
Risk Mitigation Steps in OneTrust

Follow the risk mitigation steps below after you have submitted a data risk assessment (DRA) in OneTrust. 

Open and assign assessment

1. If risks are identified, the individual who filled out the DRA will receive an email from Stanford University UPO with the subject “[Stanford University] (Risk Mitigation): Action Required - Task Assigned.” Open the email to access the assessment and risk report.

2. Click the button View Alert Center to view your task.

3. To assign the task to a member of your team, click the edit icon that appears when you hover over the space next to Assignee. Do this if the individual(s) who will complete the risk mitigation process are different from the submitter.

4. If you wish to add individuals/collaborators (e.g., Contracts Manager, PI’s Manager, or other team members) to review your risks, hover over the space next to Collaborators and click the edit icon.

View flagged risks

1. To view your flagged risks, click Notifications on the far left of your screen, and you will be redirected to a page listing out your assessments and tasks. 

2. Once redirected, click View next to your assessment. You will be redirected to your assessment page.

3. Click the Risk button (flag icon with a number) at the top right. A new window will pop up allowing you to click through your flagged risks. 

4. The list of risks flagged will show on the right side of the screen.

5. Click on each risk to read the details.

View and address risk treatment plans

For each risk, the submitter and the project team must follow these steps:

1. Review the recommended risk treatment plan. This plan outlines how the project team should proceed to mitigate the risk. 

2. Once you and your team have mitigated the risk, navigate to the comments and attachments tabs to document the actions you’ve taken to complete the treatment plan.

  • Add comments: Your comments here are crucial to helping the University Privacy Office and Information Security Office determine the final risk rating.
  • Add attachments (if applicable): Files that support documented risk mitigation.
  • Add tasks (if applicable): Tasks can be used to help track and assign action items pertaining to individual treatment plans.

3. Once risk mitigation is complete and the team has added any necessary documentation, click the green Advance button at the bottom.

4. A window will pop up to prompt any final comments before sending the documented actions to the University Privacy Office and the Information Security Office for approval. 

5. Repeat these steps for each risk that has been mitigated.

DRA process completion

1. Once the project team has completed the prescribed mitigation treatment, click the tasks icon (check mark) at the top of the screen and Mark as Completed to close the task.

Note: Marking the task as completed does not close the DRA. The University Privacy Office (UPO) and Information Security Office (ISO) may still reach out with follow-up questions. DRAs are finalized and completed once UPO and ISO have conducted their reviews. Submitters will receive DRA completion emails from OneTrust.

2. Export the report as a PDF for your records by clicking the three-dot menu [...] at the top right of the screen.

Next steps

If you successfully avoided all risks and completed the accompanying risk mitigation plans:

  • Your project team’s risk mitigation is now complete!
  • If you are not working with a third party, your DRA process is complete.

If you are utilizing a third party and a vendor assessment is needed: 

  • Please follow up with the third party to ensure they received the assessment (from OneTrust) and are filling it out as soon as possible. Vendors will typically have a deadline of 3 days to complete the assessment once it has been assigned. It may take up to 24 hours for a Vendor Assessment to be assigned.
  • If your third party has not received the assessment, please reach out to the University Privacy Office with the following information:
    • The name of the vendor
    • The name of the project as entered in the DRA
    • The email address for the individual within the third party that will be filling out the assessment

Questions and support

Last modified February 16, 2024