
How the World's Largest Music Marketplace Cuts Vendor Review Time from 33 Days to 4 Days

“We reduced our vendor review process timing because TerraTrue pulls all the stakeholders into one launch page that is easily accessible and gets the review going. One of the outcomes is just employee confidence. People know where to go now. If they want to use a new product or create a new feature on our website, they can actually just go in themselves, create the Launch with the Screener and the Data Spec, and then we just do the Privacy Worksheet. It's very approachable.”

– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
From Bottleneck to Breakthrough: The Discogs Story
Discogs, the popular music discovery and record collecting platform, connects millions of buyers and a couple hundred thousand sellers of vinyl records, CDs, and more across the globe. With millions of international buyers come millions of privacy and compliance challenges. Sam Moss, the Privacy Program & Vendor Management Lead at Discogs, and an avid guitar collector, inherited an existing third-party privacy and vendor management platform when he started at Discogs.
Moss quickly identified several critical problems with the platform that were costing Discogs valuable time and resources:
- Time-consuming reviews: Vendor reviews took up to four weeks on average to complete
- Manual, email-heavy process: Moss was constantly sending back-and-forth emails for clarifications with internal business partners
- Overly complex assessments: Privacy questionnaires contained up to 90 questions, many that were not relevant to the review, creating unnecessary work and slowing things down
With renewal time approaching and a growing concern about capacity, Moss knew there had to be a more efficient way to meet Discogs’ complex privacy needs and speed up vendor onboarding. Four weeks later, Moss condensed vendor onboarding time. How’d they do it? Keep reading.
THE CHALLENGE
Tedious Workflows and Disconnected Systems
Like many other creative companies, Discogs didn’t fit perfectly into the typical “one size fits all” privacy and security platform. Vendor and review management felt messy, with lots of moving parts and wasted time. Moss relied heavily on email replies from the stakeholders—quick turnaround times and dynamic collaboration felt light years away with the existing platform.
"People would email us saying, 'Hey, I want this vendor onboarded,' and then I would have to create an intake questionnaire with our provider. There wasn't any way to comment—we would have to email back and forth with the internal business to get any information out of it. It was very tedious.”
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
This created real problems for the business. Moss frequently had to chase down business units when information was missing or didn't match up. What should have been a simple process turned into a maze of back-and-forth emails, slowing down both vendor onboarding and privacy reviews.
"Frequently, I would have to go back to the business and say, 'Hey, the data elements don't line up with what's in the DPA.' It was a messy process that involved a lot of back-and-forth emails and was not streamlined enough."
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
The icing on the cake? Privacy assessments were too complex, with some questionnaires containing over 90 questions.
THE SOLUTION
Conserve Resources by Consolidating Privacy and Vendor Management
Discogs knew it was time to look at other options to win back time, resources, and the brain power required for 90-question forms. The goal was to adopt a solution that saved time and money instead of creating more work and taking more time to get up and running.
"We were looking for tools that could not only solve the vendor intake process but also handle our privacy and RoPA-related requirements. We decided on TerraTrue specifically because it checked both boxes—it handled vendor intake and third-party risk management, and the RoPA was integrated into TerraTrue, along with the privacy assessments that come out of the box."
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
What was the Discogs team looking for in a privacy platform partner?
- Flexibility: The ability to easily adapt the partner’s software to fit the Discogs ecosystem and vendor management policies
- Reminders and scheduling: Better tools for managing regular reviews and fewer emails to get there
- Integrated functionality: A solution that covered both vendor management and privacy compliance
Moss quickly landed on TerraTrue.
"We saw TerraTrue's PIA and we thought, 'This is exactly what we need.’ We needed something that checks the regulatory requirements but is also easy to use and shorter.”
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
Unlike other vendors that specialized in either privacy or vendor management, TerraTrue offered an all-in-one solution. The ability to automatically trigger the right assessments based on data inputs was especially helpful, and a big improvement from Discogs’ previous partner.
“TerraTrue automatically detects if a DPIA is needed because of specific criteria. I don't have to put my thought into that—it does it for me, which is amazing. It's saving that mental energy because I have other things to think about.”
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
Added bonus: Automatic assessments and no 90-question forms ✔️
THE IMPLEMENTATION
Testing the Speed Limit of Platform Migration
How easy is it to move your entire vendor management and privacy operations for a global business to a new platform? Moss was determined to find out, with his North Star being “as quickly as possible.”
The result? The entire migration process took just under four weeks—an impressive timeline even for companies much smaller than Discogs. But as Moss sees it, you can’t halt operations to accommodate a platform change. The 🎵 music keeps playing…
"The reason we were so fast on migrating is because we have vendor requests coming in all the time, and we needed it up and running as quickly as possible."
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
What does moving from one platform to the next involve for companies?
- Exporting all reports from the previous partner and adapting them to TerraTrue's structure
- Creating and adapting new vendor requests inside of TerraTrue
- Training team members and helping users learn the new system
As fast as possible? Check.
THE FINALE
Faster Reviews, Simpler Processes, and Employee Buy-in
After team training, the effects of switching to TerraTrue were substantial and measurable:
⏱️ Faster review times:
"We reduced our vendor review process timing because TerraTrue pulls all the stakeholders into one launch page that is easily accessible and gets the review going."
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
🎯 Employee buy-in:
"One of the outcomes is just employee confidence. People know where to go now.”
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
TerraTrue’s user-friendly interface makes it easier for Discogs’ team to keep the 🎵 music playing without constant emailing.
📋 Streamlined privacy reviews:
Users now have easier access to the privacy review process.
“If they want to use a new product or create a new feature on our website, they can actually just go in themselves, create the Launch with the Screener and the Data Spec, and then we just do the Privacy Worksheet. It's very approachable."
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
🚀 Speedy progress on compliance goals:
Moss completed privacy impact assessments for over half of their processing activities in TerraTrue, with a goal to complete all 95 in the coming quarter.
These improvements did not go unnoticed.
"Stakeholders clearly see a difference in how fast the review turnaround time is.”
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
KEY TAKEAWAYS FOR PRIVACY & COMPLIANCE LEADS
Efficiency, Communication, and Cross-Functional Collaboration
Moss and Discogs' experience switching from the traditional privacy solution to one that was tailored to their unique business is a wake-up call. Here are five actionable insights for privacy and security pros looking to improve their own operations and reduce clunky email processes:
1. Break down silos between privacy and vendor management
"If you have multiple teams involved in vendor onboarding or privacy, find a way to bring them all together.”
– Sam Moss, Privacy Program & Vendor Management Lead, Discogs
2. Prioritize user experience for better adoption
Simpler, more approachable tools lead to higher adoption rates across departments. When business users find a process easy to navigate, they're more likely to follow it correctly.
3. Measure what matters
Track specific metrics like review cycle times, risk levels, and completion rates to demonstrate the value of your privacy program to leadership. Discogs' reduction in timing for vendor reviews provided clear evidence of improvement.
4. Automate the repetitive aspects of compliance
Identify opportunities to automate routine assessments and determinations. As Moss noted, having TerraTrue automatically determine when a DPIA is needed "saves cognitive load" for privacy teams.
5. Focus on cross-functional collaboration
Make sure your privacy and vendor management processes include all relevant stakeholders. Discogs found that bringing finance, legal, and business teams into a single workflow improved efficiency and saved resources in the long run.
Discogs is proof that fragmented, email-heavy processes are a thing of the past for companies that want to secure their legacy for generations to come, backed by airtight privacy and compliance. And that’s 🎶 music to our ears…