OneTrust GRC Reviews

We use this solution for the management of our Privacy Program with a single solution. It helps to show compliance with regulations like GDPR, or CCPA. Vendor Risk Management was one of the main modules we wanted, but having the benefit of additional solutions within the same platform was what convinced us to go with OneTrust.

In particular, we were interested in Application inventory, Records of Processing Activities, Website Scanning and Cookie Compliance, Incident Response, Data Mapping, and Assessment Automation.

The Data Subject Request Module is very helpful to deal with requests and automate data collection. OneTrust also includes Maturity and Benchmark assessments.

We are still at the beginning, but OneTrust will help us to tie all of the components together for our Privacy Program. Vendors can be assessed and rated out of the tool, and assessments can be scheduled for updates at certain intervals. We can tie the Applications and Processing activities to the vendor to obtain a complete picture.

The biggest plus for us is that everything we need for our Privacy Program is in one single tool. There is no switching between different applications, or merging data from different tools, needed to generate our reports. It is a single platform with everything we need.

OneTrust is also very easy and intuitive to use. The Vendorpedia library is very useful when adding new vendors, as it contains information about the Privacy Shield status and other risk framework certificates. OneTrust offers to assess vendors on behalf of the customer, which offloads the follow-up work with vendors on assessments.

For the Vendor Risk Module I see only minor functionality improvements needed. Many are already being addressed and OneTrust is very responsive to customer feedback and suggestions. The Vendor Risk dashboard has seen a lot of improvement and is now interactive. Release frequency is three to four weeks.

Eight months.

We have not seen any stability issues. This includes both before and after version upgrades.

So far, the product seems to scale very well.

The support team is very responsive to requests and questions, although we haven't had major issues that would necessitate having to fully use it. They quickly add escalation resources to overcome challenges.

We did not use a different solution. We chose OneTrust to build our Privacy Program including Vendor Risk Management.

This initial setup of this solution was easy. The data import depends on the quality and completeness of your data, but that would be the same for every tool.

We used vendor resources to perform the basic configuration and help with the initial data import. I have no complaints with their knowledge and expertise, and the team is very responsive.

We have a lot of different functionality and automation in one single tool. This helps a small team to tackle different areas easily.

I found the pricing and setup cost very reasonable.

We looked at RSA Archer and MetricStream. Both were very good at what they do, but we wanted the additional options that OneTrust gave us in areas outside of Vendor Risk in the same tool. Pricing did play a role, as well as ease of use. 

You always need to do your homework and determine what you need. With that, you can go out and compare products to determine what the best fit is for your organization. For us, having many different modules in one solution was a big plus.

We use OneTrust GRC to evaluate internal and external projects for risk.

It does help in the automation of our privacy impact assessments.

The product itself, and perhaps most importantly, is not truly designed to fit the way people and users do their work.

There are limitations to customized workflow automation, and they need to increase both the available automation and the customized workflow.

I have been using OneTrust GRC for one year.

We are working with Athena, which is a specialized version of the OneTrust GRC platform.

OneTrust GRC is quite stable.

I would rate the stability of OneTrust GRC an eight out of ten.

OneTrust GRC is a scalable product.

I would rate the scalability of this solution an eight out of ten.

Technical support could be improved.

I would rate the technical support a three out of ten.

There are weaknesses in the implementation team, just getting up and running is difficult.

I am not aware of the pricing. I am not involved in the budgeting process.

They need to evaluate it carefully because not all of the different functionalities are developed to the same level of sophistication.

I would rate OneTrust GRC a six out of ten.

Initially, we used the product to ensure our company in Brazil followed the recent data protection guidelines. Brazil has data protection laws very similar to GDPR in Europe. We focus on managing data usage and management policies.

The product helps us streamline audit and incident management processes. There's also a focus on third-party risk management.

The workflow approval process is valuable.

The product is not that easy to set up. It is also not easy to get used to the naming convention. It requires in-depth training.

I have been using the solution for three months. I am using the latest version of the solution.

I rate the solution’s stability a nine out of ten.

The tool is very, very scalable. I rate the scalability a nine out of ten.

The solution is deployed on the cloud. The initial setup is very, very hard.

We see a return on investment. We manage our console much faster.

The solution is expensive.

I would recommend the product to others. It's not a silver bullet. If someone doesn’t have the process in place, the tool won't help them. Overall, I rate the solution a nine out of ten.

