DataGrail in Action: Risk Register Product Demo

Kendall Lovett: Hello, everyone.

Kendall Lovett: Thanks for joining us.

Kendall Lovett: This November, Morning, afternoon, evening?

Kendall Lovett: We're gonna give it just a second for a few more people to trickle in here.

Kendall Lovett: And then we will get rolling.

Kendall Lovett: Alright.
Kendall Lovett: Let's get started.

Kendall Lovett: This is going to be a quick, live webinar today. We're going to take about 30 minutes to give you an overview of some new DataGrill

Kendall Lovett: product capabilities, in a product called Risk Register. My name's Kendall, love it. I run product marketing at DataGrail. I'm going to give you a brief introduction and sort of level set a little bit, and then Lisa Wang is with us today. She is our product manager, over all things risk and, data mapping.

Kendall Lovett: at Data Grail. We're thrilled to have her. She's going to walk you through what's available in the product today, as well as some additional exciting roadmap capabilities coming soon. So, Lisa, thank you so much for being here.

Lisa Wang: Excited to be here. Hi, everyone.

Kendall Lovett: Alright.

Kendall Lovett: Let's get into it.

Kendall Lovett: So…

Kendall Lovett: you know, we're just gonna… like I said, this is a short webinar, we're gonna dive in here. I think…

Kendall Lovett: One of the trends that we're seeing in 2026 is that privacy risk has really evolved, and the visibility of it has also increased for a couple of different reasons. And so when we think about what executive teams care about, these are two interesting reports from Gartner that you're seeing on the screen, whereas we look at

Kendall Lovett: First, from the CIO perspective, You know, managing cybersecurity and other technology risks, which include privacy risk.

Kendall Lovett: is a big deal for CIOs in 2025. It will continue to be into 2026. Obviously, a very big driver of that is AI adoption and AI usage, and we're seeing, overwhelmingly privacy playing a more

Kendall Lovett: prominent role there. We're also seeing, and I'll talk about this in a little bit more in a slide in a second, but there's been an evolution of what is…

Kendall Lovett: risk even mean for privacy? And we'll talk through the details of that today, and how DataGrill is approaching that and helping privacy teams

Kendall Lovett: Reduce and eliminate, identify, reduce and eliminate that risk.

Kendall Lovett: But obviously, this is a top concern for CIOs.

Kendall Lovett: In 2025, going into 2026. The other thing that's really interesting here is CEOs. So this is from a Gartner report. For the first time since 2021, risk management cracks the top 10 for CEOs.

Kendall Lovett: According to Gardner's study, and I think that, you know, delta of a 52% increase there on the number 10 slot is really telling.

Kendall Lovett: And from the Gartner.

Kendall Lovett: 2025 CEO survey, the quote was, you know, risk is back in the top 10 priorities for the first time, I'll add, for CEOs since 2021, as regulatory changes and cybersecurity threats challenge competitiveness.

Kendall Lovett: So this is, not a privacy-specific report. They weren't asking specifically about privacy questions. This is just a general overview of what are the strategic business priorities for CEOs in 2026, and, you know, risk management enters the top 10, and it's a huge increase. And a big driver for that

Kendall Lovett: is regulation, but that's not the only thing, as we're going to talk about, in just a minute. So just wanted to call that out.

Kendall Lovett: When we think about, you know, what is driving privacy risk.

Kendall Lovett: IDC also, in their recent MarketScape report for privacy management, called out that while a lot of organizations are concerned about what we'll call front-end or customer-facing privacy risks, these are very visible risks, like

Kendall Lovett: Consent, you know, banner compliance, dark patterns, Properly respecting opt-outs and,

Kendall Lovett: you know, do not sell or share and non-tracking signals. This is what's top of mind for folks, but there are a lot of internal risks that, again, as we implement new AI projects, as we expand what the data ecosystem looks like, as we increase

Kendall Lovett: sharing…

Kendall Lovett: and, you know, data pipelines that include third-party vendors that are using AI subprocessors. This is just becoming really complex, and what we've seen, you know, what Lisa and I see as we talk with

Kendall Lovett: Privacy teams, as we talk with customers that are looking to solve these challenges, is in general, there's a feeling of, number one, a lack of visibility.

