OneTrust Review: Does it Deliver on Governance, Risk, and Compliance?

OneTrust is a Governance, Risk, and Compliance (GRC) platform that has become prominent in data privacy. We review the company and its proprietary system, which integrates technology protected by 140 patents. 

What is OneTrust?

OneTrust was founded in 2016 by Kabir Barday, who is still its CEO. This is a US business, based in Atlanta. However, the impetus for the company’s creation came from the European Union. Barday deduced that the newly-introduced General Data Protection Regulations (GDPR) would create an administrative headache for all businesses around the world and that opened up opportunities that could manage data policies to meet the requirements of the Regulations. 

GDPR is one of a growing list of regulations that require companies to protect data and record corporate activity to provide innocence or best efforts when things go wrong. It is impossible to ensure that a business won’t ever be attacked by data thieves. However, regulations encourage businesses to keep track of such security breaches and notify the authorities and all of the people who were the subjects of the data if that event results in the loss of data.

OneTrust now offers solutions to protect data and comply with an ever-growing list of data privacy rules. The OneTrust platform's business functions extend to marketing, data collection, data storage, usage, and security. Data has to be verified as accurate and the people that data is about have the right to see the information held and correct it if it is wrong. 

Regulations require IT systems to record all activities and preserve those records for auditing to ensure that companies don't lie or cover up their mistakes or security weaknesses. 

OneTrust GRC

OneTrust operates in the field of GRC. These initials stand for “governance, risk, and compliance.” The term encapsulates all of the work that needs to be done for a company to avoid being fined under one of the data privacy regulations. In other cases, breaking an industry standard will lose a company its clients and they will be blocked from applying to supply goods or services because they have lost the required credentials. 

The “R” of “GRC” covers risk management this is an investigative process that identifies which data could get the company in trouble if it isn’t protected. “C” stands for compliance and it describes systems that ensure that risk is managed to the satisfaction of any relevant standard. “G” is for governance – in this case, “data governance.” The broader field of governance ensures that the business’s goals are met ethically. 

OneTrust Review Methodology

In this review, we are going to examine the purpose of GRC, which is to comply with a range of standards. Companies are driven toward buying a GRC system for three reasons:

• The fear of being fined by the government 
• The need to avoid being sued by other companies or private individuals because of data disclosure or misuse
• The need to comply with an industry standard to gain business

So, buyers need to know whether the compliance software that they buy will enforce the specific standard that they have to follow. 

The core of this review will examine each of the data standards that OneTrust can enforce and the elements of the platform that implement compliance. It could be that you operate in a business that only requires partial compliance with a particular standard. 

OneTrust Compliance Management 

The OneTrust system’s GRC functions were constructed to enforce GDPR. This standard requires that personally identifiable information (PII) should be kept accurate, used appropriately, and protected against theft. 

GDPR isn’t the only PII protection system that OneTrust can apply. The list of this category of regulations includes:

• General Data Protection Regulation (GDRP), 2016 – EU
• California Consumer Privacy Act (CCPA), 2018 and California Privacy Rights Act (CPRA), 2023 – USA
• Virginia Consumer Data Protection Act (VCDPA), 2023 – USA
• Lei Geral de Proteção de Dados Pessoais (LGPD), 2020 – Brazil
• Personal Information Protection and Electronic Documents Act (PIPEDA), 2000 – Canada
• Quebec Law 25, 2023 – Canada

OneTrust covers some financial regulations, such as the Sarbanes-Oxley Act, better known as SOX, which came into effect in the USA in 2002. Another is SOC 2, a voluntary accounting standard that helps companies ensure they have properly protected data.  

The Payment Card Industry Data Security Standard (PCI DSS) applies to any company in the USA that accepts payment by credit or debit card. This is one of the standards that OneTrust provides compliance with. Another is the Health Insurance Portability and Accountability Act (HIPAA) and it relates to protected health information (PHI) Any business that operates in the healthcare sector in the USA and handles PHI needs to comply with this standard. 

Assessment focus

Examining OneTrust’s GRC features for all of these standards would take a long time, so this review will focus on just three of them and how OneTrust addresses them. We will look at:

• GDPR Compliance Solutions
• Law 25 Compliance Solutions
• CCPA Compliance Solutions

We will also look at the OneTrust platform, its ease of use, and its relevance to eCommerce businesses. Finally, we will examine what existing customers say about the platform, how much it costs, and what its strengths and weaknesses are.

