How to maintain an up-to-date data map with OneTrust vendor risk management

May 7, 2019

Orange gradient background

In aiding more than 2,500 companies mature their privacy and security compliance programs, we’ve heard one question more than any other: “How do I keep my data map up to date?” 

There are many methods to maintaining an evergreen data map, such as with integrations and assessment automation. But emerging techniques, ones that use the OneTrust Vendor Risk Management platform in combination with our data mapping tool, are helping companies sustain an up-to-date data map and automate alerts and actions. Here’s how: 

Auto-populate vendor information with Vendorpedia

Gathering information about vendors doesn’t have to require a dozen Google searches. Companies are leveraging Vendorpedia, OneTrust’s Third-Party Risk Exchange, as a quick way to auto-populate information into their data map. OneTrust aggregates critical vendor information into Vendorpedia, and with a click of a button, you can link it to your data map. This research would typically take valuable resources away from more high-priority projects. Third-party information that can be added to your data map from Vendorpedia includes: 

  • In-depth Vendor Details: Company name, vendor contact information (phone, email, address), type of data collected, purpose of data collection, and covered entities  
  • Certifications & Validations: Common security and privacy certificates at a vendor and service-level, such as Privacy Shield, FedRAMP, and many more 
  • Services: All relevant services (e.g. Microsoft Azure, Microsoft Office, etc.) offered by the third-party 
  • Controls: Using certifications and validations as guides, customers can bulk add controls to related vendors and assets within their data map

Build automated reassessment triggers

Within the OneTrust Vendor Risk Management tool, you can configure reassessment rules. These rules use triggers to send out assessments, which feed the latest information into your data map. For example, build reassessment triggers based on: 

  • Inventory: Send assessment if an inventory item has not been updated in a set number of days 
  • Time: Set a recurring assessment cycle based on a specific number of days 
  • Contract Expiration: Send a risk assessment as contract expiration dates near 
  • Last Assessment: Trigger a reassessment based on the date of the last completed assessment 
  • Alerts: Reassess vendors based on alerts, such as a third-party data breach or regulatory change  
  • Risk Score: Configure an assessment to send when a vendor’s risk score reaches a certain threshold 

When a reassessment is sent, answers from the previous assessment are pre-populated, making the reassessment process much simpler and efficient. 

Sync third-party risks with related processing activities & assets

OneTrust Vendor Risk Management and the Data Inventory & Mapping tool work in synchronicity, adding business context while helping risks tied to your data map remain accurate. Any third-party risks identified via the OneTrust Vendor Risk Management tool are linked and synced to related processing activities and assets within your data map. And as these vendor risks are mitigated, your data map updates dynamically. To summarize, risks within your data map are: 

  • Pulled and synced directly from third-party risk assessments 
  • Auto-associated with related processing activities and assets 
  • Mapped to known vendor controls to simplify risks scoring 
  • Generate an activity trail for simplified auditing 

Add the latest contracts & DPAs to relevant assets and processing activities

As new laws place greater emphasis on data processing agreements (DPAs) and specific clauses in contracts, companies are seeking to ensure that processing activities fall within the scope of a contract. By leveraging OneTrust Vendor Risk Management, your team can automatically link your DPAs and contracts to processing activities within your data map. This helps your team:  

  • Confirm processing activities fall within the scope of your contract 
  • Hold third-party vendors accountable to their DPAs 
  • Maintain a defensible audit posture in the event of an inquiry

Request a demo today or contact your OneTrust representative to learn more about how OneTrust Vendor Risk Management can help your company build a more complete and up-to-date data map.

You may also like


Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023

Learn more


Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more


Third-Party Risk

Live demo: Building your third-party risk management program with OneTrust

Explore how OneTrust can help you build an efficient third-party risk management program that streamlines manual processes and uncovers hidden risks.

September 28, 2023

Learn more