German Podcast Episode #220: Rahuls Schlüsselerfolge als Senior IT Counsel seit 2010

Neha: Hello and a warm welcome to the seventh episode of our mini-series "Rahul’s Key Achievements as Senior IT Counsel since 2010" – Episode 220 of our podcast. Today, we’re discussing GDPR implementation, specifically privacy-by-design, vendor data processing agreements (DPAs), and data transfer safeguards. Rahul, you’ve often emphasized that companies like Microsoft or Salesforce set benchmarks when the GDPR took effect. But what does this mean practically?

Rahul: Thanks, Neha. Exactly, these companies integrated privacy-by-design into their development processes and signed GDPR-compliant agreements with all vendors processing EU personal data by the deadline. A negative example is the Marriott data breach in 2019: The UK ICO imposed an £18 million fine because Marriott neither vetted a vendor’s security nor had contractual safeguards. I avoided such risks at my former employer by aligning our vendor DPAs and safeguards with companies like Novartis or Pfizer – both clients of my former employer.

Neha: That’s a key point! You also mention privacy-by-design as technical implementation – similar to Apple’s iOS, where privacy is built-in via differential privacy or on-device data processing. How did you implement this at your former employer?

Rahul: I instructed engineering and procurement to integrate data minimization and encryption from the outset. I also contractually obligated vendors to do the same. A concrete example: When designing our platform, I advocated collecting only data necessary for trial outcomes. I also recommended hashing patient IDs so vendors never see direct identifiers – real-world privacy-by-design in practice.

Neha: Fascinating! Another major event was Schrems II in 2020, which invalidated the EU-US Privacy Shield. Many companies scrambled to secure data transfers. How did you preempt this?

Rahul: At my former employer, we worked with a US cloud host and an Indian data analytics provider. For the US vendor, I implemented Standard Contractual Clauses (SCCs), activated EU data centers, and added end-to-end encryption as an "additional measure" per EDPB guidance post-Schrems II. The Indian vendor similarly followed SCCs plus pseudonymization. This allowed our clinical trials to continue smoothly, even when other firms halted EU-US data transfers.

Neha: Practical! This avoids fines like WhatsApp’s €225 million penalty in 2021 for inadequate transparency and operational hiccups. You even mention a specific situation at your former employer...

Rahul: Yes! When a trial participant exercised their GDPR right to erasure, we could flow the request to all vendors thanks to robust contractual clauses. Without this prep – as in the Dedalus case – it could have led to complaints. In short: My measures aligned with both the letter and spirit of GDPR (Arts. 25, 28, 44-49) and shielded us from audits, like those by CNIL for pharma companies or the Bavarian DPA, which criticized US cloud usage without extra safeguards in 2020.

Neha: A comprehensive approach – thanks, Rahul! Next time, we’ll cover AI-specific compliance challenges. Until then, goodbye!

***

Read German text here:

https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?pli=1&tab=t.0

***
