OneTrust GRC Reviews

I use OneTrust specifically for incident management. For my company, I helped to create the incident management program that we currently use, particularly with gathering the information and sending out assessments to different vendors to collect information for further research and discovery. 

I also use the platform for processing privacy requests that our company receives. OneTrust is just one of the platforms we use, and we receive privacy requests through multiple channels, such as email and occasionally, phone calls. 

However, any kind of request we receive is still filtered through OneTrust using their platform to track the request and process it all the way through from the initial notification to the end when it's finally processed. We send out notifications and collect information, all done through OneTrust.

OneTrust has streamlined the process of sending notifications to clients, consumers, and stakeholders. It allows tracking of all information within the platform itself, so there is no need to go outside of OneTrust to gather or find information.

The privacy impact assessment automation tool and the incident management tool are very user-friendly. They are excellent at mapping out the processes for establishing a framework for incident processing. OneTrust is very good at linking with different platforms, managing resources for information gathering, and centralizing them into one platform.

I wish there were more customization options, particularly within the privacy rights automation module. More customization on the backend would allow for adjusting specific category labels tailored to our objectives. While they allow for some customization and adding of different categories, some predetermined categories are not modifiable.

I've been using OneTrust for about two years. I had prior experience before my current position, so it has been closer to three years.

It's been quite stable, with very few occasions of major bugs or breakdowns. The stability would be a nine out of ten. Any issues were quickly resolved with a fast turnaround.

The scalability is relatively good, making it easy to create programs that streamline processes. However, some modules are restricted, and achieving tasks within the platform's confines can be tricky for hyper-specific needs.

Their support team is very responsive and knowledgeable. If an expert doesn't know how to address a question, they find someone who can help. They go to great lengths to find a solution if resources or specific representatives aren't available.

Positive

The modules can be restrictive and require working within the platform's confines for certain tasks. This can be tricky for hyper-specific projects.

I don't have specifics on pricing. I know it's not very cheap, but the budget aspect is outside my wheelhouse.

I recommend OneTrust because, despite limited customization, the options they have are top-tier. They offer a lot of good resources for streamlining processes to fit your initiative.

I'd rate the solution nine out of ten.

I used OneTrust GRC for a holistic view of our compliance program, automation of everything from policy creation, edits, reviews, annual acknowledgment by staff, third-party risk management program, reporting deliverables, metrics, and incident management. We also had an anonymous reporting hotline.

OneTrust GRC helped us achieve IPO status at several different organizations because of the visibility it provides in our compliance program. 

It also contributed significantly to successfully achieving our SOC 2 Type 2 during the first iteration.

I value the ability to immediately begin building a compliance program from the ground up. The platform is especially useful in startup environments where we're typically starting from scratch.

The implementation of OneTrust could have been smoother, particularly in terms of scoping for those outside of governance, risk, and compliance. It can be confusing for individuals who need to understand the scope of regulatory controls and requirements. This complexity can be frustrating both internally and with implementation experts. Additionally, scalability can be overwhelming for smaller organizations.

I used OneTrust GRC for about three and a half to four years across different organizations. Recently, I switched to Vanta after working with OneTrust for approximately nine to ten months at my current organization.

The stability of OneTrust GRC is excellent. We never faced any issues with latency or breakdowns, and the solution adheres to SLAs for uptime, which is impressive.

The scalability of OneTrust GRC could be overwhelming for smaller organizations. I would rate it around six on a scale to represent that partially.

The customer service and support from OneTrust are commendable, with responsive assistance within twenty-four hours. The follow-up post-resolution is also excellent.

Positive

Prior to using OneTrust GRC, our company used JupyterOne, which had a limited compliance product and focused on vulnerability management. We fixed a GitHub integration with OneTrust.

The initial setup was head-down, fully focused, and determined. We had an aggressive turnaround time of about three months.

I worked very closely with account executives from OneTrust GRC. This collaboration led to feedback that was incorporated into future sprints to enhance reporting capabilities.

Despite some costs, the return on investment from OneTrust GRC is substantial, offering great value overall. We negotiated terms effectively to achieve the desired price points.

The pricing of OneTrust GRC was not as expensive as Archer yet was slightly pricey. However, the investment is justified by the return and negotiations that were possible.

Our company evaluated JupyterOne and the decision to switch was based on budget constraints as OneTrust is slightly more expensive.