Kendall Lovett: So I don't even know what I don't know about, you know, where privacy risk is in my business, and what exactly these risks are.

Kendall Lovett: And even if I did know.

Kendall Lovett: then it's difficult to know how to prioritize them. And even if I did know that, it's difficult to know how to take action to actually resolve them. And so I think, you know, if we, paint this picture of the challenge of privacy risk, this is what we're seeing today.

Kendall Lovett: And what does that actually mean? So I alluded to the fact that, you know, a few years back, when you think about privacy risk, and when most… again, we were just talking about CEOs and CIOs.

Kendall Lovett: when I think about privacy risk, we're mostly talking about GDPR fines for a select few organizations, mostly very large, you know, conglomerates, or enterprises, or tech organizations like Meta, and it feels sort of like a lightning strike, right? That may happen, but…

Kendall Lovett: It probably won't happen to us, and if it does, you know, we're willing to accept that risk.

Kendall Lovett: The risk of not staying on top of privacy and not managing

Kendall Lovett: you know, privacy demands is becoming greater, and it's not just about a GDPR fine anymore. So, a couple of call-outs here.

Kendall Lovett: you know, we're seeing an increase in litigation. This is private litigation and class action enforcement. So, according to a recent study from… a survey from Norton Rose Fulbright, depending on what type of

Kendall Lovett: company size you are and what type of industry you're in. In the US, organizations can expect around a 20-40% chance that they will be litigated for a privacy,

Kendall Lovett: you know, for, privacy noncompliance in 2026. And while this litigation can take a lot of different,

Kendall Lovett: It can take a lot of different forms. Primarily, what we're seeing is litigation around, again, consent compliance, these sort of very public, visible areas.

Kendall Lovett: In addition, those can be,

Kendall Lovett: anywhere from annoying to a legal team to detrimental to a brand. We have seen cases where these become very public, they become much larger than just an enforcement, or sorry, a, you know, litigation fine or settlement, and they can become, they can damage the brand and cause a negative impact there to

Kendall Lovett: customer attrition. That's what we see down below. That's a study from Google. This is primarily looking at consumer brands, but, you know, Google did a privacy by design report where they identified that, you know, 41… 49% of customers said, yeah, you know, if somebody offered a significantly better

Kendall Lovett: privacy experience, I would switch to the closest competitor, and I'm happy to share the details of that study.

Kendall Lovett: But again, I don't think every organization should expect to see a 49% customer attrition, but it is helpful as we think about how to position

Kendall Lovett: The risk of privacy, especially privacy practitioners who are trying to evangelize the need for this in our businesses, to understand that this is something that customers care about, and this is something that they are willing to switch to our competition if they provide a significantly better experience.

Kendall Lovett: We're all, I think, very aware of enforcements from, you know, California, CPPA, Texas, additional U.S. regulations coming out. This 900K average enforcement fine, intentionally excludes the large tech

Kendall Lovett: companies. This does not include recent, enforcements from, you know, towards Alphabet or Meta or those like that. This is just looking at non-tech brands. That average enforcement fine is $900K. And then.

Kendall Lovett: I think the last one that is maybe interesting and not as visible to folks is that

Kendall Lovett: there's a lot of AI investment going on right now, and a lot of the concern, in fact, the top concern, according to an S&P Global Voice of the Enterprise, report, the top concern and the top reason that AI projects are failing is privacy. It's that we don't know

Kendall Lovett: what, permissions we have. We don't know where sensitive personal information is, and where PII is, and what we can do with it, and that is slowing down and impacting the ability to roll out successful AI projects. So, this feels,

Kendall Lovett: you know, these are definitely negative impacts. There's a lot of challenge going on here. The reason that we're highlighting this in today's webinar is because we want to make sure to open the aperture a little bit, and help

Kendall Lovett: Our business leaders think about the fact that when we talk about privacy risk.

Kendall Lovett: We're not just talking about a GDPR fine. And, of course, there is a flip side to this. There are a lot of strong positives that come out of a strong privacy program, and I think we know that inherently. We know that… that, driving strong privacy can increase and does increase, you know, consumer trust.

