OneTrust GRC Review

An all-in-one solution for our privacy program that assists with data collection and compliance

What is our primary use case?

We use this solution for the management of our Privacy Program with a single solution. It helps to show compliance with regulations like GDPR, or CCPA. Vendor Risk Management was one of the main modules we wanted, but having the benefit of additional solutions within the same platform was what convinced us to go with OneTrust.

In particular, we were interested in Application inventory, Records of Processing Activities, Website Scanning and Cookie Compliance, Incident Response, Data Mapping, and Assessment Automation.

The Data Subject Request Module is very helpful to deal with requests and automate data collection. OneTrust also includes Maturity and Benchmark assessments.

How has it helped my organization?

We are still at the beginning, but OneTrust will help us to tie all of the components together for our Privacy Program. Vendors can be assessed and rated out of the tool, and assessments can be scheduled for updates at certain intervals. We can tie the Applications and Processing activities to the vendor to obtain a complete picture.

What is most valuable?

The biggest plus for us is that everything we need for our Privacy Program is in one single tool. There is no switching between different applications, or merging data from different tools, needed to generate our reports. It is a single platform with everything we need.

OneTrust is also very easy and intuitive to use. The Vendorpedia library is very useful when adding new vendors, as it contains information about the Privacy Shield status and other risk framework certificates. OneTrust offers to assess vendors on behalf of the customer, which offloads the follow-up work with vendors on assessments.

What needs improvement?

For the Vendor Risk Module I see only minor functionality improvements needed. Many are already being addressed and OneTrust is very responsive to customer feedback and suggestions. The Vendor Risk dashboard has seen a lot of improvement and is now interactive. Release frequency is three to four weeks.

For how long have I used the solution?

Eight months.

What do I think about the stability of the solution?

We have not seen any stability issues. This includes both before and after version upgrades.

What do I think about the scalability of the solution?

So far, the product seems to scale very well.

How are customer service and technical support?

The support team is very responsive to requests and questions, although we haven't had major issues that would necessitate having to fully use it. They quickly add escalation resources to overcome challenges.

Which solution did I use previously and why did I switch?

We did not use a different solution. We chose OneTrust to build our Privacy Program including Vendor Risk Management.

How was the initial setup?

This initial setup of this solution was easy. The data import depends on the quality and completeness of your data, but that would be the same for every tool.

What about the implementation team?

We used vendor resources to perform the basic configuration and help with the initial data import. I have no complaints with their knowledge and expertise, and the team is very responsive.

What was our ROI?

We have a lot of different functionality and automation in one single tool. This helps a small team to tackle different areas easily.

What's my experience with pricing, setup cost, and licensing?

I found the pricing and setup cost very reasonable.

Which other solutions did I evaluate?

We looked at RSA Archer and MetricStream. Both were very good at what they do, but we wanted the additional options that OneTrust gave us in areas outside of Vendor Risk in the same tool. Pricing did play a role, as well as ease of use. 

What other advice do I have?

You always need to do your homework and determine what you need. With that, you can go out and compare products to determine what the best fit is for your organization. For us, having many different modules in one solution was a big plus.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


Which version of this solution are you currently using?

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment