Today, Inspiring Legal is joined by Jonathan Keen, the Head of Legal at powerhouse software company Figma. Listen in as Stine and Jonathan dive into Figma's legal operations, their approach to privacy, and Jonathan's own Legal journey.
Get insights, learn from peers, life lessons from some of the most influential GCs. If it's related to inhouse legal, we cover it. For more inspiration, go to openli.com/community.
Stine: So today I am joined by Jonathan and you'll get to hear more from him in a second. But Jonathan is working for Figma, a fast growing, amazing tool. If you ever used it, you know what it is and you know how good it is.
But Jonathan also has a background working for tech companies that are growing fast. And today Jonathan is joining me to have a conversation about privacy, expanding into new markets and how you're managing that when you're working for a company both headquartered out of the US, but also working in Europe. So welcome, Jonathan.
Jonathan: Hi, thank you for the warm welcome. I'm delighted to be here.
Stine: So Jonathan, for the listeners out there that don't know you, I think they should get to know you a little better.
Jonathan: Sure. So where am I from? I'm based out of London in the UK and have been for some time. And I guess my legal career started in a traditional way.
I worked for a well-established English firm to do my training contract, which is a two year kind of training period, which we do in the UK, before qualifying into a number of US law firms in their London office, but headquartered in New York. So I had that exposure to working with US organizations very early on in my career. So I had kind of that insight into working to tight deadlines and to working with a US centric kind of work culture and kind of the pace and the requirements of that entail. So the first US firm I worked for was Milbank, Tweed, Hadley & McCloy.
They're one of the big white shoe New York firms. And when I was working for them, we were in the middle of the financial crisis in , then it was the - financial crisis. And I joined kind of towards the end of that. And they were actually the official counsel to the Lehman Brothers Chapter . So working on really high profile corporate insolvency work as part of their financial restructuring team, which was hugely interesting. And a lot of new case law was made at the time because obviously a bank of the size and complexity of Lehman Brothers had never gone insolvent before. So it's a hugely interesting project and I'm delighted to play a very small part in that. Subsequently, I realized that kind of in the long term, private practice wasn't really the area for me.
I am interested in studying new areas of law. I'm interested in a breadth of work. And that doesn't really traditionally tie up with a private practice career. So relatively early on in my career, I made the move in-house working for a portfolio technology company,
a very small bespoke software house working in the energy sector, and then gradually made my way into into the West Coast technology scene where I've kind of been specializing for the last five years, helping West Coast typically headquartered hyper growth SAS companies expand into the international market.
So I've been the first non-US lawyer now. The last two organizations I've worked for. And the first kind of pair of feet on the ground outside the US. And I'm there to help enable that rapid growth into Europe and beyond for these for these companies. And yeah, Figma has been my home for the last months and seen a exceptional pace of growth. We've opened offices in London, Berlin, Paris, Tokyo, and now Singapore is next on the list during that time. So kind of the we have this phrase that kind of a month in Figma is like a year at other companies because so much, so much changes.
And that's part of the excitement, but also presents its own challenges as well. I'm normally saying working at a tech scale up is kind of like dog years. So you're multiplying it by seven. Here we're multiplying it by twelve.
Stine: And I think it kind of gives a good understanding of the growth of Figma and where Figma is going. So if you don't know about Figma out there, take a look, because if you're working at a tech company, you are most likely using their products. And if not, most likely going to, especially the product teams and the dev teams are madly in love with it.
And I'm not getting commissioned for saying this, and I don't use your product, but my dev team does. I am not creative. I'm not able to do anything that just resembles something smart when it comes to technology. But I know from my UX designer and from my CPO that they are in love with your product, which was also why we reached out to you, Jonathan. But also because of those challenges and but also exciting times that come with working for such a company.
Jonathan: Yeah, it's been hugely exciting. It's come in two phases, really. There's the initial six months where it was just me. So I didn't have a team. So and kind of covering off so many different areas. So primarily new business, negotiating SAS contracts with with our existing and expanding customers, but also kind of doing the corporate foundational work, incorporating entities in France and Germany and all of that good stuff and helping enable the rapid growth in headcounts. We were only people in Europe and now we're plus. So a huge amount of growth in terms of personnel, but also in terms of revenue as well.
