask me anything about my background, or interact with a governance workflow I built as a live demonstration of how I use frontier AI models in legal practice.

  • 15+ years at enterprise technology companies
  • 3,000+ transactions managed annually at Oracle Marketing Cloud
  • 2,700+ higher-ed institutions served as privacy counsel at Ellucian
Education
J.D., cum laude — Case Western Reserve University School of Law
B.A., Art History — Oberlin College
Certification
CIPP/US — Certified Information Privacy Professional
Bar Admission
California State Bar
What I Do

Experience by Domain

Click on the cards below to learn more about my experience and expertise in a variety of legal domains.

Commercial Transactions & Deal Strategy
Negotiation
  • Served as primary commercial negotiator for the Oracle Financial Services GBU, closing a landmark $80M professional services agreement with a top-4 global bank through three days of in-person executive negotiations in London (Oracle FSGBU, Operations Senior Manager)
  • Represented Oracle Marketing Cloud in a seven-figure customer settlement negotiation at the customer's corporate headquarters alongside the GM and VP of Professional Services (Oracle Marketing Cloud)
  • Resolved privacy and data protection objections that had stalled enterprise deals with major public universities, including novel SaaS adoption agreements with institutions subject to state procurement rules, FERPA obligations, and provincial Canadian privacy frameworks (Ellucian)
Deal Operations & Governance
  • Led a team of eight supporting 3,000+ complex enterprise transactions annually across SaaS, data, licensing, and professional services at Oracle Marketing Cloud, personally owning the highest-value and highest-risk deals (Oracle Marketing Cloud, Director of Deal Strategy)
  • Designed and operationalized a unified global quote-to-order and contracting process across five acquired companies, enabling a coherent GTM strategy and scalable enterprise execution (Oracle Marketing Cloud)
Privacy & Data Governance
Program Management
  • Rebuilt Ellucian's global privacy program from the ground up as one of two in-house privacy attorneys serving 2,700+ higher education institutions across nearly 50 countries (Ellucian, Senior Privacy Counsel)
  • Built privacy-by-design review processes embedded in the product development lifecycle, including data use governance frameworks and risk escalation workflows across a global product portfolio (Ellucian)
Regulatory Compliance
  • Negotiated complex cross-border data protection agreements under GDPR, CCPA/CPRA, FERPA, PIPEDA, and provincial Canadian privacy frameworks, including novel SaaS adoption agreements with risk-averse academic institutions (Ellucian)
  • Managed cross-border transfer mechanisms including EU SCCs and UK IDTA; advised on breach notification obligations across multiple jurisdictions (Ellucian)
Policies & Day-to-Day Practice
  • Overhauled global privacy policy framework including customer-facing notices, employee notices, and standard DPA templates, materially reducing friction in enterprise contract negotiations (Ellucian)
  • Handled all data subject access requests, data use agreements, privacy impact assessments, DPIAs, and data sharing arrangements including research partnerships and third-party integrations (Ellucian)
AI Governance
Framework & Policy
  • Built Ellucian's AI governance framework from scratch: AI Acceptable Use Policy, vendor risk assessment methodology, and internal review process aligned to the NIST AI RMF and emerging EU AI Act requirements (Ellucian)
Operational Review
  • Served as sole legal member of Ellucian's AI Review Board, personally conducting use-case intake and risk assessments for all inbound vendors and internal product initiatives as generative AI entered the enterprise market (Ellucian, Senior Privacy Counsel)
Enablement & Innovation
  • Produced AI and privacy law playbooks, contract templates, and sales enablement materials that allowed commercial and product teams to move quickly without escalating every question to legal (Ellucian)
  • Built a five-skill AI governance workflow system using Claude: master router, pre-ship governance review, DPIA assessment, post-ship monitoring, and report assembly, demonstrated live on this site (Independent development)
M&A Integration & Commercial Governance
Diligence
  • Conducted acquisition diligence at Ellucian: led target evaluation calls, built financial projections, identified operational synergies, and presented findings to the CEO, CFO, CPO, and private equity owners (Ellucian, Senior Director Business Transformation)
  • Joined Oracle's M&A Global Business Practices team to conduct pre-integration commercial diligence on acquisition targets, reviewing GTM models and agreement structures to identify risk and incompatibility with Oracle systems before close (Oracle, Director M&A Global Business Practices)
Integration
  • Embedded inside Eloqua post-close as Oracle's commercial governance lead, building the deal review and approval function from scratch before operational integration to address challenges encountered in prior SaaS acquisitions (Oracle Marketing Cloud)
  • Led commercial governance integration across Eloqua, Responsys, BlueKai, and Maxymiser, each requiring a distinct approach given differences in business model, customer base, and legacy contract structure (Oracle Marketing Cloud / Oracle M&A GBP)
  • Drove value creation planning at Ellucian during the Vista Equity Partners and Blackstone acquisition, coordinating directly with PE asset managers and the full C-suite to align the organization around post-acquisition priorities (Ellucian, Senior Director Business Transformation)
AI-Assisted Practice

