Environmental, social, and governance (ESG) strategies are now central to doing business. Investors, customers, and the public at large all want to work with companies that follow socially responsible practices. ESG plans have spiked in popularity in recent years, spurred by public and regulatory pressure for businesses to demonstrate their commitment to corporate responsibility. 

A growing number of investors are adopting an ESG investing strategy. Ninety-six percent of chief investment officers say that ESG initiatives can play a role in investment decisions. And a significant majority say they’re willing to pay a premium for companies that demonstrate a connection between the corporate ESG strategy and financial performance. 

Regulators are also showing increased interest in ESG plans. The European Union enacted the Corporate Sustainability Reporting Directive (CSRD) in early 2023 and the Securities and Exchange Commission (SEC) recently proposed new rules to enhance climate reporting requirements. Companies are also expected to comply with a growing number of regulations, ranging from sustainability measures to pay equity requirements, that fall under the ESG umbrella. 

To create an ESG strategy that effectively meets the expectations of investors and regulators, reliable  data must be available at every step of the journey, from planning to day-to-day business activities to reporting accurate results. 

An Effective ESG Strategy Starts with Good Data

An effective corporate strategy — even if to simply comply with regulatory reporting requirements — should be built on data that clarifies objectives and promotes accountability throughout the organization. This requires a large data collection and analysis process, involving stakeholders from all parts of the business. That data will play a central role in every stage of the strategy-making process and is crucial for complying with ESG regulations. At each stage, stakeholders need access to accurate data to meet disclosure requirements and promote the integrity of decision-making and reporting. 

Establishing Your Baseline

Establishing your current baseline for ESG performance metrics requires you to collect far-reaching data. Example metrics may include your carbon footprint, energy consumption, diversity and inclusion efforts, product safety, and employee health and safety. It’s important to be thorough at this stage, since your baseline will help you tell an accurate story and meet regulatory requirements as you progress through your ESG journey.  

Setting S.M.A.R.T. Goals

With your baseline in place, now you can set specific, measurable, achievable, relevant and time-bound (S.M.A.R.T.) goals. Your baseline metrics, along with data specific to each initiative, will play a key role in setting these goals. For example, an energy efficiency goal will be based on your current consumption and the potential outcomes you can expect to achieve from a particular approach (such as energy-efficient lighting) in a set time frame. 

Assessing Your Risks

Your ESG plans shouldn’t be undermined by avoidable or manageable risks. Considering that these plans can be complex, being able to accurately gather and analyze data is essential to truly understanding the risk of any ESG initiative. The better your data capabilities, the better you will be at quantifying and prioritizing risk, as well as modeling the impact of various scenarios.

Validate Claims

As you make claims about your ESG initiatives, it’s reasonable for investors and regulators to seek proof of those assertions. For instance, if you claim to reduce carbon emissions by 3%, you’ll need to show the data to prove it. This will likely involve large swaths of detailed data, so it’s important to have strong data capabilities in place so you can respond accordingly. 

Empower Employees to Execute and Report on Your Corporate ESG Strategy

Data is a critical component of ESG planning and execution, but it doesn’t exist in a silo. People, processes, and technology must work in concert to gain the insights needed to drive a successful ESG strategy. 

Employees throughout the company must be able to leverage data to make decisions that align with your strategy. Fleet managers need routing analytics to reduce fuel consumption. Hiring managers and HR need compensation intelligence to ensure employees are paid fairly. Facility managers need building performance insights to reduce energy consumption.

The data gathered from these day-to-day business decisions must be consolidated and sent to the company’s ESG officer, the board, and any other stakeholders responsible for generating accurate, complete ESG reports. These reports aren’t just for investors and regulators. They also help the company track progress and refine ESG plans over time. 

The Role of Data Warehousing in Your Corporate ESG Strategy

Because of the sheer scale and complexity of the data involved in ESG planning and execution, it’s essential to have a modern data warehouse solution in place. Modern data warehouses can manage large volumes of data from multiple sources and feed the advanced reporting and analytics tools required for ESG planning. With these capabilities, along with a data governance model to ensure the accuracy of your data, you can achieve better outcomes from your data. 