My advice for newcomers is to have a project plan ready for implementation once you sign the agreement. Know exactly what your compliance program requires and check system integration capabilities with OneTrust beforehand to avoid additional costs.

I'd rate the solution eight out of ten.

One of the most beneficial features of the product has been its cloud-based IT and vendor risk management tools, along with built-in templates for GDPR and ISO compliance. These tools streamline risk assessments across jurisdictions, which is crucial for multinational operations.

They could enhance the product's functionalities like audit management and ensure consistency across modules. 

I've implemented OneTrust GRC for various clients over the past five years.

The platform has demonstrated exceptional stability with minimal downtime. I rate it a ten for reliability.

I rate the platform scalability a ten. 

The technical support services are good. 

Positive

I have experience with various GRC tools like Prisma before implementing OneTrust GRC.

The platform is accessible within an hour post-contract signing, facilitated by their streamlined deployment processes.

I recently implemented the platform for a large multinational client operating in 28 countries with diverse risk management needs across privacy, cyber, and group strategy. Its configurable nature allowed us to tailor risk attributes and visibility filters specific to each organizational unit, enhancing compliance effectiveness.

Automation has significantly optimized compliance processes. For example, automating vendor risk assessments at a global jewelry company reduced process time and dependencies among legal, cyber, and ESG teams, enhancing agility and efficiency.

OneTrust's CyberScores and Security Scorecard feature provided independent risk assessments for vendors, facilitating informed decisions. This capability was instrumental in aligning IT risk management with privacy team requirements, ensuring robust vendor evaluations.

Integration with existing systems was smooth overall, leveraging robust API for customized reporting. However, managing custom attributes required additional effort to align with reporting needs, necessitating a translation mechanism in tools like Power BI.

I would recommend it and rate it a nine.

I primarily use OneTrust GRC for GRC, which involves vendor management aspects. It helps ascertain levels of compliance concerning vendors.

OneTrust GRC simplifies the deployment of our policies, making them easy to achieve. It has also made policies deploy with ease, aligning with intended organizational goals.

The simplicity of OneTrust GRC, particularly its user interface, is valuable as it makes it easy to use and not complex.

There could be enhancements related to AI. Any improvements AI could provide to make the automation process more efficient would be beneficial. Additionally, machine learning could be included to better assess vendor security posture.

I've been exposed to OneTrust GRC for about a year.

The stability is just fine. It meets the need, and there are no stability issues.

The solution is scalable and can increase capacity to meet our demands.

I have not escalated any questions to tech support yet.

Positive

I have no experience working with any other GRC products apart from OneTrust.

My onboarding was straightforward, with no challenges.

I am not familiar with the pricing, setup cost, or licensing of OneTrust GRC.

OneTrust is recommended for those who need something simplified and effective to achieve policies without excess difficulty.

I'd rate the solution nine out of ten.

On the privacy front, we used the solution to meet many GDPR requirements, like maintaining a record of processing. We used the OneTrust data processing component or module to keep all the processing activity records. On the GRC front, we used the risk management and audit modules to manage risk assessments and IT audits within the organization.

OneTrust GRC is a SaaS (software as a service) platform. As an implementer, you don't need to do many technical configurations. Instead, you do the functional configurations, like setting up the rulesets to ensure they adapt to the rules within the organization. The solution was quite valuable because it included almost all the worldwide privacy regulations, such as GDPR and CCPA. You can configure the functional rules against the entity or country where the client may be located.

The organization I worked with operated in 35 African countries, with an office in France. So, GDPR was relevant, and these 35 countries where they have data protection laws were also relevant. The most valuable feature of the solution is that it already has visibility about all the data protection regulations or other cybersecurity regulations related to several countries.

The platform was not built in a way that allowed multinational entities to use it seamlessly. You could only create one organization. So you create the organization, and then you need to create countries. Suppose a bank had affiliates in Ghana and Kenya. We couldn't use the solution to ensure that a person in Kenya would only have access to things related to Kenya.

We had to improvise to do it, but it was quite obvious that the architecture was not designed for multinational companies like the bank I worked for, which had affiliates in 35 countries.

Another issue I had with the tool was regarding the controls. Suppose you have to audit an organization in the risk assessment against ISO 27001 or some other regulation. In some instances, the solution won't have the copyright or the license for a particular regulation. Even though you see ISO 27001 in the tool, you, as an entity, are supposed to buy those controls into the platform.