The OneTrust Platform

OneTrust describes its services as four clouds. However, they are all hosted on the same servers and you can access them all through a single account. OneTrust doesn’t offer plans, which is annoying for small businesses that don’t know where to start. For example, a company that has been told it needs to implement GDPR would probably look for “a GDPR package.”  

Confusingly, a buyer doesn’t have to take on all of the modules in a OneTrust cloud and doesn’t have to stick to selecting modules from just one cloud. So, the “clouds” are just menus of services. Probably, the company introduced this concept of four groups to make the menu easier to read through.

The four clouds are:

• Privacy and Data Governance

• Privacy Management
• Data Discovery and Security
• Consent and Preferences
• Responsible AI

• Ethics and Compliance

• Ethics Program Management
• Speak-Up Program Management
• Third-Party Due Diligence

• GRC and Security Assurance

• Technology Risk and Compliance
• Third-Party Risk
• Internal Audit Management

• ESG and Sustainability

• ESG Program Management
• Supplier Sustainability and Responsibility

Most businesses will be trying to work out the minimum number of modules that they will need in order to gain accreditation with a specific standard. 

PII Compliance

Typically, a company following GDPR, CCPA/CPRA, and Law 25 would need Privacy Management, Data Discovery and Security, and Consent and Preferences from the Privacy and Data Governance cloud and Technology Risk and Compliance, Third-Party Risk, and Internal Audit Management from the GRC and Security Assurance cloud. It would be nice if OneTrust could just package these units together.

Here’s how a company would use this system for PII compliance:

Risk assessment

The first task of getting compliant for GDCPR, CCPA/CPRA, or Law 25 is to look at your entire system and find security weaknesses. This involves the Technology Risk and Compliance module from the GRC and Security Assurance cloud. 

You will also need to engage the Third-Party Risk unit. This module checks on the security of your suppliers and is particularly important if you store data on the cloud. A breach at your data hosting service will be counted as a black mark against your company, even if your data isn’t accessed by the intruder. 

A traditional approach to third-party risk analysis is to send each service provider a questionnaire. OneTrust supplies these forms. However, the platform has another tool for this task, called the Third-Party Risk Exchange, which is a key feature that we will examine in detail later.

The last part of risk relates to the PII in your system – this is the target that attracts data thieves and will get you into trouble if it is stolen. So, you need the Data Discovery and Security unit to find exactly where that PII is stored and classify it. 

The definition of PII is roughly the same for all protection standards. So, whether you need to follow GDPR, CCPA, or Law 25, the Data Discovery scanner will be looking for the same information. You next need to protect the files that contain PII, which is where the “Security” part of Data Discovery and Security comes in. 

OneTrust Third-Party Risk Exchange

The Third-Party Risk Exchange was originally called Vendorpedia. It is a database of risk assessments of 70,.000 businesses. The companies in the database are periodically asked to resubmit their details for rescoring. Subscribers to the service register an interest in a vendor and get a notification whenever a score is updated. 

Scores in the database relate to a specific type of data for a specific product, not one company-wide rating. For example, a company could have a score for PII another for PHI, and another for payment card data. Thus, the Third-Party Risk Exchange is suitable for use in risk assessment for HIPAA and PCI DSS as well as for PII-related standards. 

The value of this package is that a company going through a third-party risk exercise will get immediate answers. Sometimes vendors can take a while to complete the risk questionnaire and there are times when the vendor doesn’t want to do it. This service removes the pitfalls of the assessment process. However, not every company in the world is registered in the OneTrust database and there is a strong chance that most of those required for a particular company’s compliance won’t be available.  

The Third-party Risk Exchange is a SIG database. SIG stands for “standardized information gathering.” Inclusion in the list is voluntary and each company is assessed and scored by OneTrust analysts. 

The database details security breaches at each company. This might seem to be bad publicity, however, data protection standards don’t expect complete immunity from attacks in order to be accredited – that is an impossible requirement. Reporting a breach is part of the process and, although it is a bad advertisement, it keeps the business in compliance and evades fines. 

An advantage for users of the OneTrust GRC and Security Assurance cloud is that the Risk Exchange can feed data directly into the platform’s Third-Party Risk module. It is possible to identify risk through layers, assessing the suppliers of suppliers to build up a supply chain risk assessment. 

Compliance management

Compliance management involves ongoing protection for data through systems that record all events to provide an audit trail. This task runs continuously and involves all of the modules that have already been deployed for risk assessment. 