AI Governance Workflow Demo

Using AI tools to help manage legal work is no longer a "neat trick," but an essential skill. Below is a live demonstration of a five-skill product counsel governance system I built using Claude. It contains a master router, pre-ship AI governance review, DPIA assessment, post-ship monitoring, and report assembly. The goal was to create a screening tool for an in-house product counsel to use to flag possible compliance risks with new product features, data uses, or AI model feedback (monitoring).

Sample Scenario
We are planning to launch an AI-powered employee performance review tool that will analyze employee communications — including email metadata, Slack message frequency, and meeting attendance patterns — to generate quarterly performance scores that managers will use to make compensation and promotion decisions. The system will be built on a third-party LLM. We operate in the US, UK, and Germany.
ROUTING DECISION: ai-governance-workflow + dpia-process-skill → report-output-summary

Both workflows apply: this is a pre-ship AI system review involving systematic processing of employee personal data. Running sequentially.
Workflow 1: AI Governance Review
High-Risk AI System

EU AI Act Risk Classification: HIGH-RISK

Annex III, Point 4(b): AI systems used to assist in decisions on promotion, compensation, task allocation, and monitoring of performance and behavior. Employment-related AI systems that influence compensation and promotion fall squarely within Annex III. The use of behavioral metadata as proxy performance indicators reinforces this classification.

NIST AI RMF Assessment

GOVERN: No documented ownership or accountability structure is described. It is unclear who is responsible for the system's outputs, who has authority to override a score, and what escalation path exists when a score is disputed. This is a blocking gap.

MAP: Foreseeable risks include disparate impact on protected classes; proxy discrimination via metadata; opacity to employees; vendor dependency on a third-party LLM; and scope creep risk.

MEASURE: No testing, bias detection, or benchmark methodology is described. For a High-Risk system under the EU AI Act, this is a blocking gap.

MANAGE: No mitigation or incident response procedure is described. Required before ship: a human oversight protocol, a dispute/correction mechanism for employees, and a vendor incident notification clause.

Privacy Intersections

Article 22 (Automated Decision-Making): If the system produces scores that managers use without meaningful independent review, this may constitute automated decision-making with legal or similarly significant effects, triggering Article 22 rights. This is the highest-priority legal question for EU/UK deployment.

Data Minimization: Email metadata and Slack message frequency are behavioral proxies. The proportionality argument for using communication volume as a performance indicator is weak without validation evidence.

Purpose Limitation: Email and Slack data were almost certainly collected for communication purposes, not performance evaluation. Repurposing for scoring requires either a compatibility assessment or fresh consent basis in the EU/UK.

Blocking Issues

Must resolve before ship: Article 22 compliance posture; Germany works council co-determination under §87(1)(6) BetrVG; legal basis for processing; third-party LLM DPA; pre-deployment bias audit methodology.

Research Flags

⚠ Whether the company's role as deployer vs. provider of a third-party LLM changes which Annex III obligations attach under the EU AI Act. Reason: emerging legislation — enforcement guidance on deployer vs. provider obligation allocation is not yet settled.
⚠ Whether a manager's use of an AI-generated performance score as a primary input constitutes "solely automated" processing under Article 22 GDPR when the manager has nominal but not substantive discretion. Reason: uncertainty — ICO and EDPB guidance does not resolve the "solely" threshold in cases of de facto managerial deference.
Workflow 2: DPIA Assessment
DPIA Required

Threshold Trigger Assessment: DPIA Required

Five of nine WP248 high-risk criteria are satisfied. DPIA is required when two or more are present.