That made things difficult for us because now we needed to launch another request for a quotation or another RFT to get those regulations bought into the platform.

I have been using OneTrust GRC for two years.

OneTrust owns the platform's hosting, and we have no visibility over the computer or background resources they manage. There were instances when we were working on the tool, and it froze. We had to send a ticket to OneTrust to look at it for us, whether it was our tenant's fault or a general problem across all tenants for all their clients.

I rate the solution an eight out of ten for stability.

Privacy is in everything, and many organizations are trying to build platforms around it. A lot of them are also in the formative stages.

I rate the solution's scalability a six out of ten.

The solution's technical support is quite good. The support team responds whenever you reach out to them.

Positive

Creating the rules in the OneTrust GRC platform requires a lot of technical knowledge of the product, which we didn't have. The solution didn't have a lot of training packages as part of the implementation. We were directed to the academy to enroll in some programs, but they did not fit our organization. It was quite a general training.

Because of the nature of our requirements, we thought the tool would tailor some training to train us properly so that we wouldn't face many issues while implementing or maintaining the tool within our environment. However, we didn't really have that. The training knowledge or training content that is better dedicated or aligned for a particular client was lacking. So, it was pretty difficult.

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup a six out of ten.

The solution's deployment took a long time, about six to ten months. We started in December and completed it around July.

To deploy the solution, we fed it with our own data. It's like training a model. We create a tenant for you that has nothing in it. You have to create your own organizational parameters. We needed to develop the rules for each of the solution's modules. OneTrust did well in terms of giving us a road map for each of the module's deployments.

The tasks were divided between whatever the OneTrust engineer would do and what our engineers would do. We worked according to that plan, but some modules depended on others. For example, you cannot deploy another module if you've not deployed a particular module.

The deployment model was based on a shared plan between OneTrust engineers and our engineers. We had to feed a lot of information to the platform and create a lot of templates and rules that were suitable or only meant for our environment.

The solution saved us a lot of time. We did many things with Excel templates and other things we had created ourselves. OneTrust GRC allowed us to automate many things and saved us a lot of time for other tasks.

OneTrust GRC is an expensive solution. OneTrust told us that the solution's pricing given on their website is for one entity coming to them. They told us that if the price of a module is 4,000 dollars, and we buy it for use in about 35 different countries, it's not a good bargain for them. For us, they did a different negotiation.

They treated us as a wholesaler or an enterprise customer even though the product didn't make room for that. OneTrust GRC is a very simple product that doesn't have small and medium business modules and enterprise modules. It was the same solution, but they negotiated a different cost for us because we were an enterprise client. It was quite expensive, and we spent around 200 to 300 thousand dollars.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing an eight out of ten.

Before choosing OneTrust GRC, we evaluated other options, but most of them were limited in their scope. Some of them only did privacy and not data governance. Some of them are doing GRC, but they are not doing privacy or data governance.

The value we saw in OneTrust was that it attempted to deal with all these areas of concern for organizations. These areas included privacy, consent and preferences, data governance, data discovery, third-party risk, GRC, attacks and compliance, and sustainability. OneTrust GRC had all these modules, and it made a lot of sense to go with it instead of buying other solutions.

OneTrust GRC is a SaaS (software as a service) platform. You can create a profile for your organization. The solution is updated with new features from the back end.

The solution has different modules within it, including a module that allows us to do a risk assessment. The one very important thing the solution has is building templates. If you want to conduct a risk assessment, you have to create a template for that risk assessment.

The template will consist of a questionnaire-type approach in which you build some rules. When you initiate an assessment, you are required to answer the questionnaire based on the organization or that particular risk assessment.

OneTrust has to mature the product, improve its understanding of how multinational organizations operate, and build an architecture to suit them. Multinational companies that have branches in different countries would struggle with the solution. I recommend an enterprise version mainly targeted at multinational entities or big enterprises.

Overall, I rate the solution a seven out of ten.

It was used to manage IT and control risks, specifically around network infrastructure and particular assets.

As a solution for IT risks, it is a very good product. I think it's structured in a way that makes it good to track IT-specific risks and controls.

