
Understanding Data Risk Assessments

A guide to knowing when, why, and how to request DRAs
Wednesday, October 4, 2023
Update as of February 2024: The DRA process has changed! OneTrust is Stanford's new system to request and automate DRAs. For the most up-to-date information, visit dra.stanford.edu.

As the volume of Stanford data continues to grow exponentially, so do the risks associated with storage, processing, and management. To safeguard sensitive information, the university Information Security Office (ISO) and University Privacy Office (UPO) conduct data risk assessments or DRAs. 

A DRA is a review of whether a proposed transfer of High Risk data to a third-party vendor is consistent with Stanford’s Minimum Security Standards and Minimum Privacy Standards. In other words, before sending or receiving High Risk data to or from a non-Stanford partner, how the data is transferred and used must be evaluated to understand the extent of risk to the university.

How the DRA process works

At Stanford, the DRA process has five parts. After the DRA intake form and all supporting documents are submitted, the process typically takes four to six weeks.

Infographic: DRA process steps

  1. Submit the DRA pre-screening form, which should only take one to two minutes. If you aren’t sure whether or not you need a DRA, this form will help. Immediately upon submitting, you’ll receive an email that indicates if you need to continue the DRA process.
  2. Complete steps one through four on the DRA intake form.
  3. The third-party form is then automatically sent from the system to the vendor to complete. 
  4. Once the vendor completes their part, you can complete step five and submit the intake form.
  5. ISO and UPO review the form and may request additional details to complete the review. The generated report is emailed to the requestor. 

The delivered report will state whether your proposed data use and transfer results in Low, Medium, or High Risk to Stanford. In some circumstances, the report will include suggestions on specific controls that may mitigate risk. 

💡Tips for speeding up the process

We understand that the process may seem daunting. Take note of the following tips that may help expedite procedures. 

  • Submit the pre-screening form. The DRA process is only required for High Risk data use and transfer. This pre-screening may rule out the need to complete the rest of the process, so don’t miss this step!
  • Check the previously vetted vendors list. Stanford already has several established Business Associates Agreements (BAAs) with vendors. If your vendor is on this list, the DRA process will go much more quickly.
  • Have all of your supporting documents ready to submit with the form. Review and prepare the information you’ll need to provide before an ISO or UPO representative requests it from you.

More support

  • Refer to the DRA webpage for a step-by-step guide and more resources. 
  • Get real-time help during DRA office hours, which are every Wednesday from 11 a.m. to 12 p.m. PT (except for holidays). 
  • You can also email your questions about the DRA intake form or process to dra_review@lists.stanford.edu. For questions after submitting your DRA, contact your assigned ISO and UPO representatives directly.

DISCLAIMER: UIT News is accurate on the publication date. We do not update information in past news items. We do make every effort to keep our service information pages up-to-date. Please search our service pages at uit.stanford.edu/search.