Remove Data Silos

Because ESG planning requires you to collect data from throughout the company, it’s common to encounter data silos. These siloes slow down data aggregation efforts and increase the likelihood of inaccuracy and incompleteness. Using a modern data warehouse allows you to centralize large volumes of information. These platforms are meant to scale with you, even as your data sets grow exponentially. This allows you to capture the expansive data needed for ESG planning and reporting and feed the applications that enable employees to execute on your ESG strategy. 

Explore Unstructured Data

Some data warehouses are capable of housing unstructured data, while others are used alongside a data lake. In either case, having access to unstructured data provides you with the opportunity to surface new insights to support your ESG strategy. Because ESG standards are still taking shape, it’s hard to know what you need to know. There is a wealth of information relevant to your ESG strategy in your unstructured data. It’s important to capture it so you can have it when you need it. 

Leverage Advanced Analytics Platforms

You have a powerful set of business intelligence tools at your disposal for analyzing your ESG baseline, setting goals, and measuring risk. The key is to feed them with high-quality, comprehensive data. Using these analytics tools alongside a modern data warehouse and following consistent data governance and data management practices across platforms will position you for successful ESG tracking and reporting. 

This addresses a number of the common hurdles companies encounter when setting their corporate ESG strategy:

• Visualize ESG data to support better decision-making and communication with stakeholders.
• Reuse the same data structures across disparate business applications and ESG reporting platforms. 
• Reduce the complexity of business intelligence platforms, making them easier to manage and use for ESG stakeholders.

Shape Your ESG Strategy With Stronger Data

The effectiveness of your ESG strategy depends on your data. With a modern data warehouse, supported by formal data governance and management practices, you can uncover actionable ESG insights. You can also empower your employees to take tangible steps to meet your ESG goals and track your progress accurately. 

With the help of Kenway’s data consultants, you can modernize your data practices to meet the pressures of ESG planning and reporting. We provide modern data consulting services to firms that want to leverage the full capabilities of their data. Our data experts ensure that high-quality data is readily available to your employees, while implementing tools that can scale with you over time. 

To learn more about how we can help you leverage analytics more effectively for ESG planning, schedule a consultation with us: [email protected] 

ESG Strategy FAQs:

What data analysis is involved in developing an ESG strategy?

Developing an ESG strategy involves an intensive data analysis process. Data plays a key role in the following phases of ESG planning and execution:

• Perform a materiality assessment to uncover which priorities and initiatives are right for your business.
• Perform a baseline analysis that allows you to understand where you stand on current ESG metrics.
• Determine which metrics will paint the most accurate, complete picture of your progress.

What role does data play in setting ESG goals and KPIs?

When establishing ESG goals, data enables you to understand your current baseline, identify which opportunities will be most impactful, and determine the KPIs that will best measure your progress. 

What role does data transparency play in ESG reporting?

Data transparency is critical to providing stakeholders with assurance that your ESG claims are accurate. This is especially important for organizations that are subject to ESG regulations. They, along with investors, customers, and employees, associate the validity of your claims with the integrity of your business.

To avoid investigations, fines, and the legal implications of data security incidents, it’s critical for organizations to make data protection a top priority. Data protection laws have been around in some form for decades now and they have entered a new era. With an abundance of personally identifiable information (PII) being constantly shared, regulators are addressing the ethical implications of PII storage and use. The rights of individuals to dictate how their data is being used is of particular concern.

The first major data privacy law in more than 20 years, the General Data Protection Regulation (GDPR), changed the landscape by providing broad-scale protections for consumer data. Since then, new data protection laws have been established or proposed at the state, federal, and international levels. The number of laws will only continue to grow, and existing regulations will evolve quickly.

One of the biggest challenges in remaining compliant with any data privacy law is ensuring your organization has a full understanding of your data. Knowing the business purpose for collecting each data element and having a complete understanding of where your data is stored, where it comes from, and where it goes are all critical components of an implementation plan. Data mapping and advanced planning should be a focus for all organizations that are impacted by data privacy regulations.  

At Kenway, we’ve worked with many companies to help them implement changes to their business processes and to their data management framework to ensure they have the infrastructure needed to support regulatory compliance. We thought it would be helpful to provide a running list of the most prominent and recent data privacy laws to help you stay informed. We’ll be updating this page regularly, so be sure to check back for updates as new regulations are passed and current laws are amended!

