Data processing systems and methods for generating personal data inventories for organizations and other entities

US 10,026,110 B2
Filed: 06/10/2017
Issued: 07/17/2018
Est. Priority Date: 04/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for automatically generating an inventory of personal data stored by a particular organization, the data processing method comprising, for each of a plurality of particular privacy campaigns:

presenting, on one or more computer user interfaces, a plurality of prompts for the input of data mapping data related to the particular privacy campaign, wherein each of the plurality of particular privacy campaigns utilizes personal data collected from one or more persons or one or more entities;

electronically receiving the data mapping data via input by one or more users, wherein the data mapping data comprises;

a descriptor of the particular privacy campaign;

an identification of one or more types of particular personal data to be acquired or used during the privacy campaign;

data indicating one or more locations in computer memory where the particular personal data is to be stored; and

data identifying one or more particular types of individuals who will have access to the particular personal data;

processing the data mapping data by electronically associating the data mapping data with a record for the particular privacy campaign;

digitally storing, in memory, the data mapping data associated with the record for the particular campaign;

determining, based at least in part on the data mapping data, a risk value associated with the privacy campaign, wherein determining the risk value comprises;

electronically retrieving, from memory, the data mapping data associated with the record for the privacy campaign;

electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of the risk factors comprises;

the descriptor of the particular privacy campaign;

the identification of one or more type of particular personal data to be acquired or used during the privacy campaign;

the data indicating one or more locations in computer memory where the particular personal data is to be store; and

the data identifying one or more particular types of individual who will have access to the particular personal data;

electronically determining a relative risk rating for each of the plurality of risk factors; and

electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and

storing the risk value in computer memory,wherein the computer-implemented data processing method further comprises;

receiving, via a user interface, a request to generate an inventory of personal data for the particular organization; and

in response to receiving the request, generating the requested inventory of personal data for the particular organization, wherein the requested inventory comprises the data mapping data for each of the plurality of particular privacy campaigns.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing systems and methods, according to various embodiments, are configured for generating personal data inventories for an organization by: (1) conducting, by one or more computer processors, privacy impact assessments for each of the organization'"'"'s new business initiatives, the privacy impact assessments including both data-mapping and non-data-mapping questions; (2) flagging, by one or more computer processors, any data-mapping questions within the privacy impact assessments as data mapping questions; and (3) generating, one or more computer processors, personal data inventories on-demand based on the flagged data-mapping data.

134 Citations

23 Claims

1. A computer-implemented data processing method for automatically generating an inventory of personal data stored by a particular organization, the data processing method comprising, for each of a plurality of particular privacy campaigns:
- presenting, on one or more computer user interfaces, a plurality of prompts for the input of data mapping data related to the particular privacy campaign, wherein each of the plurality of particular privacy campaigns utilizes personal data collected from one or more persons or one or more entities;
  
  electronically receiving the data mapping data via input by one or more users, wherein the data mapping data comprises;
  
  a descriptor of the particular privacy campaign;
  
  an identification of one or more types of particular personal data to be acquired or used during the privacy campaign;
  
  data indicating one or more locations in computer memory where the particular personal data is to be stored; and
  
  data identifying one or more particular types of individuals who will have access to the particular personal data;
  
  processing the data mapping data by electronically associating the data mapping data with a record for the particular privacy campaign;
  
  digitally storing, in memory, the data mapping data associated with the record for the particular campaign;
  
  determining, based at least in part on the data mapping data, a risk value associated with the privacy campaign, wherein determining the risk value comprises;
  
  electronically retrieving, from memory, the data mapping data associated with the record for the privacy campaign;
  
  electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of the risk factors comprises;
  
  the descriptor of the particular privacy campaign;
  
  the identification of one or more type of particular personal data to be acquired or used during the privacy campaign;
  
  the data indicating one or more locations in computer memory where the particular personal data is to be store; and
  
  the data identifying one or more particular types of individual who will have access to the particular personal data;
  
  electronically determining a relative risk rating for each of the plurality of risk factors; and
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and
  
  storing the risk value in computer memory,wherein the computer-implemented data processing method further comprises;
  
  receiving, via a user interface, a request to generate an inventory of personal data for the particular organization; and
  
  in response to receiving the request, generating the requested inventory of personal data for the particular organization, wherein the requested inventory comprises the data mapping data for each of the plurality of particular privacy campaigns.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented data processing method of claim 1, wherein the method further comprises electronically flagging one or more of the plurality of prompts as a prompt requesting data mapping data.
  - 3. The computer-implemented data processing method of claim 2, wherein the electronically flagged one or more of the plurality of prompts prompt a user to input data mapping data for the particular privacy campaign.
  - 4. The computer-implemented method of claim 1, wherein each of the plurality of prompts for input of data mapping data includes a respective unique identifier to associate its respective prompt with a respective category of data mapping data selected from a group consisting of:
    - campaign description;
      
      type of personal data;
      
      time period for storage of the personal data; and
      
      storage location of personal data.
  - 5. The computer-implemented method of claim 1, further comprising automatically configuring the plurality of prompts for the input of data mapping data based on a selection of a particular template from one or more templates.
  - 6. The computer-implemented method of claim 5, wherein the particular template of the one or more templates is selected based on a type of the particular privacy campaign.

