Neha: The pleasure is all mine! Today we want to delve deeply into your practical experiences with the privacy management software OneTrust. A tool that is absolutely indispensable in today's data-driven world to ensure compliance, especially with the GDPR. Let's start right away with a core element, the Data Protection Impact Assessment, or DPIA. Rahul, how did you concretely set up a workflow for a DPIA according to Article 35 GDPR in OneTrust?

Rahul: Exactly, the starting point is always a template tailored directly to the requirements of Article 35. I then configure a detailed questionnaire where the business units must provide information on the categories of data processed, the purposes of processing, the recipients, and any transfers to third countries. Based on these inputs, the system then automatically assesses the risk – so low, medium, or high.

Neha: And for high-risk assessments, an automatic escalation mechanism hopefully kicks in, right? Because that's the critical point.

Rahul: Absolutely. That's precisely why you set up an automatic escalation to the Data Protection Officer. The final report is archived and is immediately available for a potential inquiry from the supervisory authority. I carried out this entire process, for example, at my former employer, for a clinical trial platform. We were processing highly sensitive health data there, and OneTrust helped us identify the risks early on.

Neha: That's a perfect example. What concrete measures were you able to take as a result?

Rahul: OneTrust enabled us to act proactively. As a result, we introduced pseudonymization and enhanced 'Human Oversight', among other things. This not only fulfilled the requirements of Art. 35 GDPR but also acted in the spirit of the Google Spain case, where the ECJ emphasized the need for particularly careful balancing of interests.

Neha: Very important. But OneTrust is more than just DPIAs. A huge topic is vendor risk management. How did you use the tool to automate third-party risk assessments and the management of Standard Contractual Clauses, the SCCs?

Rahul: Right, that's a central use case. I configured automated questionnaires that are sent directly to the third-party vendors. These check their technical and organizational measures, the TOMs, and the data flows. The system evaluates the answers and immediately marks missing safeguards or risky data transfers outside the EU without SCCs in red. Subsequently, I integrated the SCCs according to Article 46 GDPR into the contracts and documented this process meticulously in OneTrust.

Neha: Meticulous documentation was, especially after the Schrems II ruling by the ECJ, no longer just nice-to-have but absolutely critical.

Rahul: Exactly. At MetLife, I oversaw over 200 such vendor assessments. After Schrems II (July 2020), it was vital for survival that we not only implemented the SCCs but also meticulously documented their implementation. To get an even more comprehensive picture, I often used TrustArc additionally to be able to comparatively evaluate international vendors against both U.S. and EU standards.

Neha: Very prudent. Let's come to a topic where every second counts: Incident Response. The 72-hour notification duty for data breaches is a tremendous challenge. How does OneTrust support that in practice?

Rahul: By rehearsing the processes beforehand. I configured so-called breach simulations in OneTrust. If an incident is logged, the system automatically classifies its severity and – this is crucial – a 72-hour timer starts immediately. In parallel, the software already generates drafts for the notifications to the supervisory authorities and the data subjects, as required by Articles 33 and 34 GDPR.

Neha: It sounds like you can save valuable hours and minutes in an emergency that way.

Rahul: Precisely. At MetLife, we practice...

***

Read German text here:

https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing

***