
Discogs is the popular music discovery and record collecting platform that connects millions of buyers and hundreds of thousands of sellers of vinyl records, CDs, and more across the globe. With millions of international buyers come millions of privacy and compliance challenges.
Sam Moss, the Privacy Program & Vendor Management Lead at Discogs, inherited an existing third-party privacy and vendor management platform when he started. He quickly identified several critical problems that were costing Discogs valuable time and resources.
33 → 4 days
"We reduced our vendor review process timing because TerraTrue pulls all the stakeholders into one launch page that is easily accessible and gets the review going."
— Sam Moss / Privacy Program & Vendor Management Lead
THE CHALLENGE
Tedious workflows and disconnected systems
Like many other creative companies, Discogs didn't fit perfectly into the typical "one size fits all" privacy and security platform. Vendor and review management felt messy, with lots of moving parts and wasted time. Moss relied heavily on email replies from stakeholders, and quick turnaround times felt light years away.
- Time-consuming reviews: Vendor reviews took up to four weeks on average to complete.
- Manual, email-heavy process: Moss was constantly sending back-and-forth emails for clarifications with internal business partners. There wasn't any way to comment within the platform.
- Overly complex assessments: Privacy questionnaires contained up to 90 questions, many not relevant to the review, creating unnecessary work and slowing things down.
"People would email us saying, 'Hey, I want this vendor onboarded,' and then I would have to create an intake questionnaire with our provider. There wasn't any way to comment — we would have to email back and forth with the internal business to get any information out of it. It was very tedious."
— Sam Moss / Privacy Program & Vendor Management Lead
THE SOLUTION
Consolidating privacy and vendor management in one platform
With renewal time approaching and a growing concern about capacity, Moss knew there had to be a more efficient way to meet Discogs' complex privacy needs and speed up vendor onboarding. The goal was to adopt a solution that saved time and money instead of creating more work.
"We were looking for tools that could not only solve the vendor intake process but also handle our privacy and RoPA-related requirements. We decided on TerraTrue specifically because it checked both boxes — it handled vendor intake and third-party risk management, and the RoPA was integrated into TerraTrue, along with the privacy assessments that come out of the box."
— Sam Moss / Privacy Program & Vendor Management Lead
What Discogs was looking for
Flexibility
The ability to easily adapt the software to fit the Discogs ecosystem and vendor management policies.
Reminders and scheduling
Better tools for managing regular reviews and fewer emails to get there.
Integrated functionality
A solution that covered both vendor management and privacy compliance.
"We saw TerraTrue's PIA and we thought, 'This is exactly what we need.' We needed something that checks the regulatory requirements but is also easy to use and shorter."
— Sam Moss / Privacy Program & Vendor Management Lead
IMPLEMENTATION
Full migration in under four weeks
How easy is it to move your entire vendor management and privacy operations for a global business to a new platform? Moss was determined to find out, with his North Star being "as quickly as possible."
The entire migration process — exporting all reports from the previous platform, creating and adapting new vendor requests inside TerraTrue, and training team members — took just under four weeks.
THE RESULTS
Faster reviews, simpler processes, and employee buy-in
Faster review times
Vendor review time dropped from 33 days to 4 days by pulling all stakeholders into one accessible launch page.
Employee confidence
People know where to go now. If they want to use a new product or create a new feature, they can go in themselves and create the launch. It's very approachable.
Speedy compliance progress
Moss completed privacy impact assessments for over half of their processing activities, with a goal to complete all 95 in the coming quarter.
"If they want to use a new product or create a new feature on our website, they can actually just go in themselves, create the Launch with the Screener and the Data Spec, and then we just do the Privacy Worksheet. It's very approachable."
— Sam Moss / Privacy Program & Vendor Management Lead
"Stakeholders clearly see a difference in how fast the review turnaround time is."
— Sam Moss / Privacy Program & Vendor Management Lead
KEY TAKEAWAYS
Lessons for privacy and compliance leads
- Break down silos between privacy and vendor management. If you have multiple teams involved in vendor onboarding or privacy, find a way to bring them all together.
- Prioritize user experience for better adoption. Simpler, more approachable tools lead to higher adoption rates across departments.
- Measure what matters. Track specific metrics like review cycle times, risk levels, and completion rates to demonstrate the value of your privacy program to leadership.
- Automate the repetitive aspects of compliance. Having TerraTrue automatically determine when a DPIA is needed saves cognitive load for privacy teams.
- Focus on cross-functional collaboration. Bringing finance, legal, and business teams into a single workflow improved efficiency and saved resources in the long run.

