# OneTrust MCP

> OneTrust MCP manages your entire data privacy compliance stack. Automate everything from handling Data Subject Access Requests to mapping personal data across systems, assessing vendor risk, and tracking security incidents using natural conversation with any AI client.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** gdpr, ccpa, hipaa, data-privacy, compliance-automation, risk-assessment, consent-management

## Description

Handling data governance used to mean opening a dozen separate dashboards just to get one answer. Now, you can connect your OneTrust account to your preferred AI agent via Vinkius, and manage privacy compliance through simple conversation. Your agent acts as a unified interface for all things sensitive: from managing Data Subject Requests (DSARs) to checking vendor risk profiles. It pulls data on which systems process personal information, reviews required consent purposes, and tracks incident severity levels—all without you having to click through complex menus. This MCP brings together everything needed to prove GDPR or CCPA compliance into one workflow. You simply ask your AI agent for the status of overdue assessments or a list of open DSARs, and it gives you an immediate, actionable summary.

## Tools

### onetrust_get_assessment
Retrieves full details for a specific privacy impact assessment, including identified risks and recommendations.

### onetrust_create_dsar
Registers a new data subject access request (DSAR) on behalf of an individual, calculating the necessary regulatory deadlines.

### onetrust_list_assessments
Lists all completed privacy impact assessments (PIAs/DPIAs), showing their risk score, status, and owner.

### onetrust_list_vendors
Shows a list of third-party vendors, their risk scores, assessment status, and contractual safeguards.

### onetrust_get_dsar
Pulls the complete history and status of one individual's data subject request for detailed investigation or reporting.

### onetrust_list_assets
Generates the full data map by listing every system that holds personal data, its purpose, and legal basis.

### onetrust_list_consent_purposes
Reviews all configured consent purposes in your cookie banner, detailing categories, associated trackers, and default settings.

### onetrust_list_dsars
Provides a dashboard view of all data subject access requests (DSARs), showing their status, deadline, and type.

### onetrust_list_incidents
Lists security and privacy incidents, detailing the severity, affected subjects count, and regulatory notification status.

### onetrust_list_risks
Aggregates all identified enterprise risks from the risk register, including impact level, likelihood score, and treatment plan.

## Prompt Examples

**Prompt:** 
```
How many open data subject requests do we have?
```

**Response:** 
```
You have **7 open DSARs**:

🔴 **2 overdue** — Both are deletion requests (GDPR Art. 17) past the 30-day deadline
🟡 **3 in progress** — 1 access request, 2 portability requests (due in 12, 18, 22 days)
🟢 **2 new** — Submitted today, auto-routed to the Privacy Team

The 2 overdue requests need immediate attention — shall I show the details?
```

**Prompt:** 
```
Which vendors have overdue security assessments?
```

**Response:** 
```
There are currently 4 vendors with overdue security assessments:
1. CloudHost Inc. (High Risk) - Overdue by 15 days
2. DataFlow Analytics (Medium Risk) - Overdue by 8 days
3. MailSender Corp (Low Risk) - Overdue by 3 days
4. CDN Partners (Medium Risk) - Overdue by 1 day
Would you like me to trigger automated reminders for these vendors?
```

**Prompt:** 
```
Show the data map for our CRM system.
```

**Response:** 
```
Here is the data map for the CRM System:
- **Personal Data Processed:** Names, email addresses, phone numbers, purchase history.
- **Purpose:** Customer relationship management, direct marketing.
- **Legal Basis:** Legitimate interest (CRM), Consent (Direct Marketing).
- **Retention Period:** 5 years after last contact.
The CRM system is fully compliant with current policies.
```

## Capabilities

### Audit data subject rights requests
Create, track, and get full details on any privacy request—like deletion or access—for compliance reporting.

### Map personal data flows
List every system that processes personal data, showing its purpose, legal basis, and risk classification.

### Assess third-party vendor security
View the status and risk scores of all connected vendors to verify due diligence requirements.

### Review privacy impact findings
List and retrieve full details on internal assessments, like DPIAs, used to measure project risk.

### Manage security incidents
Track all reported privacy breaches or near-misses, noting the severity and regulatory notification status.

## Use Cases

### Responding to a large data audit request
The Security Manager needs to show auditors that they track all risks and vendor compliance. They ask their agent to 'List privacy and security risks' and then immediately run `onetrust_list_vendors` to prove every partner has an up-to-date assessment.