Kendall Lovett: So there's a flip side to a lot of these factors, but as we're thinking about risk, we want to make sure that we're painting a complete picture and educating our business leaders on, you know, where the potential impacts are going to be to them.

Kendall Lovett: And so that's the reason the data grill is taking a…

Kendall Lovett: unified risk intelligence approach. DataGrow is a complete privacy platform. We cover all of the major use cases for privacy teams, from data mapping and discovery, data subject request management, consent management, and now, you know, risk assessments, PIAs, DPIAs, but with our latest

Kendall Lovett: Launch, expanding that to privacy risk management.

Kendall Lovett: And ultimately, each of these, use cases is a means to an end. And what is that end? That end is that we can identify, privacy needs throughout the business.

Kendall Lovett: Strengthen our privacy posture so that we can reduce risk.

Kendall Lovett: And improve, you know, business impacts through consumer trust.

Kendall Lovett: and brand trust. These are ultimately what we're striving to do. And so, that is the approach Data Girl takes. We have a unique position in the sense that we have built a platform over the last several years

Kendall Lovett: that is already very integrated and connected into your environment. So we have 2,500 plus out-of-the-box, you know, data grail-built and maintained integrations that help us get instant visibility into

Kendall Lovett: Things like AI sub-processing, sensitive personal information collection across your business. So unlike some of the other tools in the market, when you connect a third-party app to DataGrill, or

Kendall Lovett: when we use our patented system detection to discover and connect an app to DataGrail, like, let's take an example like BambooHR or, you know, Shopify, name your app.

Kendall Lovett: Without needing to go and run a scan, we can automatically give you detailed information about the…

Kendall Lovett: privacy intent, the processing activities, and the risks associated with that third-party vendor. We can also do deep data discovery and classification for internal systems.

Kendall Lovett: And for highly configur… configurable systems, things like Salesforce or HubSpot, where you may be collecting all sorts of information that we don't know out of the box, and we need to go run a,

Kendall Lovett: you know, run data discovery to determine that. And then again, with that information, it makes sense that we would then help move towards automating

Kendall Lovett: Action to resolve those, any challenges that we identify.

Kendall Lovett: And then, giving you that complete visibility. And so, this newest product that Lisa's gonna walk us through in just a second, Risk Register, is really a natural evolution of that, and something that we haven't seen enough of in the market, and so we're excited to bring that

Kendall Lovett: Two privacy teams, and help them really, number one, make an impact on the business by reducing that risk, and two, demonstrate that to their business leaders to help identify where and how the privacy team is positively impacting the business.

Kendall Lovett: And so, you know, I won't spend too much time on this slide, I want to make sure I give Lisa time to walk through the platform, but just to tie off on that, the reason that we're able to do that, uniquely

Kendall Lovett: is that we've built a complete privacy automation platform, so I already talked about our ability to integrate with third-party systems as well as internal systems, and then automate common privacy use cases

Kendall Lovett: Such as DSR management, opt-out management, consent management, data mapping, ROPA, automated ROPA generation, across that.

Kendall Lovett: And then, on top of that, I've already mentioned that centralized AI-powered risk management, which includes visibility and,

Kendall Lovett: context.

Kendall Lovett: And then, from that, you know, consumer-facing end, ensuring that we are able to deliver continuous compliance with responsive enforcement.

Kendall Lovett: And all of that is really underpinned by responsible, privacy-first AI.

Kendall Lovett: We won't go into, too much detail on the,

Kendall Lovett: on how we deliver that today, we'd love to have a conversation with you to walk through that in more detail if you're interested, but suffice it to say, we take a very…

Kendall Lovett: privacy-first approach to the way that we utilize AI and the platform. We do not train, or expose your customer data to,

Kendall Lovett: any outside model that's all contained internally. We take a lot of approaches to safeguard and make sure that we're applying privacy in a… or sorry, AI in a pragmatic

Kendall Lovett: Privacy-first way.

Kendall Lovett: And with that, I will, hand it over to Lisa to actually get into what this looks like.

