This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Data Privacy

Takeaways from our Launch Event, Privacy Check

DataGrail, November 22, 2022

Going into 2023, there are some big changes on the docket for data privacy. The California Privacy Rights Act (CPRA) will go into effect on January 1, and four states will begin requiring organizations to conduct risk assessments at some point during the year.

To say things have been busy in the world of data privacy — and as a result, at DataGrail — would be an understatement.

Getting privacy professionals ready for 2023 has been a top priority for DataGrail. That’s why we hosted our recent Privacy Check virtual launch event. During the action-packed hour, we broke down current data privacy events with CPRA co-author Rick Arney, shared highly anticipated details on DataGrail’s roadmap with our leadership team, and heard privacy advice from Outreach’s Head of Privacy Heather Wood.

Let’s dive into some of the highlights.

Current Events in Data Privacy

We all know what the California Consumer Privacy Act (CCPA) means, but do you know the story around how it got started? Kicking off the event was a conversation with Rick Arney, co-author of the CCPA and CPRA.

How the CCPA Started

When asked how he got started in privacy, Arney told his story of being an identity theft victim. Someone had cloned his tax return to get his refund. This experience prompted him to think about his options for getting in front of lawmakers.

Alongside his friend, Alastair Mactaggart, Arney created an initiative in California, his home state. An initiative is a process where a citizen can create a law, and if that law meets the signature requirements, it can get placed on a voting ballot. Originally, they created the CCPA as a moderate approach to giving consumers control over what’s happening with their information.

Enforcing the CCPA

When Arney and Mactaggart started with the CCPA, they had an opportunity to essentially test drive this law. It passed, they observed how it was working, and they learned a lot about how they could make it better.

In the many phone calls they received from organizations, they realized that laws are only as good as they can be enforced. But they also knew the California Attorney General’s plate was full and might not get the attention they envisioned. That’s how they formed the California Privacy Protection Agency, which has a focused effort on enforcing California’s privacy laws.

The agency is endowed with its own subpoena, audit, penalty, and investigatory powers, and gives clear action around the laws Arney and Mactaggart put together.

The Future of California’s Privacy Laws

The CCPA’s enhanced regulation, the CPRA, goes into effect on January 1, 2023. One of the new requirements with the CPRA is privacy risk assessments for organizations.

According to Arney, this is important because a risk assessment is one of the first steps an organization can take in their effort to understand their data. During our event, he said that in his experience, every single organization has been surprised by something they find when they assess their data.

Further, he said that the CPRA isn’t meant to be punitive. It’s meant to foster a culture where companies and their people are stewards of privacy — and that culture starts with an information audit.

Get more insights from Arney, including what he predicts will happen with Congress when it comes to a federal privacy law, watch the on-demand version of Privacy. Check.

What’s Next for Data Privacy?

After our conversation with Arney, DataGrail CEO Daniel Barber took the mic to share exciting news: the company recently secured its Series C funding round at $45 million. This investment, led by Third Point Ventures, proves the market is looking for (and needs) a next-generation, integrated privacy solution.

To support this need and the future of DataGrail, the company recently brought on Chief Technology Officer Cathy Polinsky and Chief Revenue Officer Sam East. Both Polinsky and East joined the Privacy Check event to give details on the DataGrail roadmap.

Polinsky shared the company’s three core pillars that are supporting the roadmap: connect, manage, and scale.


Mapping out your data and connecting it across your entire technology ecosystem is the real foundation of a privacy program. Polinsky said that, when it comes to this pillar, DataGrail’s roadmap is focused on building additional APIs that will help bridge internal and external systems.

Data systems, especially internally, are getting more complex. This year, we launched our internal systems agent, which helps customers connect into APIs and relationship databases so they have a single view. Polinsky called this a “key differentiator” for DataGrail and confirmed the company will continue investing in this area.


People have an increased sense of urgency, especially with all the imminent and future privacy laws. After all, it’s not just about risk management — it’s also about building trust. That’s why brands are moving away from antiquated solutions like spreadsheets and moving toward solutions like DataGrail.

To help customers keep up with the user experience and build trust, Polinsky said DataGrail will be leaning into consent. But it’ll be better than just the generic cookie banner that offers a subpar user experience.

We’ll also be investing in risk monitoring. We want to put people in the driver’s seat and make sure they have the proactive insights to understand risk and make managing it easy.


With data privacy being such a hot issue today, it’s no wonder why companies big and small are relying on solutions like DataGrail to help manage and scale their privacy programs. The reality is, no matter the company, they all have the same challenges, just with different levels of complexity.

DataGrail supports companies of all sizes by keeping the solution simple. But we also know enterprises need more customization and flexibility, which is why our roadmap is focused on that. This year, we launched multiple identifiers and intake APIs, and the next big one we’re working on is around flexibility with data discovery.

Introducing Risk Monitor

The Risk Monitor launch was a highlight of this event. Christeene Alcosiba, Principal Product Manager, and Piper Stull-Lane, Director of Product Marketing, chatted about what this product is and how it’ll support DataGrail customers.

Several states have added regulations around risk assessments for 2023, which is why DataGrail decided to develop Risk Monitor. According to Alcosiba, a lot of the existing products in the market are glorified surveys and don’t truly help conduct a risk assessment.

Risk Monitor is different. It gives customers an easier and better way to help reduce risk holistically across their organization.

Four states are implementing required risk assessments in 2023. They all have different names, but they’re all here to accomplish the same goal: to help organizations assess risk when they’re adding or changing things to their software systems, or when they’re doing something that’s considered novel or high risk with those technologies.

The challenge we found for organizations is that there are no regulatory bodies that offer a standard assessment template. But because Europe has had a risk assessment requirement in place for years, we started Risk Monitor using their Data Protection Impact Assessment template as a baseline and mapped our questions from their recommendations. 

This means that our customers using Risk Monitor will be in compliance with all risk assessment regulations, no matter where they’re located.

To learn more about Risk Monitor, hear more highly anticipated details about our roadmap, and get privacy advice from Outreach’s Head of Privacy, watch the on-demand event.

subscribe to GrailMail

Like what you see?

Get data privacy updates sent straight to your inbox.