  • Evaluation or scoring: systematic generation of performance scores from behavioral data
  • Automated decision-making with legal or similarly significant effects: scores directly inform compensation and promotion
  • Systematic monitoring: ongoing collection of communication metadata in a workplace context
  • Vulnerable data subjects: employees in a dependency relationship with the employer
  • Innovative use of technology: LLM-based behavioral inference in employment decisions is novel
  • Data matching or combining: email metadata + Slack frequency + meeting attendance combined to infer performance

Risk Matrix

Risk | Score | Residual
Disparate impact via proxy metrics | Critical | Medium
Article 22 violation | Critical | Medium
Germany §87 BetrVG non-compliance | Critical | Low (if works council engaged)
Employee opacity/contestation failure | High | Medium
LLM vendor DPA missing | High | Low
Article 9 latent exposure | High | Medium

Article 36 Consultation

If residual risk remains HIGH or CRITICAL after mitigation, prior consultation with the relevant supervisory authority (ICO for UK, Landesbeauftragter for Germany) is required under Article 36 GDPR before processing begins. On current facts, consultation may be required even with mitigations in place.

Consolidated Report: Executive Summary
Aggregate: Critical

This system is a High-Risk AI system under the EU AI Act and triggers mandatory DPIA obligations under GDPR Article 35. Three CRITICAL-level risks are present: structural proxy discrimination through behavioral metadata, potential Article 22 automated decision-making violations, and a hard legal block on German deployment absent works council consent under §87 BetrVG.

The system cannot legally launch in Germany without works council approval, which must be obtained before deployment, not after. In the EU and UK, the Article 22 compliance posture — specifically whether manager review of AI-generated scores constitutes meaningful human oversight — is unresolved and must be designed into the product before launch.

Pre-deployment bias auditing is required both as a matter of EU AI Act compliance and as a practical defense against disparate impact claims. Four legal research questions are flagged as requiring external verification before this review can be finalized.

This product should not advance to launch without legal sign-off on all blocking items.

Immediate Action Items

  • Initiate works council engagement under §87(1)(6) BetrVG — Germany deployment is legally blocked until consent is obtained
  • Design and document the Article 22 human review protocol — define what "meaningful" review requires operationally
  • Execute GDPR-compliant DPA with the LLM vendor; confirm transfer mechanism for cross-border data flows
  • Commission pre-deployment bias audit across protected class proxies before any scoring run
  • Document lawful basis for processing in each jurisdiction
  • Complete this DPIA and determine whether Article 36 supervisory authority consultation is required

Select a pre-loaded scenario or describe your own. The router will determine which workflow applies and run a condensed analysis.

This demo runs a condensed version of the workflow. Full stack output includes detailed risk matrices, consolidated action items, and cross-workflow research flags.

Ask about my background

Have a question about my experience, skills, or fit for a specific role? Ask below. This is powered by AI and trained on my actual background. Try it the way a recruiter or hiring manager would.

Chat with Charles's Background
Hi. I'm an AI assistant with detailed knowledge of Charles Daum's background, experience, and skills. Ask me anything about his commercial contracting experience, privacy law expertise, AI governance work, or how he might fit a specific role. What would you like to know?
Personal Interests

Outside of Work

Music
I began playing cello at age five and continued to perform through college. Since then I've continued to explore other instruments, including acoustic guitar and electric guitar, mandolin, and drums. I'm currently pursuing drum study most seriously. I have always enjoyed the challenge that trying to master an instrument presents, and the reward of making progress and getting closer to being able to express myself fully through performance.
Kenpo
As an adult I came to appreciate physical development as seriously as intellectual development, and I now study Kenpo karate under Sifu Phil Desrosiers. It is a discipline that rewards sustained commitment and a tolerance of repeated failure with technical precision and a genuine understanding of how bodies move and respond to each other.
Auto Mechanics
From an early age I've been fascinated with motor vehicles. In my twenties I decided I wanted to understand how they really work, and started my self-education by learning to work on a motorcycle. I kept developing my knowledge and skills and now perform my own maintenance and track preparation on a vintage Porsche.
Get in Touch

Let's connect

If you are looking for counsel with deep legal expertise and the operational fluency of someone who has managed hundreds of deals and can engage as a genuine business partner, I would welcome the conversation.