Kendall Lovett: Actually, Lisa, while you're going, I apologize, I should say that this is a live webinar. We are happy to answer questions, so we do have both a chat feature and a Q&A box on the Zoom webinar. If you have questions, ask them at any time. We just ask that you use the Q&A feature so that we can track and make sure that we

Kendall Lovett: Answer those questions.

Lisa Wang: All right. Hi, everyone. As Kendall mentioned, my name is Lisa. I'm a product manager here at DataCrail, and we're super excited to introduce you to our new Risk Register product.

Lisa Wang: And it's kind of, you know, Kendall kind of touched on, our goal is to really help you move from reactive compliance to proactive risk management. So what does that actually look like? It really comes together right here in our new Risk Register product. Our vision is to build an end-to-end risk management platform that helps you detect and mitigate risks across your entire privacy platform and program.

Lisa Wang: All powered by responsible AI.

Lisa Wang: So it starts with AI-powered risk detection. So, instead of you hunting for risks, our platform will proactively discover and prioritize a full spectrum of privacy risks, everything including AI usage, sensitive data processing, vendor security gaps, all before they become real issues for your business.

Lisa Wang: And by pinpointing and helping you mitigate your most critical risks, our goal is to allow your team to focus its precious time and expertise on the highest impact areas of your organization.

Lisa Wang: And finally, it all feeds into a central source of truth. You'll finally have one place where you can confidently track and manage your organization's most critical privacy risks, and easily be able to demonstrate the ROI of your privacy program, both to auditors as well as internal stakeholders.

Lisa Wang: So, let's dive in and see it in action.

Lisa Wang: So I want you to meet Alex, who is a privacy manager at a fast-growing digital startup. The company is scaling fast, which is really exciting, but with that also comes a lot of chaos. And so what that means for Alex is that she feels like she's spending more time chasing status updates about new vendor reviews and new data use cases than actually managing risk.

Lisa Wang: And when her CISO asks her for a report on the status of the privacy program, it always feels like, you know, a half-day fire drill to pull together a spreadsheet that she doesn't even feel that confident about. So, let's see how the risk register transforms Alex's day from reactive to strategic and impactful.

Lisa Wang: So, like many of us, Alex's day starts with a really important question. What needs my attention right now?

Lisa Wang: Instead of opening a messy spreadsheet or an overflowing inbox, Alex's day starts right here on her DataGrail dashboard, where she has a clear view of her privacy program. She sees her DSAR requests, her systems, her high-risk assets, and most importantly, she's gonna see notifications about newly detected risks that we've flagged to her.

Lisa Wang: And today, she notices that a new system called Insight AI has been detected. And we flagged a really concerning combination of AI usage with sensitive data. So this immediately gets Alex's attention, and she clicks in to learn more about this new system.

Lisa Wang: Alex is taken straight to the Insight AI system profile page. She can see that our AI agent has already done a lot of the heavy lifting for her. There's a description about Insight AI that flags that this tool uses LLMs for hyper-personalized marketing, and the system is also automatically scored as high risk.

Lisa Wang: She sees that we've detected two risks in the system risk table, and now she can dig into the why by reviewing those recommendations.

Lisa Wang: So, the platform has flagged two risks. One is AI and automated decision making, and the other is the processing of sensitive data.

Lisa Wang: Our AI agent has provided some rich and important context on each of these risks. It flags that Inside AI is a high-risk AI system under the EU AI Act, and that its persona-building feature likely processes sensitive data like healthcare data, sexual orientation data, and even race information.

Lisa Wang: And so, you'll see that, it even provides the sources where this information was found, so that Alex can do some digging and validate this herself.

Lisa Wang: Hours of research here are completed in seconds. You know, Alex immediately understands why the system was flagged as high risk, and she agrees that a formal assessment is needed. So she accepts the recommended mitigation plan of completing an AI risk assessment with a single click.

Lisa Wang: And directly from that detected risk, she starts an assessment. The Create Assessment drawer opens up, we've already pre-selected the AI risk assessment template for her, and we pre-filled the system name as Insight AI.

Lisa Wang: She then assigns it to Jessica, who leads the marketing team, and sets a due date for a couple weeks out. And so fast forward a few weeks, Jessica has completed the assessment, Alex gets a notification in her inbox, and reviews Jessica's submission.

