Neha: The pleasure is all mine! Today we want to delve deeply into your practical experiences with the privacy management software OneTrust. A tool that is absolutely indispensable in today's data-driven world to ensure compliance, especially with the GDPR. Let's start right away with a core element, the Data Protection Impact Assessment, or DPIA. Rahul, how did you concretely set up a workflow for a DPIA according to Article 35 GDPR in OneTrust?

Rahul: Exactly, the starting point is always a template tailored directly to the requirements of Article 35. I then configure a detailed questionnaire where the business units must provide information on the categories of data processed, the purposes of processing, the recipients, and any transfers to third countries. Based on these inputs, the system then automatically assesses the risk – so low, medium, or high.

Neha: And for high-risk assessments, an automatic escalation mechanism hopefully kicks in, right? Because that's the critical point.

Rahul: Absolutely. That's precisely why you set up an automatic escalation to the Data Protection Officer. The final report is archived and is immediately available for a potential inquiry from the supervisory authority. I carried out this entire process, for example, at my former employer, for a clinical trial platform. We were processing highly sensitive health data there, and OneTrust helped us identify the risks early on.

Neha: That's a perfect example. What concrete measures were you able to take as a result?

Rahul: OneTrust enabled us to act proactively. As a result, we introduced pseudonymization and enhanced 'Human Oversight', among other things. This not only fulfilled the requirements of Art. 35 GDPR but also acted in the spirit of the Google Spain case, where the ECJ emphasized the need for particularly careful balancing of interests.

Neha: Very important. But OneTrust is more than just DPIAs. A huge topic is vendor risk management. How did you use the tool to automate third-party risk assessments and the management of Standard Contractual Clauses, the SCCs?

Rahul: Right, that's a central use case. I configured automated questionnaires that are sent directly to the third-party vendors. These check their technical and organizational measures, the TOMs, and the data flows. The system evaluates the answers and immediately marks missing safeguards or risky data transfers outside the EU without SCCs in red. Subsequently, I integrated the SCCs according to Article 46 GDPR into the contracts and documented this process meticulously in OneTrust.

Neha: Meticulous documentation was, especially after the Schrems II ruling by the ECJ, no longer just nice-to-have but absolutely critical.

Rahul: Exactly. At MetLife, I oversaw over 200 such vendor assessments. After Schrems II (July 2020), it was vital for survival that we not only implemented the SCCs but also meticulously documented their implementation. To get an even more comprehensive picture, I often used TrustArc additionally to be able to comparatively evaluate international vendors against both U.S. and EU standards.

Neha: Very prudent. Let's come to a topic where every second counts: Incident Response. The 72-hour notification duty for data breaches is a tremendous challenge. How does OneTrust support that in practice?

Rahul: By rehearsing the processes beforehand. I configured so-called breach simulations in OneTrust. If an incident is logged, the system automatically classifies its severity and – this is crucial – a 72-hour timer starts immediately. In parallel, the software already generates drafts for the notifications to the supervisory authorities and the data subjects, as required by Articles 33 and 34 GDPR.

Neha: It sounds like you can save valuable hours and minutes in an emergency that way.

Rahul: Precisely. At MetLife, we practice...

***

Read German text here:

https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing

***

Neha: Hello dear listeners! A warm welcome to a new episode of our mini-series about Rahul's key achievements as Senior IT Counsel since 2010. Today we're focusing on international AI governance – a field requiring deep cross-border expertise. Rahul, you collaborated with teams in Germany, India, and the USA to shape global AI governance. What makes this cross-border collaboration so complex?

Rahul: The core lies in the extremely divergent legal frameworks, Neha. Compare just the EU with its strict AI approach, India's data protection laws still emerging until 2023, and the fragmented US regulatory environment. A prime example: WhatsApp's challenges in 2021 – the EU enforced privacy policy changes while Indian regulators questioned the same policy. Genuine collaboration can cushion such divergences.

Neha: Fascinating! You mentioned sharing knowledge through company-wide GDPR implementation. How does this create a unified foundation?

Rahul: By establishing GDPR as a global benchmark – even for India and the US. Another key issue: Data transfers post-"Schrems II". We formed task forces to manage EU-India/US transfers via Standard Contractual Clauses. That's lived legal collaboration.

Neha: This extends beyond pure legal aspects, right? You mentioned cultural differences, like employee involvement.

Rahul: Exactly! German works councils must be consulted for AI monitoring – not required in India. I ensured German requirements like employee notifications were respected worldwide. Similar to how Microsoft extended GDPR rights globally.

Neha: Let's explore your practical example. At your former company with customers and stakeholders in Germany and the USA – how did you structure AI governance?

Rahul: The Bi-national "AI Governance Council" with legal and technical experts from both regions was crucial. Together we developed a unified policy aligned with the strictest standard – GDPR plus the upcoming EU AI Act as baseline.

Neha: What advantage did this offer regions with more lenient laws like India at that time?

Rahul: Even the Indian office followed high privacy and transparency standards – though not locally required. This prevented fragmentation and prepared us for new laws like India's DPDP Act 2023.

Neha: How did knowledge exchange work concretely in the council?

Rahul: The German team shared DPIA methods for AI, and the US team shared NIST risk management practices. This ensured AI models were built to GDPR principles from inception – no retrofitting needed.

Neha: Practical benefit during problems? Say, a bias incident in Germany.

Rahul: Precisely! If bias was detected in Germany through an AI audit, the global team used these findings for preventive correction in all regions. This avoided potential US lawsuits or Indian regulatory proceedings – global synergy instead of silos.

Neha: Which legal foundations support this approach?

