OneTrust GRC Reviews

We are using OneTrust to implement data privacy within our organization.

We have data from Jira regarding addiction related to Europe as well as California. Additionally, we have data related to the Indian Data Protection Bill. Therefore, GDPR compliance is highly beneficial. The CPA also benefits from this. Data subjects are granted specific rights, known as DSR, making DSI crucial. With OneTrust, communication with data subjects is streamlined, allowing them to make requests, which we then process and fulfill using Alpha OneTrust. If a supervisory authority requests documentation from our company, we prepare Article 30 documents.

Everything is interconnected. While it might seem overwhelming to select specific digital options, each feature offers benefits. They provide extensive settings and details.

There are several areas for improvement. One is the integration capability. Connecting various DSAR systems can be time-consuming if a single integration takes months to complete. This integration challenge becomes more pronounced as data volumes grow and spread across different systems. One potential solution could be dedicating resources to support integration efforts, preferably individuals familiar with the OneTrust platform and the systems it needs to integrate. This approach could streamline the integration process and mitigate potential missteps, even for non-technical personnel.

I have been using OneTrust GRC for almost two and a half years.

If I'm in a meeting and presenting somebody on OneTrust. It takes some time to load from one page to another page.

I rate the solution's stability an eight out of ten.

Scalability is not an issue.

Technical support is good. Whatever knowledge they have, they are providing us. They come and perform the things we want exactly. We are in between the support of OneTrust and ServiceNow. Each time, we have to contact OneTrust, then the respective system owner. The process could become better than it is now.

Positive

If we use a particular module and find it very beneficial, then it is a good value for the price. There have been instances where we haven't used some modules despite paying for them last year. The pricing is reasonable, but we need to ensure we're maximizing the value of what we're paying for.

OneTrust GRC integration can present some challenges, particularly for those without a technical background. It involves instances that may require some knowledge. Connectivity issues might arise, leading to disruptions. Despite these hurdles, efforts are being made to address and manage these challenges more efficiently.

I recommend the solution because it is cheap and valuable. Also, companies are becoming more aware of privacy. Privacy is directly proportional to these tools. OneTrust provides free certifications.

Overall, I rate the solution a nine out of ten.

We use OneTrust GRC to evaluate internal and external projects for risk.

It does help in the automation of our privacy impact assessments.

The product itself, and perhaps most importantly, is not truly designed to fit the way people and users do their work.

There are limitations to customized workflow automation, and they need to increase both the available automation and the customized workflow.

I have been using OneTrust GRC for one year.

We are working with Athena, which is a specialized version of the OneTrust GRC platform.

OneTrust GRC is quite stable.

I would rate the stability of OneTrust GRC an eight out of ten.

OneTrust GRC is a scalable product.

I would rate the scalability of this solution an eight out of ten.

Technical support could be improved.

I would rate the technical support a three out of ten.

There are weaknesses in the implementation team, just getting up and running is difficult.

I am not aware of the pricing. I am not involved in the budgeting process.

They need to evaluate it carefully because not all of the different functionalities are developed to the same level of sophistication.

I would rate OneTrust GRC a six out of ten.

Initially, we used the product to ensure our company in Brazil followed the recent data protection guidelines. Brazil has data protection laws very similar to GDPR in Europe. We focus on managing data usage and management policies.

The product helps us streamline audit and incident management processes. There's also a focus on third-party risk management.

The workflow approval process is valuable.

The product is not that easy to set up. It is also not easy to get used to the naming convention. It requires in-depth training.

I have been using the solution for three months. I am using the latest version of the solution.

I rate the solution’s stability a nine out of ten.

The tool is very, very scalable. I rate the scalability a nine out of ten.

The solution is deployed on the cloud. The initial setup is very, very hard.

We see a return on investment. We manage our console much faster.

The solution is expensive.

I would recommend the product to others. It's not a silver bullet. If someone doesn’t have the process in place, the tool won't help them. Overall, I rate the solution a nine out of ten.

I use the solution when internal customers want to engage with a third party through some type of cloud-based system. Right away I start reviewing from that perspective and I get the vendor's information that they are looking to engage with, I input the information into this solution. This solution has a process where I can send questionnaires out to the new prospective vendor. That prospective vendor will provision themselves into the solution by inputting all their information. This prevents me from inputting any information incorrectly. 

