In aiding more than 2,500 companies mature their privacy and security compliance programs, we’ve heard one question more than any other: “How do I keep my data map up to date?” 

There are many methods to maintaining an evergreen data map, such as with integrations and assessment automation. But emerging techniques, ones that use the OneTrust Vendor Risk Management platform in combination with our data mapping tool, are helping companies sustain an up-to-date data map and automate alerts and actions. Here’s how: 

Auto-populate vendor information with Vendorpedia 

Gathering information about vendors doesn’t have to require a dozen Google searches. Companies are leveraging Vendorpedia, OneTrust’s Third-Party Risk Exchange, as a quick way to auto-populate information into their data map. OneTrust aggregates critical vendor information into Vendorpedia, and with a click of a button, you can link it to your data map. This research would typically take valuable resources away from more high-priority projects. Third-party information that can be added to your data map from Vendorpedia includes: 

  • In-depth Vendor Details: Company name, vendor contact information (phone, email, address), type of data collected, purpose of data collection, and covered entities  
  • Certifications & Validations: Common security and privacy certificates at a vendor and service-level, such as Privacy Shield, FedRAMP, and many more 
  • Services: All relevant services (e.g. Microsoft Azure, Microsoft Office, etc.) offered by the third-party 
  • Controls: Using certifications and validations as guides, customers can bulk add controls to related vendors and assets within their data map

Build automated reassessment triggers 

Within the OneTrust Vendor Risk Management tool, you can configure reassessment rules. These rules use triggers to send out assessments, which feed the latest information into your data map. For example, build reassessment triggers based on:  

  • Inventory: Send assessment if an inventory item has not been updated in a set number of days 
  • Time: Set a recurring assessment cycle based on a specific number of days 
  • Contract Expiration: Send a risk assessment as contract expiration dates near 
  • Last Assessment: Trigger a reassessment based on the date of the last completed assessment 
  • Alerts: Reassess vendors based on alerts, such as a third-party data breach or regulatory change  
  • Risk Score: Configure an assessment to send when a vendor’s risk score reaches a certain threshold 

When a reassessment is sent, answers from the previous assessment are pre-populated, making the reassessment process much simpler and efficient. 

 Sync third-party risks with related processing activities & assets 

OneTrust Vendor Risk Management and the Data Inventory & Mapping tool work in synchronicity, adding business context while helping risks tied to your data map remain accurate. Any third-party risks identified via the OneTrust Vendor Risk Management tool are linked and synced to related processing activities and assets within your data map. And as these vendor risks are mitigated, your data map updates dynamically. To summarize, risks within your data map are: 

  • Pulled and synced directly from third-party risk assessments 
  • Auto-associated with related processing activities and assets 
  • Mapped to known vendor controls to simplify risks scoring 
  • Generate an activity trail for simplified auditing 

 Add the latest contracts & DPAs to relevant assets and processing activities 

As new laws place greater emphasis on data processing agreements (DPAs) and specific clauses in contracts, companies are seeking to ensure that processing activities fall within the scope of a contract. By leveraging OneTrust Vendor Risk Management, your team can automatically link your DPAs and contracts to processing activities within your data map. This helps your team:  

  • Confirm processing activities fall within the scope of your contract 
  • Hold third-party vendors accountable to their DPAs 
  • Maintain a defensible audit posture in the event of an inquiry

Request a demo today or contact your OneTrust representative to learn more about how OneTrust Vendor Risk Management can help your company build a more complete and up-to-date data map.