So that first six months I was really doing everything from a legal perspective, employment as well, privacy. It was really fascinating, but also it's a challenge on your resources when you're doing all of that. So you have to ruthlessly triage and prioritize what is kind of key for the business and turn your attention to it. And you're very much kind of doing baseline compliance in some areas and focusing on the real high risk areas and putting your time into that.
So everyone at Figma has done it. It's kind of the six months initial trial, almost where you kind of head of HR did the same, where you're kind of coming in and you're, you're building things just on your own and looking after everything and then you start recruiting and then things become more manageable. And then it's a focus on the on the kind of the value add and the strategic rather than just the tactical. So when you not have only done this once, you've done it twice.
Stine: I think you are almost a veteran when it comes to really scaling a US company into Europe. And one of the challenges that are then I could pursue is maybe around privacy and getting that ingrained and bridging the US with the EU and working with that.
Jonathan: Yeah, this is the second time I've done this. So before Figma, I was at a company called Zero who did identity management and a very similar growth trajectory to Figma. And then we were acquired by Opta for six and a half billion. A couple of years ago now. So this is my second time around, which makes it easier because you're following a certain playbook and you've seen you've seen things happen once before. But the scale of Figma, I would say, is what makes it so unique. The challenge we're growing at a pace that is really quite unprecedented.
And the way you speak about the product is fantastic because we have that passion from all of all of our Figma customers and we have a we're a community led business like Zero was. So we kind of our business strategy was to go in and become popular with designers who would then by word of mouth, almost kind of spread the news about Figma and then generate a huge organic following that kind of then flows back up through the business, which is a brilliant way of doing business because you're kind of selling to the people who really use the product on a daily basis rather than top down.
So yeah, delighted to hear that your team are big fans. But yeah, coming back to the privacy question, this is something that is becoming, ever since the Shrems decision, and kind of the death of privacy shield. This is an area that we're spending a lot of time on with new business negotiations. So almost like duplicating the amounts of time we're spending negotiating with customers because not only are we negotiating the software licensing agreement or the MSA but then we're also negotiating the terms of the data processing and then more DPA on top of that.
It's such a slightly gray area at the moment as well in terms of what is permitted transfer, and hopefully that's going to be addressed soon with the EU and US agreeing some kind of new regime. I have my fingers crossed that these details will be announced soon.
I'm sure Mr. Shrems will want to challenge that as well. So I kind of can't rely on that too much because it's got to be tested through the courts. But yeah, this is something that's kind of adding a third to half the time again into new business negotiations. So when it comes to working with privacy, it's something that is also very close to my heart and I know it is to you too.
Stine: My own experience in the early days of GDPR was a big resistance, especially from US companies. Due to the fact that GDPR was just super complex and not adding any value, where I'm starting to see now a shift and also seeing that it's something that is used and leveraged in many ways during sales negotiations and sales processes, showing how the companies are taking GDPR seriously and working with privacy. What has been your experience during your career working both from Auth and now also with Figma?
Jonathan: Yeah, it's two very different approaches. So Auth, we had a local deployment option where you could use your Auth platform of AWS data centers within the EU. And that had all the usual caveats, the kind of like customer support, etc. that's outside of that. And we also had a private cloud deployment option, which you could use to give even greater levels of data residency. So we were pretty flexible in terms of where you wanted to host your data. Figma has traditionally been a US hosted company. So currently we only deploy the platform on AWS data centers in the US.
Now, the difference in approach is that Figma uses very minimal personal data. So it's all zero, it's stored passwords and kind of critical username and identity data where data residency was essential in order to do business. Figma is personal data lite in terms of the functionality. You only really need an email to access the platform and the rest as your product team will know, the materials you create and store in Figma are like visual, their UX, their websites, their apps. So it's a non-personal data kind of flow and repository. And we don't encourage customers to use it to host large amounts of data.
So that's how we position ourselves from a privacy perspective. That said, we're finding that now even though it's a very light touch platform for personal data angle, there are still those countries within the EU and we're seeing actually attitudes can be vastly different even within the European Union, depending on the attitudes of the supervisory authorities and the risk appetite of each sector that you're operating in.
The data residency is becoming an increasingly important subject for them and particularly in the regulated sectors like finance and insurance and medical. So, yeah, that's something we're exploring as a business and looking to potentially make some product announcements in about this. I know that a lot of our community members are seeing privacy as taking up more and more of their time.
So not only is it sales that are driving a lot of costs when it comes to legal resources internally, but it is also privacy in the sales process as well. I think the community report showed that more than % of the members were using more and more time on privacy.
