October 25, 2022
10 minutes read
Technology Solution Delivery

Your Guide to Using OneTrust for CPRA Compliance in 2023

Just when you think you have a handle on data privacy standards, new regulations come along. A slate of new data privacy laws and regulatory updates go into effect in 2023: the Virginia Consumer Data Protection Act, the California Privacy Rights Act (part of the California Consumer Privacy Act, or CCPA), and the Colorado Privacy Act. The California Privacy Rights Act (CPRA) is particularly significant. It expands the scope of what’s considered protected data and whose data is covered, requires more companies to comply, and mandates the creation of a privacy enforcement agency to hold companies accountable for being compliant. 

To get prepared, companies need to map and categorize data and determine the sensitivity of that data. They also have to create processes that allow people to opt-out from tracking and request that their data be deleted or changed. Software eases some of the burdens of implementing these protocols, and many companies choose OneTrust to ensure compliance. If you’re planning your approach to CPRA compliance, OneTrust is probably on your list of items to consider. Here’s what you need to know to use it effectively and ensure implementation runs smoothly. 

What Is OneTrust?

OneTrust is the most widely used data compliance solution on the market. Through a cloud-based platform, OneTrust provides end-to-end privacy management, data governance, and IT risk management solutions. It’s one of the fastest-growing cloud platforms, with more than 12,000 users. 

Why Should You Use OneTrust?

OneTrust offers an unmatched breadth of “trust intelligence” solutions that go beyond data protection and privacy. It also supports environmental, social, and governance (ESG) reporting, sustainability monitoring, and ethics and inclusion program management. As data privacy and protection requirements evolve, OneTrust allows you to scale your processes. 

OneTrust’s popularity also means that it’s been tested more than similar solutions. Because the data privacy space is new, there are many young, unproven players. OneTrust is already widely trusted by thousands of companies, many of which are in highly regulated industries. 

With that being said, every solution has its pros and cons.


  • OneTrust is a comprehensive solution that covers all major data protection regulations, as well as provides support for other related compliance matters like SOX and HIPAA.
  • It allows you to centralize data protection and privacy functions in a single platform. 
  • The solution also provides guides to help users become more educated about data regulation and use the software more effectively.


  • Implementation can be challenging and requires extensive prerequisite work to organize data. 
  • The user interface can be intimidating. Many users have trouble navigating the settings and modules.
  • There is a steep learning curve for those who aren’t already knowledgeable about compliance and the workflows required to implement it. 

OneTrust and CPRA 2023 Compliance

With the passage of the CCPA in 2018, California became a leader in data privacy regulations in the U.S. California privacy regulations are set to become even more stringent when the CPRA goes into effect in 2023. The CPRA expands the scope of existing legislation and calls for the creation of a new privacy enforcement agency (the California Privacy Protection Agency). 

Some notable new provisions of the CPRA include:

  • Any personal information on any California resident is subject to the law, not just customers.
  • Any California resident can request to change incorrect information, in addition to removing it. 
  • Companies will have to regularly perform privacy assessments and submit them to the CCPA. 
  • Employee and vendor information is now considered protected. 

These provisions significantly increase the complexity of compliance. With the creation of a dedicated enforcement agency, companies may be subject to audits, which may or may not be announced in advance.  

OneTrust provides a range of solutions that support CPRA compliance. For example, Privacy Rights (DSAR) Automation streamlines the data subject access request intake process and related workflows. Digital Policy Management allows you to update privacy notices remotely and maintain an audit log of changes to policy language. Assessment Automation enables cross-functional teams to perform privacy impact assessments.

Implementing OneTrust Successfully for CPRA Compliance

Though OneTrust provides robust features that support your data privacy compliance, it’s important to work with experts to avoid its pitfalls and set your organization up for success. Here are four ways introducing a partner can help:

1. Data Preparation

OneTrust solutions are set up based on the assumption that you have a complete inventory of your systems and data, clear ownership of the business purposes as well as the technology, and well-defined process workflows outlining where data is stored and how it flows between systems. If those structural elements aren’t in place, you can’t begin the onboarding process. 

2. Configuration

OneTrust is also highly configurable, which means you can tailor it to your needs. But without knowing exactly what you need, it’s difficult to configure it in a way that will cover your use cases and maintain ease of use.

3. Understanding Compliance

Data privacy laws are complex and can overwhelm IT teams that already have a full load to manage. Interpreting how the laws impact your business can be challenging, especially if your company wasn’t subject to the previous guidance.

4. New Processes

The new regulations require new processes, which can easily spiral into a complicated, unwieldy web of workflows. For the sake of efficiency and scalability, OneTrust processes must be set up with your current resources and future needs in mind. Otherwise, you may have trouble maintaining your processes as your company grows and regulations evolve. 

How Kenway Can Help

OneTrust is a robust tool for compliance, but you’ll still need to do a lot of heavy lifting on your own. Kenway has deep expertise in implementing systems and processes that enable you to be confident in your ability to comply. Our data compliance subject matter experts provide you with the assistance you need to implement it successfully.

Here’s how we can guide you through the OneTrust onboarding process:

  1. Assess your current data privacy practices and advise you on which OneTrust modules are best for your business. 
  2. Build business requirements and a plan to implement a solution.
  3. Organize required inputs by gathering listings of impacted websites, policy notices, systems holding data, listing of owners of processes and assets, and coordinating with system owners to ensure all potential impacts are being considered. This is a critical part of the implementation process since OneTrust assumes all preparation is completed prior to kicking off an implementation program. 
  4. Perform customizations and configure OneTrust tailored to your use cases.
  5. Provide broader data governance and data management support to ensure OneTrust performs optimally:
    • Inventory and map data and data workflows. 
    • Define process workflows for requests.
    • Update privacy notice language and ensure the new language is rolled out properly. 
    • Oversee the change management process, including communication and training for impacted users. 

To learn how we’ve helped one company prepare for data privacy regulations, read this case study. 

The expanding slate of privacy regulations doesn’t have to expand your workload. We do the heavy lifting of coordinating cross-functionally, keeping track of all the assessments, developing your processes, and documenting workflows. Schedule a consultation to learn how Kenway’s experts set you up for OneTrust success. 

CPRA and OneTrust FAQs

What are the key CPRA requirements for January 2023?

Some of the most notable aspects of the CPRA that go into effect in January 2023 include:

  • Any business that shares personal information must comply.
  • All California residents are now covered under the law, not just customers.
  • People can request that their personal information is changed, not just removed. 

What is new with consumer rights for CPRA in January 2023?

The CPRA extends privacy protections to all California residents, not just customers. In addition to requesting removal, they can request that businesses change their personal information if it’s incorrect. The law also calls for the protection of employee and vendor information, which weren’t originally covered under the CCPA.

How can OneTrust support my CPRA compliance program?

OneTrust offers several products, such as privacy rights automation and assessment automation, that help you meet CPRA compliance. 

Are there best practices to prepare data for OneTrust?

Data preparation—cleaning, mapping, normalizing, and structuring your data—is key to ensuring OneTrust success. It’s also a good idea to have a broader data governance strategy to guide how you manage your data. 

Will there be manual gaps in identifying consumer data with OneTrust?

It’s possible for there to be manual gaps when identifying consumer data in OneTrust. That’s why it’s important to coordinate with system owners to gather and organize your data inputs during the implementation process. 

How Can We Help?