Lisa Wang: And as Alex is reviewing the assessment, she learns that, you know, this is a new tool that the marketing team has just onboarded.

Lisa Wang: Jessica's assessment also confirmed that the tool will be using some really sensitive data, and although we have our customers' consent to collect this information, internally, we haven't thought about a process in place to monitor the AI's outputs for bias. And so, armed with all of this information and insight, Alex is ready to formally log a risk about this system.

Lisa Wang: So she accepts the detected AI and automated decision-making risk, and approves the suggested mitigation measure of bias testing and model oversight. She assigns

Lisa Wang: this risk mitigation plan to Jessica, who's the owner of the tool, and adds a critical note for the audit trail, really flagging the legal requirement here to monitor this high-risk AI system under the EU AI Act. And with one click, this risk is logged in the risk register. The mitigation plan is assigned to the right owner, and the assessment is linked as a resource.

Lisa Wang: So you can see here how this entire process from detection all the way to accountability is captured in a single, seamless workflow.

Lisa Wang: And as Alex is wrapping up, you know, the inevitable happens, an urgent request from our General Counsel. Hey, Alex, I really need a summary of our top privacy risks for the board's audit committee meeting tomorrow. I'm so sorry for the late notice, but can you please help me out?

Lisa Wang: And Alex, instead of, you know, having to, panic and, you know, deal with another fire drill, she simply navigates to her risk register, her single source of truth for all of her privacy risks.

Lisa Wang: She already sees that new AI and automated decision-making risk is already in there, linked to Inside AI, with an owner assigned and a mitigation plan already in progress. She also has a clear view of some of the other critical risks across her business, like a missing DPA for a key vendor.

Lisa Wang: And the full picture is right there at her fingertips.

Lisa Wang: Alex moves on to the reporting dashboard for a instant visual summary of her entire privacy landscape. She knows that her GC will want to see trends over time. So, for example, a chart that shows a month-over-month view of risks broken down by severity.

Lisa Wang: And she knows another key metric that her GC is looking for is the average amount of time it's taking each department to implement mitigation measures that have been assigned to risks. And she's proud to say that that average time to mitigation has improved significantly over the last quarter.

Lisa Wang: So, in two clicks, Alex reports the dashboard charts, as well as the detailed risk table, and confidently sends that over to her GC, well before her day ends. And that is the transformation. Alex went from, you know, chaotic fire drill to a really confident and controlled workflow.

Lisa Wang: The risk register was able to give her the confidence to manage and report on her privacy program.

Lisa Wang: So, just taking a quick look at the roadmap, you know, our goal is to evolve the risk register from a powerful system of record to an intelligent, proactive system that automates the entire risk management lifecycle. And it all starts this quarter, where we're building on the foundation by launching two of our most requested features, automated risk flagging through assessments, and AI-powered system risk detection.

Lisa Wang: And then as we head into the next year, as Kendall touched on, we'll really be automating risk workflows to help you execute on some of the mitigation plans. By analyzing, you know, each risk in the context, our platform will recommend the best mitigation plan, and then also help you drive towards automated resolution.

Lisa Wang: So imagine a world where complex workflows like creating JIRA tickets or sending escalations to stakeholders are all going to be done automatically on your behalf.

Lisa Wang: And so, our vision, again, is to bring everything together by integrating the risk register with our request manager and consent products to create a truly unified view of risk across your privacy program.

Lisa Wang: And, the best way to understand the impact of our new Risk Register feature is to hear it directly from our beta customers. We're super lucky to have worked with, you know, 7 beta customers to really make sure that we're solving real-life problems, and Monique's feedback here perfectly captures our goal. We want to replace the manual, frustrating process of managing risks in a spreadsheet with a simple, repeatable, and automated workflow.

Lisa Wang: And hearing that, you know, this feature makes life a lot easier, we know that we're on the right track, and so we're really excited to share this with you.

Lisa Wang: All right. Thanks, Lisa.

Kendall Lovett: Yeah, we have about 5 minutes left. Let's answer a few questions. So I think, Dustin asked a question in the chat, which I think is a great one. I answered it in the chat, but I think it's worth double-clicking on.