Stine: And it's something that people are focusing on scaling.
Jonathan: It's a good question and my approach is that I always want the sales team to be able to self-serve as much as possible in terms of their legal and privacy resources because resourcing is one of the biggest challenges of a hyper growth company. So giving our sales team first class privacy materials that have been created by legal with conjunction with privacy professionals as well.
Jonathan: Well, for me, the priority was reviewing our DPA, making sure it reflected best practice, making sure that we had kind of the supplemental measures required under SHREMS. And alongside that, providing privacy and data protection, frequently asked questions, FAQs, documents, getting that translated into French and German so that our sales team could send that out in their first round of correspondence with the customer.
So we're already addressing the most commonly raised issues, which doesn't always clear those questions. But what it does is it sets the tone with the customer as to where we're answering all the essential questions. Then we can discuss it in more depth and nothing is new to the customer. So, yeah, giving our sales team up to date and accurate and clearly understood kind of privacy documentation was a real priority for me.
Stine: I can mention that we've as part of our platform have been in communication with Figma about your privacy efforts on behalf of several customers and received very nice responses. And I personally got a sense that it's something that they are trained in, in a good way.
Because I know that is again something that is on the mind of many in-house because you want to maybe scale your efforts and that could also be by educating so people are able to take on some of the conversations themselves.
Jonathan: Yeah, continuous education is something that we do and continuous training with the sales team. We work really closely with them and we have regular quarterly sessions where we'll be training new joiners. So we have like a new joiner program where they'll be legally certified within a certain amount of time of joining Figma.
And then we have regular updates as well. And what we'll do is look at case studies so talk through and it's not just me I will often partner with a senior sales leader, and we'll talk through how we navigated these privacy challenges with a particular customer. Typically, Germany is the focus of those because it's a very robust jurisdiction, and we tend to dive into the most detail with our German customers.
We'll talk through like how do we address this, how do we navigate issues that don't have necessarily a perfect answer on both sides, given the kind of the weird world we live in, post-SCHREMS too, and until that's cleared up, we have to live with that ambiguity. So that's really key for me is that giving the customer as much information as possible, and then informing them why a tool like Figma is relatively low risk because of the minimum amount of personal data, and then reassuring them that in addition to our privacy measures like we have our SOC, we have our ISO certifications as well.
So the data is secure, not just from a privacy perspective but from a technical perspective. And I think changing the narrative of the question to kind of point towards security of data where we're really, really strong is helpful as well. Because I don't think you can really separate privacy and security really, when it comes down to the fundamentals. I think that getting those certifications have been helpful.
And again, I know that it's on the mind of many, because often you're asked what additional security measures have you taken and in terms of the DPA you're obligated to show that you have appropriate security measures in place. So I think the certifications helped also from a legal standpoint, made those conversations go smoother. And then when you've got someone, we work closely with our security team as well so often we'll be on a call, it'll be myself, someone in security and someone in sales, so working as a team.
I think that's where the standards and everything else seem in context, less of an issue when you know that we are audited, and that we have these standards that are certifiable by third parties. So we have our EU cloud code of conduct certification through Scope Europe and I think it's the only officially approved code of conduct recognized by the Belgian data protection authorities. So we've made that register, and it's a publicly accessible register.
And it's like a self regulation so anyone who joins will commit to these common standards. And we're finding that is helping build credibility and trust with our European customers as well. So I'll put a few out there when we're talking about SOC2. That's really the American security standard that is used, especially in the US. Just a little bit of advice, a SOC type 2 is better than a SOC type 2. That's why when you're hearing that they have a SOC Type 2, you know they've been audited. You know they've gotten their approvals and that they're living up to a certain standard.
Stine: So when Jonathan is talking about that, I can easily imagine, and it's also part of my own internal checklist, do I know if they have their security in order? Well, if they have their SOC Type 2, well, they're off to a good start.
So Jonathan, if you were to kind of like put a few words or maybe share a few tricks or tips to the listeners out there, what have been some of the best kind of, let's call it quick wins for you when it came to privacy and getting on boarded with Figma and then having to support sales teams when it came to privacy?
Jonathan: Yeah, so quick wins. I think treating privacy and data protection as something that is a prerequisite rather than something that might come up with a customer. So equipping the sales team to deal with it from the start on most of our European deals, because that's in reality, that's how it works. It's something that we should proactively address.