Speaking about the room for improvement in the solution, I mainly feel that it is not a GRC tool. So, I think that it is more of an IT risk management tool. Basically, it's very good at IT business management. It's not a good tool for governance risk and compliance beyond IT risk management. If you want to use it for business, financial, reputational, health and safety risks, or any other type of risk relevant to your industry or your organization, it's not ideal, and you probably have to get a different system. In short, it does risk management better than most generic GRP tools. However, most of the good GRC tools that are business focused also do IT risk management well enough, which is why OneTrust GRC is not a good enough solution by itself.

In future releases, the solution should work over its ability to manage business risks by incorporating something like an enterprise risk management module.

I used OneTrust GRC six months ago. Also, I am a customer of the solution who has used it for three years.

I rate the solution's stability an eight on a scale, with one being low stability and ten being high.

I rate the solution's scalability an eight on a scale, with one being low scalability and ten being high. Also, 200 people are using the solution.

I didn't contact the technical support team, and I can't rate them.

Previously, I tried different ones like ServiceNow and several other product lines. Instead of having to choose one, we were looking for alternatives from an IT risk management point of view and found that there were several different tools for businesses. In my new organization, we no longer use OneTrust GRC. Also, I would not recommend my current organization to use OneTrust GRC.

I rate the initial setup a seven on a scale where one is difficult, and ten is easy for IT risk management. For business risk management, I rate it a three. So, the rating depends on what you are using the solution for in your organization.

The deployment process was completed before I joined the organization. In our organization, we require around two people to maintain the solution.

I haven't seen any return on investment using the solution. If I had the opportunity, I would use a different solution. This is because the use cases for the solution are too narrow.

On a scale from one to ten, where one is cheap, and ten is too expensive, I rate the solution a seven since it falls under the pricey side. Our company was making a yearly payment of 250 for the solution's licensing part. Also, there were no additional charges to be paid other than the standard licensing fees. However, the solution's price depends on the modules that one selects.

I would tell those planning to use the solution that they make sure that they are comfortable with the solution and are not duplicating their efforts elsewhere in the business since it would give them the ability to manage risk in all of the areas that they want to manage using the solution. Overall, I rate the solution a five out of ten.

We use the solution for internal governance risk, compliance projects, and tracking internal risk management projects.

Clients might have to adhere to federal regulations for US health organizations and US government organizations and follow ISO 27001 standards. Additionally, compliance requirements vary for UK cyber issues and European automobile standards. Despite the controls remaining the same across different standards, duplicate requests to the business may arise when addressing each compliance perspective. To streamline this process, the GRC tool enables mapping to consolidate requests, reducing redundancy. Furthermore, workflows are automated based on inputs from stakeholders. Responses are analyzed to flag risks for review, and follow-up actions are automated based on review comments, eliminating the need for manual email correspondence.

OneTrust GRC offers policy management, including documentation, distribution, and attestation.

There is room for improvement, like integrating other security tools. Instead of buying additional tools, they could have provided some external security ratings.

I have been using OneTrust GRC as a partner for three years.

The product is stable.

I rate the solution’s stability a ten out of ten.

The solution’s scalability is good. From the admin side, we consist of four people. From the user perspective, the number varies based on the departments we are targeting.

I rate the solution’s scalability an eight out of ten.

The support team is pretty good. They provide self-help tools, such as frequently asked questions or self-help for each functionality. If I don't have time to do that, I'll request support. They would be available in no time.

The initial setup is easy. I do not find any difficulty. It takes a week to deploy completely because it is a plug-and-play tool.

Pricing is expensive, depending on the license.

We were using Keylight and also evaluating Auditboard and ProcessUnity.

The solution has brought a lot of efficiency where prior to onboarding tools, we were tracking through spreadsheets or local repositories. We can store all the documents and then focus on the actual risk identification part rather than chasing people for a piece of evidence because the tool does the job if something is missing.

The impact of regulatory intelligence on our risk management strategy is primarily seen in the reporting aspect, specifically through dashboards. We can customize these dashboards according to management needs. Different department heads often approach us seeking insights into their department's risk exposure. Through the dashboard mechanism, we can apply filters to generate reports tailored to the requirements of each department head.

The integration process is quite straightforward. However, during onboarding, we must identify our customized settings amidst the default ones. Therefore, we rely on GSE export to modify all settings according to our specific requirements. This process demands some intervention and is time-consuming.