### Handling a CCPA deletion request
A user submits a deletion request. Instead of manually opening the system, the agent uses `onetrust_create_dsar` to register it immediately, ensuring the correct 30-day clock starts ticking.

### Mapping new product data flows
The Product Owner needs to know where customer PII is going. They ask the agent to 'List data inventory assets' which generates a clear map of all systems processing personal data and their legal basis.

### Reviewing vendor compliance before signing a contract
The Procurement team needs assurance that a new partner meets standards. They run `onetrust_list_vendors` to check the risk score, assessment status, and if a Data Processing Agreement is signed.

## Benefits

- Eliminate manual dashboard hopping. Instead of opening 5 different reports for DSARs, you simply ask your agent to 'List open DSARs' and get a consolidated status report instantly.
- Prove due diligence easily. You can use `onetrust_list_vendors` to pull risk scores and assessment statuses in minutes, not days, which is crucial for board meetings.
- Know exactly what data you have. Use `onetrust_list_assets` to generate the full data map, showing every system that processes personal data and why—essential for GDPR Article 30 compliance.
- Stay ahead of breaches. If a security incident happens, your agent can use `onetrust_list_incidents` to report severity and track if regulatory notifications are required.
- Streamline consent management. Reviewing cookie banners is easier when you run `onetrust_list_consent_purposes`, seeing exactly which trackers map to which marketing category.

## How It Works

The bottom line is you get an immediate, conversational summary of complex compliance data without ever leaving your AI client.

1. Subscribe to the MCP on Vinkius and enter your OneTrust API token from the Admin Console.
2. Your AI agent connects directly to your OneTrust instance, granting it read/write access to compliance data.
3. Ask a specific question—for example, 'Show me all vendors with overdue assessments' or 'List open DSARs'—and your agent executes the necessary workflow.

## Frequently Asked Questions

**What is the difference between `onetrust_list_assets` and `onetrust_get_dsar`?**
`onetrust_list_assets` gives you a map of your entire data ecosystem—every system that processes PII. `onetrust_get_dsar` provides deep details on one specific request, showing its history and fulfillment steps.

**Can I use OneTrust MCP to check vendor status?**
Yes, you can list third-party vendors using `onetrust_list_vendors`. This tool shows the current risk score and whether their security assessments are overdue or pending a contract.

**How does OneTrust MCP manage data deletion requests?**
You use the `onetrust_create_dsar` tool to log a deletion request. The system automatically tracks the regulatory deadline and initiates the required internal workflow for removal.

**Does this MCP help with security incident reporting?**
Yes, you can use `onetrust_list_incidents` to pull all logged privacy breaches or near-misses. This tool shows severity and whether regulatory notifications are required.

**What is the purpose of running `onetrust_list_risks`?**
`onetrust_list_risks` aggregates your enterprise risk register. It gives you a consolidated view of identified risks, their potential impact, and what treatment plan (like mitigating or accepting) has been assigned.

**How do I get started with OneTrust?**
Subscribe, then enter your OneTrust API token (from **Admin Console → Integration → API Access**) and your base URL (e.g., app.onetrust.com or app-eu.onetrust.com). Your AI agent connects instantly. No code, no SDK — just connect and start managing privacy compliance.

**Can my AI agent handle GDPR data subject access requests?**
Yes. Create DSARs directly from conversation — specify the subject's name, email, and request type (access, deletion, rectification, portability, opt-out). OneTrust automatically calculates regulatory deadlines (30 days for GDPR, 45 days for CCPA) and routes the request to the right handler.

**How do I check which vendors have overdue security assessments?**
Ask your agent "show me vendors with overdue assessments" and it lists every third-party vendor with their risk score, questionnaire status, and last review date. You see exactly which processors need follow-up — all without logging into OneTrust or switching tabs.

**Is this suitable for multi-regulation compliance (GDPR + CCPA + HIPAA)?**
Absolutely. OneTrust is built for multi-regulation environments. Browse your entire data inventory mapped to processing purposes and legal bases, track DSARs across any regulation, manage privacy impact assessments, and monitor incidents with regulatory notification requirements — perfect for enterprises, healthcare organizations, and global companies operating across jurisdictions.