General Data Protection Regulation (GDPR)

As the first major data privacy regulation in the European Union (EU)​​ since the 1990s, the General Data Protection Regulation (GDPR) serves as a model for other data privacy laws around the world and in the U.S. GDPR covers the data of all residents of the EU’s member states, regardless of where the entity collecting the data is located.

Some of GDPR’s most notable requirements include:

• Fines can reach up to €20 million or 4% of global revenue (whichever is higher) and individuals have the right to seek compensation for damages. 
• Data controllers must demonstrate compliance by taking actions such as designating GDPR responsibilities to employees, maintaining documentation of data collection practices, or appointing a Data Protection Officer.
• Organizations must demonstrate “appropriate technical and organizational measures” to manage data security. 
• Organizations can only collect or process personal information when they can justify the business needs as defined under the terms set forth by the law. 
• Individuals must give consent for their data to be processed. 
• Individuals are protected by eight privacy rights, such as the right of access and the right of erasure. 

The Federal Trade Commission Act (FTC Act)

While there are currently no data protection laws specific to the U.S., the Federal Trade Commission (FTC) does hold broad authority to enforce consumer protections. As it relates to data privacy, the FTC Act gives the agency the right to prevent deceptive practices, seek monetary redress and relief for conduct that harms consumers, and conduct investigations on entities engaged in commerce. 

Here are some of the instances in which the FTC may use this authority to investigate and take action against organizations:

• Violations of consumers’ privacy rights
• Failure to follow the published privacy policy, or transferring data in a manner not disclosed in the privacy policy
• Misleading consumers by failing to maintain security for sensitive information

California Consumer Privacy Act (CCPA)

When it passed in 2018, the California Consumer Privacy Act (CCPA) was the first significant statewide data privacy law in the U.S. It provides consumers who are California residents with greater protections and rights in respect to their personal data. The CCPA applies to businesses that collect consumers’ personal data, do business in the state of California, and either meet certain revenue thresholds or sell personal information. 

Some notable provisions are outlined below:

• Businesses that violate the CCPA may be liable for a penalty of up to $2,500 for each unintentional violation and $7,500 for each intentional violation.
• Consumers whose data "is subject to an unauthorized access and exfiltration, theft, or disclosure" as a result of a business' violation of CCPA can recover damages of $100-$750 or the amount of actual damages, whichever is greater.
• Consumers may request that a business delete their personal information and/or provide details on the personal data they store. 

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) expands the scope of the CCPA. One of its most notable provisions is the creation of an enforcement agency, the California Privacy Protection Agency, to take action against organizations that violate the CCPA. It also expands the definition of protected data to include employee and vendor information.

As of January 1, 2023, the CPRA also requires that:

• Any personal information on any California resident is subject to the law, not just consumers.
• Any California resident can request to change incorrect information, in addition to removing it.
• Companies may only retain personal information for the amount of time necessary and proportionate to the reason it was collected in the first place.
• Companies that use third party vendors must require those vendors to exercise the same level of data protection over the shared data as the first party. 
• Companies must regularly perform privacy assessments.

For more guidance on the tools available to  implement CPRA, read this guide. 

Québec Privacy Law - Bill 64

The first set of requirements under Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, went into effect on September 22, 2022. The bill makes significant amendments to existing privacy rules covered by various existing laws, most notably the Private Sector Act and the Public Sector Act. It’s expected to have a drastic impact on privacy practices within Québec and may provide a clue to how federal legislation will take shape in Canada. Here are some of the most notable provisions by effective date.

Effective September 22, 2022

• Private entities can be fined up to $25,000,000, or an amount equaling 4% of worldwide turnover for the preceding fiscal year, whichever is greater, for failing to meet compliance requirements.
• Individuals can be fined up to $100,000 for noncompliance.
• Both public and private sector entities must report data breaches, notify those who were affected, and keep a register of confidentiality incidents.
• Organizations must designate an individual responsible for privacy legislation.

Effective September 22, 2023

• Regulators have up to five years after the date of infraction to take action against offenders. 
• Under certain circumstances, individuals may request that entities delete some of their personal information or de-index any hyperlink attached to their name.
• Upon the collection of personal information, businesses must inform the individual of the purposes of the collection, the means by which the information is collected, the names of third parties that information will be shared with, and the person's right of access, rectification, and withdrawal of consent.