At this stage, I review all the information. The vendor will also upload all of their security documentation. This includes anything they can show that they are performing security best practices on behalf of their customers like us. This solution gives me the ability to double-check that information. I can do a risk review and risk rate it. There is a backend that will do a crowdsourcing type feature. For example, if there are other customers that have reviewed this particular vendor before, I can actually piggyback on that collected information and make my own judgment on whether or not it is a good fit for our environment.

By using this solution it has allowed me to free up some of my time and use my resources in other areas. Prior to using this solution, everything was done through a spreadsheet. Now with this solution, a lot of it is relational databases rather than a spreadsheet flat table. This solution also allows automation. You can start automating a lot of your processes as opposed to the manual process of using spreadsheets.

One of the valuable features of this solution is it has the ability to review fourth and fifth parties to the nth degree. 

What this means is, a vendor that is going to engage with us is called a third party. However, sometimes these vendors have their own vendors. The first example, this solution is a third party to us, but this solution uses Azure as their backend database, this is the fourth party to us. I am fine with this because I know Azure is doing its best due diligence with security best practices.

The comparative example, this solution wanted to start using an unknown company, such as Mike and Bob's server farm in Bob's garage as a vendor. I do not know who Mike and Bob are, if they had followed security best practices, do they close that garage door at the end of the night, or do they leave it wide open. All of our data could be sitting on those servers in that garage exposed. I would want to review that fourth party.

As vendors, as our internal customers are bringing these vendors on board with us, they go through this committee. I look at the third party level and question if they have any significant fourth parties. I do not really care about all the small little vendors, such as the person that mows their lawn outside of their office building. However, I do care about a significant fourth party, for example, someone that may be hosting our data on behalf of this third party. This solution allows me to go deep into that information, where other third party risk management platforms that we have reviewed are not able to do. They typically only do the third party level and not the fourth.

They could improve by offering free help. A solution, a lot of times, is not just the use of the solution. For example, it is the overall engagement, how well do they support the system, what is their SLA, and how long their response time is to an issue. It would be beneficial if they had some type of professional services where they offer the first five hours of professional services a year for free. That would be a substantial benefit rather than having to buy professional services or professional services packages.

I have been using the solution for two months.

I have not had any issue with the stability of the solution.

The solution is in the cloud which allows it to scale very well.

The initial installation is straightforward. However, it can be as complex as you want to make it depending on how many internal systems you want to add. The time for installation typically takes three weeks.

We have evaluated other similar solutions and we choose this solution because it allows reviews of more than just the third party vendors.

I rate OneTrust GRC a ten out of ten.

We encounter difficulties creating multiple platforms or interfaces and manual processes for changing certain settings. Additionally, they could work on the issue related to a controller release in the development environment.

We have been using OneTrust GRC for three years.

The platform is stable.

We have around more than 20 OneTrust GRC users in our organization.

The technical support services are good.

Positive

The initial setup process is simple.

The platform is expensive.

The product's feature for automation assists them in workflow management. We receive notifications or cases and prioritize them accordingly, which helps us address issues promptly. It keeps them informed about the company's activities at all times.

Overall, I rate it an eight out of ten.

I mainly use OneTrust GRC for our incident response workflow and third-party risk management.

OneTrust GRC's workflows aren't automated and need to be manually driven. Its audit and compliance also aren't very flexible, and the integration between its different modules isn't 100% and needs to be improved.

I've been using OneTrust GRC for about a year and a half.

OneTrust GRC is stable. 

OneTrust's technical support is very helpful and open to feedback, but their workflow means that their response can take anywhere from a week to months, depending on the issue.

OneTrust GRC's initial setup wasn't difficult, but the problems with integration make it cumbersome.

OneTrust GRC's licensing costs about $15,000 per module.

I would advise those thinking of implementing OneTrust GRC to make sure they have all their requirements clearly defined and make sure they're met, bearing in mind that OneTrust GRC is not a mature tool. I would give OneTrust GRC a rating of six out of ten.