German Podcast Episode #224: Rahul's Experience with OneTrust, the Privacy Management Software
12 minutes
Description
6 months ago
Neha: The pleasure is all mine! Today we want to delve deeply into your practical experiences with the privacy management software OneTrust. A tool that is absolutely indispensable in today's data-driven world to ensure compliance, especially with the GDPR. Let's start right away with a core element, the Data Protection Impact Assessment, or DPIA. Rahul, how did you concretely set up a workflow for a DPIA according to Article 35 GDPR in OneTrust?

Rahul: Exactly, the starting point is always a template tailored directly to the requirements of Article 35. I then configure a detailed questionnaire where the business units must provide information on the categories of data processed, the purposes of processing, the recipients, and any transfers to third countries. Based on these inputs, the system then automatically assesses the risk, so low, medium, or high.

Neha: And for high-risk assessments, an automatic escalation mechanism hopefully kicks in, right? Because that's the critical point.

Rahul: Absolutely. That's precisely why you set up an automatic escalation to the Data Protection Officer. The final report is archived and is immediately available for a potential inquiry from the supervisory authority. I carried out this entire process, for example, at my former employer, for a clinical trial platform. We were processing highly sensitive health data there, and OneTrust helped us identify the risks early on.

Neha: That's a perfect example. What concrete measures were you able to take as a result?

Rahul: OneTrust enabled us to act proactively. As a result, we introduced pseudonymization and enhanced 'Human Oversight', among other things. This not only fulfilled the requirements of Art. 35 GDPR but also acted in the spirit of the Google Spain case, where the ECJ emphasized the need for particularly careful balancing of interests.

Neha: Very important. But OneTrust is more than just DPIAs. A huge topic is vendor risk management. How did you use the tool to automate third-party risk assessments and the management of Standard Contractual Clauses, the SCCs?

Rahul: Right, that's a central use case. I configured automated questionnaires that are sent directly to the third-party vendors. These check their technical and organizational measures, the TOMs, and the data flows. The system evaluates the answers and immediately marks missing safeguards or risky data transfers outside the EU without SCCs in red. Subsequently, I integrated the SCCs according to Article 46 GDPR into the contracts and documented this process meticulously in OneTrust.

Neha: Meticulous documentation was, especially after the Schrems II ruling by the ECJ, no longer just nice-to-have but absolutely critical.

Rahul: Exactly. At MetLife, I oversaw over 200 such vendor assessments. After Schrems II (July 2020), it was vital for survival that we not only implemented the SCCs but also meticulously documented their implementation. To get an even more comprehensive picture, I often used TrustArc additionally to be able to comparatively evaluate international vendors against both U.S. and EU standards.

Neha: Very prudent. Let's come to a topic where every second counts: Incident Response. The 72-hour notification duty for data breaches is a tremendous challenge. How does OneTrust support that in practice?

Rahul: By rehearsing the processes beforehand. I configured so-called breach simulations in OneTrust. If an incident is logged, the system automatically classifies its severity and, this is crucial, a 72-hour timer starts immediately. In parallel, the software already generates drafts for the notifications to the supervisory authorities and the data subjects, as required by Articles 33 and 34 GDPR.

Neha: It sounds like you can save valuable hours and minutes in an emergency that way.

Rahul: Precisely. At MetLife, we practice...
***
Read German text here:
https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing
***