Virginia Consumer Data Protection Act (VCDPA)

Effective as of January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) is the second statewide data privacy law in the U.S. Though it’s built on the same framework as the CCPA, it’s less expansive in scope. 

• Residents are protected in an individual household context (such as home internet browsing), but not in a commercial or employment context (such as a job application).
• Businesses have a right to data that they believe was lawfully made available to the public, such as information posted on social media. 
• The sale of personal data is defined solely as an exchange for monetary compensation. Businesses can still transfer personal data to an affiliated or controlled company, have a third party process personal data on their behalf, and disclose personal data if a consumer requests a product or service.
• Businesses can also retain the data of consumers who opt out for the purposes of measuring the effectiveness and reach of marketing efforts. 

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) provides many of the similar rights and requirements as the CCPA and the VCDPA, however its approach is different. Covered entities are defined as controllers and processors instead of businesses and service providers. Controllers make the primary decisions to manage, collect, and utilize data. Processors maintain and process consumer personal data on behalf of a controller.

Here are some other ways the CPA differs from other state laws:

• District attorneys can enforce the law, in addition to the state’s attorney general. 
• Businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data are covered, regardless of whether that company derives less than 50% of its gross annual revenue from selling data.
• The law doesn’t contain a specific provision for fines. Since a violation is considered a deceptive trade practice, penalties are governed by the Colorado Consumer Protection Act. Under that law, noncompliance can lead to a potentially $20,000 fine per violation.

American Data Privacy Protection Act (ADPPA)

The American Data Privacy Protection Act isn’t the law of the land yet, but it’s the first comprehensive federal data protection law in the U.S. to gain significant bipartisan support. The sweeping legislation covers for-profit and nonprofit entities, with different obligations and exemptions for some organizations. Even if it doesn’t pass as currently written, it does give you a good idea of what federal legislators are focused on. The bill not only addresses data privacy protections, but it also addresses the potentially discriminatory impacts of algorithms.

Notable provisions of the proposed data privacy regulation are:

• Information that “identifies or is linked or reasonably linkable” to an individual or a device identifying an individual is protected.
• Employee data and publicly available information are excluded. 
• Covered entities must adopt practices that ensure data security and prevent discrimination and harm by the use of data and algorithms.
• The FTC, state attorneys general, and state privacy authorities are granted authority to enforce the law. 
• Individuals can sue for violations.

Compliance Isn’t Easy. We Can Help.

Because we’re in a new era for data privacy and protection, there’s a lot to learn about the nuances of each regulation and what it means for your business. Even when you understand the requirements of data protection laws, operationalizing compliance is a completely different challenge. 

At Kenway, we help organizations get a clear view of their data ecosystem so they can properly identify and protect sensitive data, maintain practices needed for compliance, and report to regulators with confidence. We help you develop a strategic plan for compliance that incorporates data governance, data management, and business processes designed to empower your teams to handle information properly and avoid risks. 

Contact our experts to make compliance less complicated. 

Data Privacy Laws: FAQs

How long after a data privacy law is enacted does my company have to become compliant?

The amount of time you have to become compliant depends on the effective date defined by the data privacy law. For example, the Colorado Privacy Act (CPA) was signed into law on July 7, 2021 with a July 1, 2023 effective date. Therefore, organizations covered under the law were given roughly two years to put compliance measures in place. 

What teams in my organization need to be involved with ensuring compliance with new data privacy law(s)?

The team involved in ensuring compliance should come from several departments throughout the company:

• Legal -  Interpret the law and confirm that implemented solutions meet its requirements
• Data -  Define the data lineage (the flow of the data) and the data map (a visualization of how data flows). 
• Technology - Build process and procedures needed to be able to respond to requests.
• Project Managers - Help drive the project to become compliant. These projects span across all technical assets of an organization and involve multiple departments with cross team dependencies that have to be managed. Having someone keeping things organized and keeping the project on track is critical with a project of this scale.

How do I know if a data privacy law impacts my company’s practices? How can I ensure my company remains compliant, despite all the changes to these laws and new privacy regulations being implemented?

