It was used to manage IT and control risks, specifically around network infrastructure and particular assets.

We use OneTrust GRC to evaluate internal and external projects for risk.

Initially, we used the product to ensure our company in Brazil followed the recent data protection guidelines. Brazil has data protection laws very similar to GDPR in Europe. We focus on managing data usage and management policies.

I use the solution when internal customers want to engage with a third party through some type of cloud-based system. Right away I start reviewing from that perspective and I get the vendor's information that they are looking to engage with, I input the information into this solution. This solution has a process where I can send questionnaires out to the new prospective vendor. That prospective vendor will provision themselves into the solution by inputting all their information. This prevents me from inputting any information incorrectly. 

At this stage, I review all the information. The vendor will also upload all of their security documentation. This includes anything they can show that they are performing security best practices on behalf of their customers like us. This solution gives me the ability to double-check that information. I can do a risk review and risk rate it. There is a backend that will do a crowdsourcing type feature. For example, if there are other customers that have reviewed this particular vendor before, I can actually piggyback on that collected information and make my own judgment on whether or not it is a good fit for our environment.

We use this solution for the management of our Privacy Program with a single solution. It helps to show compliance with regulations like GDPR, or CCPA. Vendor Risk Management was one of the main modules we wanted, but having the benefit of additional solutions within the same platform was what convinced us to go with OneTrust.

In particular, we were interested in Application inventory, Records of Processing Activities, Website Scanning and Cookie Compliance, Incident Response, Data Mapping, and Assessment Automation.

The Data Subject Request Module is very helpful to deal with requests and automate data collection. OneTrust also includes Maturity and Benchmark assessments.

I mainly use OneTrust GRC for our incident response workflow and third-party risk management.