The Privacy Management unit of the OneTrust platform provides an overview of all measures that are carried out to keep within the guidelines of your chosen data privacy standard. The unit checks on all of the measures that you have implemented in order to get your data privacy protection system in place. OneTrust updates this module’s compliance database if regulations change. So, it will adapt to new requirements.

Operational security requires user training and testing. These measures are logged in the Privacy Management guide. The module isn’t a standalone service because it doesn’t actually implement anything. It is more of a central documentation library. It provides a checklist of tasks to be performed, security measures that need to be in place, and monitoring systems that you need to install in order to track activity. 

Consent management

The Consent and Preferences unit deals with the issues of interacting with the public. The package gathers approval from the people that you hold data about, who are referred to as “data subjects.” Those responses need to be recorded and linked to the specific data elements that are in your files. 

GDPR, CCPA, and Law 25 require that the data subject can request a copy of the information that your business holds on that person. Part of the logic behind this stipulation is that your data might be wrong and interacting with the data subject gives you the opportunity to correct any errors. 

The data subject has the right to see that data and request corrections but doesn’t have the right to demand complete removal. The process of asking for that information is called a Data Subject Access Request (DSAR) and the Consent and Preferences unit of OneTrust provides procedures for managing this responsibility.

Cookie consent management

The Consent and Preferences module implements cookie consent management and deals with consent for data retention. This responsibility includes scanning a website to discover the presence of cookie-generating code. The process identifies which cookies are native to the website's functional flow and which are stored by third parties for statistics gathering or tracking purposes. Discovered cookies are categorized according to their purpose.

The Consent and Preference package includes templates for cookie notifications and consent-seeking popups. This library includes formats that include sliders to allow users to reject a particular category of cookie specifically.

The consent form templates are available in 250 languages and come with triggers that enable them to be automatically applied to a Web page based on the visitor's detected location. Other customizations available are a choice of style and the ability to add logos and other branding features.

The module includes a default blocking strategy for non-essential cookies. It won’t disable your site’s features by blocking all cookies. The cookie blocker will then allow through non-essential categories if the user has approved their tagged categories. 

The unit can extend cookie consent management to mobile apps, set-top boxes, and smart TVs. The system allows users to define a different consent profile on each device. It is also possible to unify a user’s preferences by engaging the Universal Consent and Preference Management service of the OneTrust platform. This requires the creation of a central database in which each user is represented by an ID rather than a name.  

Privacy training

Operational security compliance requires that best practices are in place and that employees are trained to be aware of them and to follow them.OneTrust has a Privacy Training division, which provides general data privacy awareness with extra courses for role-specific issues, such as for Marketing, HR,  and Finance. 

Courses are delivered online at the learner’s pace. They are charged for individually and don’t form part of any of the modules on the cloud platform. The training provides a general overview of working practices for data privacy and there aren’t any certification courses for data managers or consultants. 

Other education features in the OneTrust system include a knowledgebase and guidance within the screens on each task explains the requirements of the standard that is being implemented. 

Data governance

The OneTrust platform ensures data governance with the Internal Audit Management unit of the GRC and Security Assurance cloud. This unit provides the goal for full compliance. The internal audit process ensures that the system is fit to pass an external audit – compliance auditing is the final test to gain accreditation. 

The assessment leads to three evaluations:

1. Overall Readiness
2. Assessment Summary of Questions
3. Compliance Gaps

Clearly, if the assessment results in a list of compliance gaps, you will need to go back and fix those problems and then run the audit again. 

Once the audit has been passed, the GRC platform provides a series of reports that can be run and stored in PDF format.

OneTrust Pro Review

OneTrust offers a menu of website services that provide just those functions of its very large platform of GRC services. The company divides its market into two divisions: one for businesses with 500 or fewer employees and the other for larger businesses. The smaller package for websites is called OneTrust Pro, and the other is for large businesses. 

Web services are implemented through APIs, which involves adding one or two lines to the top of a Web page or app – the services can be applied to mobile apps as well as to websites. 

A site that only provides information will still need policy statements, such as Terms of Service to protect against the risk of being sued for misinformation. Sites that use cookies need a cookie consent tracking service and those that collect data for services, such as mailing lists need to add on data privacy management.  