There's no issue because the business continuity is robust, and OneTrust provides advanced notifications in case of maintenance. During maintenance, I continue working on critical tasks even if the tool is down. If I have to work on weekends and encounter issues, I contact support. 

I recommend and advise that if the client is seeking additional functionalities, such as external security ratings, OneTrust may not be able to provide that. They would need to purchase additional tools. This, however, comes with additional costs, but it eliminates the need to manage multiple tools.

Overall, I rate the solution a ten out of ten.

We are using OneTrust to implement data privacy within our organization.

We have data from Jira regarding addiction related to Europe as well as California. Additionally, we have data related to the Indian Data Protection Bill. Therefore, GDPR compliance is highly beneficial. The CPA also benefits from this. Data subjects are granted specific rights, known as DSR, making DSI crucial. With OneTrust, communication with data subjects is streamlined, allowing them to make requests, which we then process and fulfill using Alpha OneTrust. If a supervisory authority requests documentation from our company, we prepare Article 30 documents.

Everything is interconnected. While it might seem overwhelming to select specific digital options, each feature offers benefits. They provide extensive settings and details.

There are several areas for improvement. One is the integration capability. Connecting various DSAR systems can be time-consuming if a single integration takes months to complete. This integration challenge becomes more pronounced as data volumes grow and spread across different systems. One potential solution could be dedicating resources to support integration efforts, preferably individuals familiar with the OneTrust platform and the systems it needs to integrate. This approach could streamline the integration process and mitigate potential missteps, even for non-technical personnel.

I have been using OneTrust GRC for almost two and a half years.

If I'm in a meeting and presenting somebody on OneTrust. It takes some time to load from one page to another page.

I rate the solution's stability an eight out of ten.

Scalability is not an issue.

Technical support is good. Whatever knowledge they have, they are providing us. They come and perform the things we want exactly. We are in between the support of OneTrust and ServiceNow. Each time, we have to contact OneTrust, then the respective system owner. The process could become better than it is now.

Positive

If we use a particular module and find it very beneficial, then it is a good value for the price. There have been instances where we haven't used some modules despite paying for them last year. The pricing is reasonable, but we need to ensure we're maximizing the value of what we're paying for.

OneTrust GRC integration can present some challenges, particularly for those without a technical background. It involves instances that may require some knowledge. Connectivity issues might arise, leading to disruptions. Despite these hurdles, efforts are being made to address and manage these challenges more efficiently.

I recommend the solution because it is cheap and valuable. Also, companies are becoming more aware of privacy. Privacy is directly proportional to these tools. OneTrust provides free certifications.

Overall, I rate the solution a nine out of ten.

Initially, we used the product to ensure our company in Brazil followed the recent data protection guidelines. Brazil has data protection laws very similar to GDPR in Europe. We focus on managing data usage and management policies.

The product helps us streamline audit and incident management processes. There's also a focus on third-party risk management.

The workflow approval process is valuable.

The product is not that easy to set up. It is also not easy to get used to the naming convention. It requires in-depth training.

I have been using the solution for three months. I am using the latest version of the solution.

I rate the solution’s stability a nine out of ten.

The tool is very, very scalable. I rate the scalability a nine out of ten.

The solution is deployed on the cloud. The initial setup is very, very hard.

We see a return on investment. We manage our console much faster.

The solution is expensive.

I would recommend the product to others. It's not a silver bullet. If someone doesn’t have the process in place, the tool won't help them. Overall, I rate the solution a nine out of ten.

We use OneTrust GRC to evaluate internal and external projects for risk.

It does help in the automation of our privacy impact assessments.

The product itself, and perhaps most importantly, is not truly designed to fit the way people and users do their work.

There are limitations to customized workflow automation, and they need to increase both the available automation and the customized workflow.

I have been using OneTrust GRC for one year.

We are working with Athena, which is a specialized version of the OneTrust GRC platform.

OneTrust GRC is quite stable.

I would rate the stability of OneTrust GRC an eight out of ten.

OneTrust GRC is a scalable product.

I would rate the scalability of this solution an eight out of ten.

Technical support could be improved.

I would rate the technical support a three out of ten.

There are weaknesses in the implementation team, just getting up and running is difficult.

I am not aware of the pricing. I am not involved in the budgeting process.

They need to evaluate it carefully because not all of the different functionalities are developed to the same level of sophistication.

I would rate OneTrust GRC a six out of ten.