We encounter difficulties creating multiple platforms or interfaces and manual processes for changing certain settings. Additionally, they could work on the issue related to a controller release in the development environment.

We have been using OneTrust GRC for three years.

The platform is stable.

We have around more than 20 OneTrust GRC users in our organization.

The technical support services are good.

Positive

The initial setup process is simple.

The platform is expensive.

The product's feature for automation assists them in workflow management. We receive notifications or cases and prioritize them accordingly, which helps us address issues promptly. It keeps them informed about the company's activities at all times.

Overall, I rate it an eight out of ten.

I use the solution when internal customers want to engage with a third party through some type of cloud-based system. Right away I start reviewing from that perspective and I get the vendor's information that they are looking to engage with, I input the information into this solution. This solution has a process where I can send questionnaires out to the new prospective vendor. That prospective vendor will provision themselves into the solution by inputting all their information. This prevents me from inputting any information incorrectly. 

At this stage, I review all the information. The vendor will also upload all of their security documentation. This includes anything they can show that they are performing security best practices on behalf of their customers like us. This solution gives me the ability to double-check that information. I can do a risk review and risk rate it. There is a backend that will do a crowdsourcing type feature. For example, if there are other customers that have reviewed this particular vendor before, I can actually piggyback on that collected information and make my own judgment on whether or not it is a good fit for our environment.

By using this solution it has allowed me to free up some of my time and use my resources in other areas. Prior to using this solution, everything was done through a spreadsheet. Now with this solution, a lot of it is relational databases rather than a spreadsheet flat table. This solution also allows automation. You can start automating a lot of your processes as opposed to the manual process of using spreadsheets.

One of the valuable features of this solution is it has the ability to review fourth and fifth parties to the nth degree. 

What this means is, a vendor that is going to engage with us is called a third party. However, sometimes these vendors have their own vendors. The first example, this solution is a third party to us, but this solution uses Azure as their backend database, this is the fourth party to us. I am fine with this because I know Azure is doing its best due diligence with security best practices.

The comparative example, this solution wanted to start using an unknown company, such as Mike and Bob's server farm in Bob's garage as a vendor. I do not know who Mike and Bob are, if they had followed security best practices, do they close that garage door at the end of the night, or do they leave it wide open. All of our data could be sitting on those servers in that garage exposed. I would want to review that fourth party.

As vendors, as our internal customers are bringing these vendors on board with us, they go through this committee. I look at the third party level and question if they have any significant fourth parties. I do not really care about all the small little vendors, such as the person that mows their lawn outside of their office building. However, I do care about a significant fourth party, for example, someone that may be hosting our data on behalf of this third party. This solution allows me to go deep into that information, where other third party risk management platforms that we have reviewed are not able to do. They typically only do the third party level and not the fourth.

They could improve by offering free help. A solution, a lot of times, is not just the use of the solution. For example, it is the overall engagement, how well do they support the system, what is their SLA, and how long their response time is to an issue. It would be beneficial if they had some type of professional services where they offer the first five hours of professional services a year for free. That would be a substantial benefit rather than having to buy professional services or professional services packages.

I have been using the solution for two months.

I have not had any issue with the stability of the solution.

The solution is in the cloud which allows it to scale very well.

The initial installation is straightforward. However, it can be as complex as you want to make it depending on how many internal systems you want to add. The time for installation typically takes three weeks.

We have evaluated other similar solutions and we choose this solution because it allows reviews of more than just the third party vendors.

I rate OneTrust GRC a ten out of ten.

I mainly use OneTrust GRC for our incident response workflow and third-party risk management.

OneTrust GRC's workflows aren't automated and need to be manually driven. Its audit and compliance also aren't very flexible, and the integration between its different modules isn't 100% and needs to be improved.

I've been using OneTrust GRC for about a year and a half.

OneTrust GRC is stable. 

OneTrust's technical support is very helpful and open to feedback, but their workflow means that their response can take anywhere from a week to months, depending on the issue.

OneTrust GRC's initial setup wasn't difficult, but the problems with integration make it cumbersome.

OneTrust GRC's licensing costs about $15,000 per module.

I would advise those thinking of implementing OneTrust GRC to make sure they have all their requirements clearly defined and make sure they're met, bearing in mind that OneTrust GRC is not a mature tool. I would give OneTrust GRC a rating of six out of ten.