Cookie consent management isn’t a straightforward process. The wordings of content forms need to address different data privacy regulations, depending on the location of the site visitor. It is also necessary to list the types of cookies that the user needs to consent to. The OneTrust Cookie Consent system includes a site scanner that identifies exactly which cookies are used by a site, generates a consent form, and then records responses. 

Collecting PII will require DSAR management and compliance with GDPR, and other standards, depending on the location of the site visitor – which gets complicated. The presence of cookies and the need to collect PII extends the site’s requirements for legal notification pages. 

All of these services are available from OneTrust Pro menu but they are not delivered as a unified package. You can pick and choose each service, so if you only need a cookie consent form, you don’t need to take on the whole OneTrust Pro system.

OneTrust Customer Support

The Customer Support offered by OneTrust ranges from regular product usage support through to a legal consultancy service. The OneTrust staff includes researchers who regularly update the controls for compliance that are built into the platform. This is necessary because regulations change and new laws emerge. 

The company employs a total of more than 1,700 expert staff and not all of them are focused on internal contributions to the platform. The company also offers a team of certified privacy, security, ethics, and ESG professionals who are available as consultants. The consultancy arm doesn’t have a set format of service, so there isn’t a contract that can be previewed. Instead, a company in need of advice has to contact the company to discuss requirements. 

OneTrust Customer Reviews

OneTrust serves more than 14,000 customers. The client list of OneTrust includes many of the largest companies in the world. These include Dish Network, Samsung, Puma, Atlassian, Adobe, Pfizer, The World Bank, and Bristol Myer Squibb. 

Review sites present two of the OneTrust divisions for feedback: the Privacy and Data Governance cloud and the GRC and Security Assurance cloud. The majority of reviews are very positive. 

The G2 site has 142 reviews for OneTrust Privacy and Data Governance and only one of those gives the lowest score possible, which is one star; 95 reviewers award the top mark of five stars. 

Reviews praise the ease of use of the dashboard and the convenience of pre-written integrations but are less enthusiastic about the technical performance of the interface. Users are unimpressed by the Customer Support team, who don’t always seem to know what they are doing. 

This review is typical of the comments on G2 about the Privacy and Data Governance cloud:

The reviewer is impressed by the flow of functions in the package and the completeness of the solution. However, he explains that his company hired a consultant to set up the package. That’s an extra expense that perhaps many buyers wouldn’t take into consideration when pricing the solution. The reviewer also states that sometimes the Customer Support team can’t present a solution to a problem. He also notes that the platform can be slow and will sometimes stall for no reason. 

Another reviewer gives the platform no score at all. The biggest source of his dissatisfaction was the lack of assistance from the Customer Support team. This buyer managed more than 15 websites and observed that the system crashed frequently.  

G2 carries 94 reviews of the GRC and Security Assurance cloud and 73 of these award the platform the full five stars; only one gives a one star rating. The reviewer giving that low rating provides an interesting insight into the GRC and Security Assurance platform. OneTrust didn’t develop the product but bought it in October 2021. The system was originally called TugboatLogic and OneTrust acquired its customers with the purchase. Those legacy users are not happy with the changes that OneTrust has introduced to the service:

OneTrust Pricing

There are no prices for the enterprise platforms – the four clouds – of OneTrust. However, the company offers a 14-day free trial of this division of its services.

There are prices available for the OneTrust Pro menu of services that are offered to businesses with fewer than 500 employees. These prices are shown on the main OneTrust website and also on a secondary sales site, called OneTrust Pro. 

Read our detailed blog on OneTrust Pricing for a deeper dive into how much OneTrust costs. 

Roundup: Is OneTrust Worth It?

Is OneTrust an excellent platform for governance, risk, and compliance services? Absolutely. But it still struggles with effective customer support, lengthy migration and onboarding, and unwieldy contract lengths. These can be off-putting for several companies, particularly those without compliance budgets that stretch into the millions of dollars.

If you're reading this, you're likely considering OneTrust as your data privacy partner. Our blog on the best OneTrust alternatives and competitors is another resource you can consult as you evaluate your options.

And while you're here, we'd like to plug that Enzuzo can deliver most of the features of OneTrust at much better terms, monthly contracts, and priority onboarding. Enzuzo powers data privacy compliance for global conglomerates like Lucy Group and it can certainly help others looking for consent management, data governance, data access requests, and other compliance requirements around GDPR & CCPA. 

Book a complimentary, no-obligation 1-1 call today to learn about your options and how Enzuzo can meet your data privacy management needs 👇