Kendall Lovett: what's going on behind the scenes here a little bit. So I'll take a quick stab, and then feel free to, add in Lisa. So…

Kendall Lovett: The beautiful thing about this is that what we're showing you today, most of the underlying technology for this, already exists in Datagrail today. Our customers already have access to it. That includes a patented system detection approach, which, does not need to go scan your network like a Netscope.

Kendall Lovett: We're able to bring in systems through a number of different ways that includes, direct

Kendall Lovett: connection to, like, an SSO provider like Okta, but then also a really innovative approach that includes tracking what apps are connected into other applications. So, for example, let's take this inside AI approach. We don't need

Kendall Lovett: Insight AI that Lisa demonstrated today, it doesn't need to be connected to your SSO provider for DataGrail to find it. There's several other ways that we can detect that, including if someone connects it into a Salesforce

Kendall Lovett: environment, or a, Marketo environment, right? So, we're able to bring those in automatically. And then concerning how we identify

Kendall Lovett: what the system is doing, we don't need to go and scan inset AI

Kendall Lovett: or get credentials, you know, from you to go do that. We use a metadata library that we maintain, where we can, use public and private sources to keep a list of these vendors and what types of data they process.

Kendall Lovett: what types of AI sub-processors they use, what their use cases are. So the moment Insight AI is connected, you're getting those immediate insights about it, and then you can go, as Lisa said, verify yourself that that is… that that's accurate, and take action from there.

Kendall Lovett: Other questions, we've got about, 3 minutes left here, so if anybody has any other questions you'd like to ask.

Kendall Lovett: Go ahead and add them to the Q&A box.

Kendall Lovett: One other thing that I'll call out is that, you know, Lisa pointed to the fact that

Kendall Lovett: there's some agentic AI capabilities… there's already some AI capabilities in the platform today to make recommendations, and she mentioned that in 2026, we're going to be moving towards this Agentic approach. As I mentioned earlier in the call, we understand

Kendall Lovett: you know, we sell a privacy platform. It has always been DataGirl's approach to take a responsible and privacy-first,

Kendall Lovett: approach to new technology, and so this is something where

Kendall Lovett: We intentionally avoid needing to go and expose customer data, wherever possible.

Kendall Lovett: We do not, you know, process your customer data directly in our SaaS applications. That's something that's done in your environment internally, and then we're just tracking metadata from that. So again, happy to go into more detail there, but it's a common question we get asked about how we approach AI, and I'm happy to provide more detail.

Kendall Lovett: Alright, you should have also seen a survey pop up if you would like to learn more.

Kendall Lovett: And have a conversation with our team directly about how you can use this today.

Kendall Lovett: We would be happy to, to continue the conversation.

Kendall Lovett: Another question here, lisa, I'll let you answer this one. So my company is a B2B insurance company. A lot of privacy laws aren't applicable. Can we configure risk assessments and the register based on our industry?

Lisa Wang: That is a great question. So, on our roadmap, we do have plans to really contextualize risk, and I think that's what you're hitting on, right? We have

Lisa Wang: customers, you know, everything from e-commerce companies all the way to, you know, B2B, more focused providers like yourself, and that is something that we consistently, you know, hear about, right? Which is, what's risky to you as a B2B insurance company is different than an e-commerce company. So that's absolutely on the roadmap, which is, you know, also going to involve.

Lisa Wang: you know, better understanding, the context, right, in which these risks are flagged, and so we'll have the ability to allow you to configure, kind of, what triggers a risk, and also, based on those risks that matter to you, what actions, or what, you know, risk scores.

Lisa Wang: Or even, you know, who the owner should be, right? So those are the types of things that we're gonna be building out in the roadmap.

Kendall Lovett: Great question. Yeah, it's always a balance of, making sure that you're getting the right information at the right time and the right alert, and also

Kendall Lovett: not overwhelming, right, with noise or things that aren't really applicable, so that's absolutely something that's top of mind for us and for our customers. That's a great question.

Kendall Lovett: Okay, with that, we are at time. Again, please reach out if you would like to learn more. We appreciate your time today. Thank you so much for joining us.

Lisa Wang: Thanks, everyone.