Rahul: No direct "collaboration law," but: GDPR became a de facto global standard. OECD AI Principles and GPAI promote international ethics consistency. We leveraged these "soft laws" to create internal policies meeting Germany's strictness while influencing India/US early.

Neha: How do you respond to different supervisory bodies – EU Data Protection Board, India's new Data Protection Authority,or US’s FTC?

Rahul: A unified global policy is key here! It demonstrates we apply high standards worldwide. Also regarding employee rights: We reduced disparities between German co-determination and US regulations – minimizing conflict risks.

Neha: So fundamentally: Leadership through proactive harmonization?

Rahul: Yes! We smoothed regulatory differences and were prepared when laws caught up in more lenient jurisdictions. This forward-looking risk management builds trust with regulators – potentially even milder sanctions if issues arise.

***

Read German text here:

https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing

***

Neha: Also, du hast von 2022 bis 2024 als Head of Contracting bei einer deutschen Firma gearbeitet. Erzähl unseren Zuhörern etwas über deine aktuelle Tätigkeit bei Sigal SMS GmbH in Leipzig.

Rahul: Gerne. Bei Sigal SMS, einem deutschlandweiten Netzwerk von Studienzentren für klinische Forschung, leitete ich seit Anfang 2022 die Vertragsabteilung. Dort habe ich zum Beispiel unsere Vertragsprozesse komplett neu aufgesetzt, um sie DSGVO-konform zu machen. Wir haben dafür unter anderem ein Contract Lifecycle Management eingeführt, zum Beispiel DocuSign CLM, und standardisierte Vorlagen erstellt. Das hat die Bearbeitungszeit für Verträge um etwa 40 % verkürzt.

Neha: 40 % schnellere Abläufe durch eine neue CLM-Implementierung – das ist beeindruckend. Welche weiteren konkreten Maßnahmen hast du bei Sigal SMS umgesetzt?

Rahul: Neben den neuen Templates habe ich rund 200 interne Risikoprüfungen geleitet. Dabei haben wir maßgeschneiderte Datenschutz- und Compliance-Klauseln entwickelt und in die Verträge integriert. Dadurch konnten wir die Verhandlungszeiten um weitere 30 % senken.

Neha: Das klingt nach intensivem Stakeholder-Management. Mit welchen Teams und Abteilungen hast du dafür zusammengearbeitet?

Rahul: Ich habe eng mit unseren technischen und finanziellen Teams sowie mit dem klinischen Studienmanagement zusammengearbeitet. Da Sigal SMS auch international tätig ist, koordinierten wir parallel in Europa und den USA. Wir nutzten Tools wie SharePoint für das Dokumentenmanagement, um alle auf dem gleichen Stand zu halten.

Neha: Du hast erwähnt, dass Sigal SMS sich um klinische Studien kümmert. Wie wichtig ist dabei die Einhaltung von Datenschutzrichtlinien?

Rahul: Sehr wichtig. In klinischen Studien verarbeiten wir besonders schützenswerte Gesundheitsdaten. Daher war es essenziell, DSGVO-konforme Prozesse einzuführen – zum Beispiel standardisierte Vereinbarungen mit Ärzten und Sponsoren, die alle Datenschutzbestimmungen enthalten. Das war Teil unserer 40 %-Effizienzsteigerung.

Neha: Spannend. Und bevor du zu Sigal SMS kamst, warst du bei MetLife, einer Fortune 500 Firma aus den USA tätig?

Rahul: Ja, von 2016 bis 2020 war ich Lead Procurements Counsel bei MetLife in Indien. Dort war ich für Beschaffungsverträge im IT- und Cloud-Bereich zuständig.

Neha: Über 400 IT-Verträge – das war in deinem Lebenslauf zu lesen. Wie sah diese Aufgabe genau aus?

Rahul: Genau, ich habe über 400 Cloud- und IT-Beschaffungsverträge mitgestaltet und verhandelt. Dabei habe ich unsere Beschaffungsvorlagen so angepasst, dass sie DSGVO- und KI-Compliance-Klauseln enthalten. Außerdem haben wir auf aktuelle rechtliche Entwicklungen reagiert, zum Beispiel nach Schrems II, indem wir neue Standardvertragsklauseln eingebunden haben.

Neha: Und wie war es, in einem amerikanischen Konzern zu arbeiten? War das ein großer Unterschied für dich im Vergleich zu deiner Arbeit in Deutschland?

Rahul: Der kulturelle Unterschied war zwar da, aber als Jurist, der bei internationalen Projekten arbeitet, war ich es gewohnt. Bei MetLife habe ich vor allem mit Lieferanten verhandelt und eng mit den Rechtsabteilungen in Europa zusammengearbeitet, zum Beispiel um US-Datenschutzstandards mit der DSGVO zu verbinden. Das hat mir gezeigt, wie wichtig globale Compliance ist.

Neha: Außerdem hast du dort Junior-Juristen betreut, richtig?

Rahul: Richtig, ich habe On-the-Job-Schulungen für über zehn Nachwuchsjuristen durchgeführt und sie bei ihrer Karriere-entwicklung unterstützt. Das hat mir geholfen, Führungsaufgaben zu übernehmen.

Neha: Früher warst du bei Thomson Reuters. Was waren dort deine Aufgaben?

Rahul: Bei Thomson Reuters war ich zwischen 2013 und 2016 als Assistant Manager in der Vertragsgestaltung tätig. Ich habe über 200 IT-Softwareverträge verhandelt, insbesondere SaaS- und KI-Lizenzverträge. Im Fokus standen dabei IP-Klauseln und Nutzungsrechte...

***

Read full text here:

https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing

***