Assign someone in your legal organization with the task of keeping up with the data privacy regulations. Alternatively, you can engage an external legal advisor who understands your business and the data privacy landscape.

How much should my company budget for to meet new compliance regulations? 

The budget needed to meet data compliance regulations is dependent on the number of technical assets a company has in its ecosystem and the maturity of an organization's data management structure. If you have a complete understanding of data lineage, implementation can be as little as six months. A large organization that is lower on the maturity curve should plan for an 18-month implementation. 

What are the 7 principles of GDPR?

GDPR was developed with the following principles:

1. Lawfulness, fairness and transparency 
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

What acts are covered by the Data Privacy Act?

Because there is no single overarching federal legislation in the U.S. dedicated to data privacy, the proposed American Data Privacy Protection Act (ADPPA) may overlap with or override some current regulations. Depending on the language in the final passage of the bill, it may override existing privacy laws like the CCPA. It also may overlap with portions of the Children’s Online Privacy Protection Act (COPPA) and the Kids Online Safety Act (KOSA).

What are the key CPRA requirements for January 2023?

Some of the most notable aspects of the CPRA that go into effect in January 2023 include:

• Any business that shares personal information must comply.
• All California residents are now covered under the law, not just customers.
• People can request that their personal information is changed, not just removed. 

Just when you think you have a handle on data privacy standards, new regulations come along. A slate of new data privacy laws and regulatory updates go into effect in 2023: the Virginia Consumer Data Protection Act, the California Privacy Rights Act (part of the California Consumer Privacy Act, or CCPA), and the Colorado Privacy Act. The California Privacy Rights Act (CPRA) is particularly significant. It expands the scope of what’s considered protected data and whose data is covered, requires more companies to comply, and mandates the creation of a privacy enforcement agency to hold companies accountable for being compliant. 

To get prepared, companies need to map and categorize data and determine the sensitivity of that data. They also have to create processes that allow people to opt-out from tracking and request that their data be deleted or changed. Software eases some of the burdens of implementing these protocols, and many companies choose OneTrust to ensure compliance. If you’re planning your approach to CPRA compliance, OneTrust is probably on your list of items to consider. Here’s what you need to know to use it effectively and ensure implementation runs smoothly. 

What Is OneTrust?

OneTrust is the most widely used data compliance solution on the market. Through a cloud-based platform, OneTrust provides end-to-end privacy management, data governance, and IT risk management solutions. It’s one of the fastest-growing cloud platforms, with more than 12,000 users. 

Why Should You Use OneTrust?

OneTrust offers an unmatched breadth of “trust intelligence” solutions that go beyond data protection and privacy. It also supports environmental, social, and governance (ESG) reporting, sustainability monitoring, and ethics and inclusion program management. As data privacy and protection requirements evolve, OneTrust allows you to scale your processes. 

OneTrust’s popularity also means that it’s been tested more than similar solutions. Because the data privacy space is new, there are many young, unproven players. OneTrust is already widely trusted by thousands of companies, many of which are in highly regulated industries. 

With that being said, every solution has its pros and cons.

Pros

• OneTrust is a comprehensive solution that covers all major data protection regulations, as well as provides support for other related compliance matters like SOX and HIPAA.
• It allows you to centralize data protection and privacy functions in a single platform. 
• The solution also provides guides to help users become more educated about data regulation and use the software more effectively.

Cons

• Implementation can be challenging and requires extensive prerequisite work to organize data. 
• The user interface can be intimidating. Many users have trouble navigating the settings and modules.
• There is a steep learning curve for those who aren’t already knowledgeable about compliance and the workflows required to implement it. 

OneTrust and CPRA 2023 Compliance

With the passage of the CCPA in 2018, California became a leader in data privacy regulations in the U.S. California privacy regulations are set to become even more stringent when the CPRA goes into effect in 2023. The CPRA expands the scope of existing legislation and calls for the creation of a new privacy enforcement agency (the California Privacy Protection Agency). 

Some notable new provisions of the CPRA include:

• Any personal information on any California resident is subject to the law, not just customers.
• Any California resident can request to change incorrect information, in addition to removing it. 
• Companies will have to regularly perform privacy assessments and submit them to the CCPA. 
• Employee and vendor information is now considered protected. 