And that's what I, the message I've translated to our sales team as well. I don't be afraid of talking about it. And the way that you can address that is by education and by providing easily understandable materials in local languages as well. And really helping the sales team to talk about these things in a more informed way. And I think that I don't think there are too many easy wins because it is such a complex topic.
The easy win for me is just to get me on a call because you can explain so much more on a call than you can in exchange of emails. And I think a radical honesty approach to privacy is let the customer know where we host our data, which is in the US, which is not ideal for all of our customers, but explain why we think that isn't a high-risk activity given the nature of the solution, given the minimal personal data and given our really high security standards. So that's been my approach. Get me involved as much as possible as early on in those discussions.
So it's not coming as a last-minute deal blocker. That's where you get issues when people get up against the clock and the deal has to close tomorrow and suddenly you've only started the data security, the privacy review that week.
Stine: So giving it appropriate runway and getting good materials in place. When it then comes to looking forward, where do you see, like firstly, you said you're hoping for the Biden executive order to hopefully make life a little easier, but what is your then maybe upcoming focus for the next.
Jonathan: Yeah, sure. So yeah, I'm hopeful there's going to be some kind of new deal announced by Biden and Mandelinda and a successor to Privacy Shield, but I'm a bit skeptical because even if that's announced, we've got to wait for a, there's going to inevitably be an appeal and that's going to take years to go through the courts, unless the EU takes some kind of proactive, the commission makes some proactive statement that this, giving direction to the courts, which I can't see happening. So I think even if there is a great new scheme announced, it's still going to take time for that to be tested.
So we've got to continue as we are going in the interim. I can see the potential for more localization as well. And then it's like, which parts do you localize of the solution first? Because it's not a copy and paste job, particularly for a product as sophisticated and deep as the Figma product.
And then there's various elements to it, like customer support. You want to provide customer support on a seven basis, but that means you're going to have to have a geographically dispersed customer support team. Then metadata as well, which it's about finding out which parts of the data map that customers really care about. And then basing our localization decisions off the back of that.
Stine: So for you, when you are looking at the people that are inspiring you, are there anyone you could kind of highlight for other people either to get inspired by or follow on LinkedIn?The community is very much about learning from each other. It's about working smarter and really leveraging other people's great ideas.
Jonathan: Yeah, there's so many LinkedIn kind of celebrities now, particularly in the legal operations sphere. But I think Alex Su at Ironclad is someone who always makes me laugh.
I love his memes. I think they're excellent. And having followed a similar trajectory, like working for kind of a traditional US law firm and then going in-house, that's quite like a lot of the issues that he highlights ring a bell and are relevant to me and my experience as well. So he's fantastic from a purely like humor and comedy perspective. But also I was fortunate enough to do a course, a leadership course in corporate counsel, which was the first kind of post-grad course offered in the world for in-house counsel at Harvard Law School.
That I did about four or five years ago now. And I was fortunate to meet some really inspiring general counsels on that course, one of whom is Anna Lysinski, who was the general counsel for L'Oreal, who has subsequently moved on to become a coach for in-house lawyers and written her own book. And she was a real trailblazer for legal operations, particularly in the APAC area of the world.
So yeah, they're two people who are active on LinkedIn, who are very inspirational fordifferent reasons. Yeah, I'm also very grateful to kind of former general counsel who I've worked under, particularly my first, so my first move in-house, I was in a, from a finance M&A background doing insolvency financial restructuring work.
It took a huge amount of faith to give me my first job in tech. So I'll always be grateful for the very first general counsel I worked for, who was someone called Deborah Morgan, who was actually, and the reason she took that gamble is because she had done a similar thing.
She'd gone from being general counsel at Barclays Capital, which was the investment bank at the time, a branch of Barclays Bank. And she had gone into software later on in her career. So I think she saw a similar career path and the core skills that you could translate, but generally that's a pretty difficult jump.
So I'll always be eternally grateful for her showing the confidence in me. And yeah, she was the first female general counsel in the investment bank in the UK. And she's a, yeah, she's a real trailblazer and someone who I still consult for advice. So with those types of trailblazers, as you said, Jonathan, you have been that for us as well.
Stine: So thank you so much for joining us today and for sharing your background, your journey and your take on privacy for great companies like Figma.
Thank you so much for listening to Inspiring Legal. Remember to subscribe and if you want more information, you can always go to openli.com/community.