These provisions significantly increase the complexity of compliance. With the creation of a dedicated enforcement agency, companies may be subject to audits, which may or may not be announced in advance.  

OneTrust provides a range of solutions that support CPRA compliance. For example, Privacy Rights (DSAR) Automation streamlines the data subject access request intake process and related workflows. Digital Policy Management allows you to update privacy notices remotely and maintain an audit log of changes to policy language. Assessment Automation enables cross-functional teams to perform privacy impact assessments.

Implementing OneTrust Successfully for CPRA Compliance

Though OneTrust provides robust features that support your data privacy compliance, it’s important to work with experts to avoid its pitfalls and set your organization up for success. Here are four ways introducing a partner can help:

1. Data Preparation

OneTrust solutions are set up based on the assumption that you have a complete inventory of your systems and data, clear ownership of the business purposes as well as the technology, and well-defined process workflows outlining where data is stored and how it flows between systems. If those structural elements aren’t in place, you can’t begin the onboarding process. 

2. Configuration

OneTrust is also highly configurable, which means you can tailor it to your needs. But without knowing exactly what you need, it’s difficult to configure it in a way that will cover your use cases and maintain ease of use.

3. Understanding Compliance

Data privacy laws are complex and can overwhelm IT teams that already have a full load to manage. Interpreting how the laws impact your business can be challenging, especially if your company wasn’t subject to the previous guidance.

4. New Processes

The new regulations require new processes, which can easily spiral into a complicated, unwieldy web of workflows. For the sake of efficiency and scalability, OneTrust processes must be set up with your current resources and future needs in mind. Otherwise, you may have trouble maintaining your processes as your company grows and regulations evolve. 

How Kenway Can Help

OneTrust is a robust tool for compliance, but you’ll still need to do a lot of heavy lifting on your own. Kenway has deep expertise in implementing systems and processes that enable you to be confident in your ability to comply. Our data compliance subject matter experts provide you with the assistance you need to implement it successfully.

Here’s how we can guide you through the OneTrust onboarding process:

1. Assess your current data privacy practices and advise you on which OneTrust modules are best for your business. 
2. Build business requirements and a plan to implement a solution.
3. Organize required inputs by gathering listings of impacted websites, policy notices, systems holding data, listing of owners of processes and assets, and coordinating with system owners to ensure all potential impacts are being considered. This is a critical part of the implementation process since OneTrust assumes all preparation is completed prior to kicking off an implementation program. 
4. Perform customizations and configure OneTrust tailored to your use cases.
5. Provide broader data governance and data management support to ensure OneTrust performs optimally:

• • Inventory and map data and data workflows. 
  • Define process workflows for requests.
  • Update privacy notice language and ensure the new language is rolled out properly. 
  • Oversee the change management process, including communication and training for impacted users. 

To learn how we’ve helped one company prepare for data privacy regulations, read this case study. 

The expanding slate of privacy regulations doesn’t have to expand your workload. We do the heavy lifting of coordinating cross-functionally, keeping track of all the assessments, developing your processes, and documenting workflows. Schedule a consultation to learn how Kenway’s experts set you up for OneTrust success. 

CPRA and OneTrust FAQs

What are the key CPRA requirements for January 2023?

Some of the most notable aspects of the CPRA that go into effect in January 2023 include:

• Any business that shares personal information must comply.
• All California residents are now covered under the law, not just customers.
• People can request that their personal information is changed, not just removed. 

What is new with consumer rights for CPRA in January 2023?

The CPRA extends privacy protections to all California residents, not just customers. In addition to requesting removal, they can request that businesses change their personal information if it’s incorrect. The law also calls for the protection of employee and vendor information, which weren’t originally covered under the CCPA.

How can OneTrust support my CPRA compliance program?

OneTrust offers several products, such as privacy rights automation and assessment automation, that help you meet CPRA compliance. 

Are there best practices to prepare data for OneTrust?

Data preparation—cleaning, mapping, normalizing, and structuring your data—is key to ensuring OneTrust success. It’s also a good idea to have a broader data governance strategy to guide how you manage your data. 

Will there be manual gaps in identifying consumer data with OneTrust?

It’s possible for there to be manual gaps when identifying consumer data in OneTrust. That’s why it’s important to coordinate with system owners to gather and organize your data inputs during the implementation process.