7. A computer-implemented data processing method for automatically generating an inventory of personal data stored by a particular organization, the data processing method comprising:
- for each of a plurality of particular privacy campaigns, wherein each of the plurality of particular privacy campaigns utilizes personal data collected from one or more persons or one or more entities;
  
  receiving, via a computer user interface, a command to create an electronic record for the particular privacy campaign;
  
  in response to receiving the command, creating an electronic record for the particular privacy campaign and digitally storing the record in memory;
  
  presenting, on one or more computer user interfaces, a plurality of prompts for the input of data mapping data related to the privacy campaign;
  
  electronically receiving data mapping data input by one or more users, wherein the data mapping data comprises;
  
  a description of the privacy campaign;
  
  an identification of one or more types of particular personal data related to the privacy campaign;
  
  data identifying a particular type of subject from which the personal data was collected;
  
  data indicating one or more locations in computer memory where the personal data is to be stored; and
  
  data identifying one or more particular types of individual who will have access to the particular personal data;
  
  processing the data mapping data by electronically associating the data mapping data with the record for the particular privacy campaign; and
  
  digitally storing, in memory, the data mapping data associated with the record for the particular campaign;
  
  determining, based at least in part on the data mapping data, a risk value associated with the privacy campaign, wherein determining the risk value comprises;
  
  electronically retrieving, from memory, the data mapping data associated with the record for the privacy campaign;
  
  electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;
  
  the identification of one or more types of particular personal data related to the privacy campaign;
  
  the data identifying a particular type of subject from which the personal data was collected; and
  
  the data indicating one or more locations in computer memory where the particular personal data is to be stored,electronically determining a relative risk rating for each of the plurality of risk factors;
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor;
  
  storing the risk value in computer memory;
  
  receiving a request, from a user, to display an inventory of personal data for the particular organization that includes the data mapping data for each of the plurality of particular campaigns; and
  
  in response to receiving the request to display the inventory of personal data for the particular organization that includes the data mapping data for each of the plurality of particular campaigns, displaying, on a display screen, the inventory of personal data for the particular organization.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The computer-implemented data processing method of claim 7, further comprising:
    - storing the plurality of prompts for the input of data mapping data among a plurality of user selection tabs for presentation of the plurality of prompts for the input of data mapping data along with one or more different prompts for non-data mapping data input; and
      
      upon selection of each respective one of the plurality of user selection tabs, initiating a presentation of a different respective computer user interface that presents the plurality of prompts for the input of data mapping data along with the one or more different prompts for input of non-data mapping data that correspond to the selected user selection tab.
  - 9. The computer-implemented data processing method of claim 7, further comprising:
    - upon selection of a particular user selection tab, presenting a computer user interface that includes each of the plurality of prompts for the input of data mapping data.
  - 10. The computer-implemented data processing method of claim 7, wherein the method further comprises electronically flagging one or more of the plurality of prompts as a prompt requesting data mapping data.
  - 11. The computer-implemented data processing method of claim 10, wherein the electronically flagged one or more of the plurality of prompts prompt a user to input data mapping data for the particular privacy campaign.
  - 12. The computer-implemented method of claim 7, wherein each of the plurality of prompts for input of data mapping data includes a respective unique identifier to associate its respective prompt with a respective category of data mapping data selected from a group consisting of:
    - campaign description;
      
      type of personal data;
      
      time period for storage of the personal data;
      
      affirmation that collection of one or more types of personal data is required for the campaign;
      
      storage location of personal data; and
      
      individuals who will have access to the personal data.
  - 13. The computer-implemented method of claim 7, further comprising automatically configuring the plurality of prompts for the input of data mapping data based on a selection of a particular template from one or more templates.
  - 14. The computer-implemented method of claim 13, wherein the particular template of the one or more templates is selected based on a type of the particular privacy campaign.

15. A computer-implemented data processing method for embedding a subset of prompts for information describing data mapping data in a set of prompts that comprises a plurality of prompts for information describing non-data mapping data in relation to a privacy campaign for a particular organization, the data processing method comprising:
- electronically receiving, by one or more computer processors, a request to initiate the privacy campaign, wherein the privacy campaign utilizes personal data collected from one or more persons or one or more entities;
  
  initiating, by one or more computer processors, a privacy impact assessment in response to the request to initiate the privacy campaign, the privacy impact assessment including a plurality of prompts requesting non-data mapping data, wherein the non-data mapping data is data that is not selected from a group consisting of;
  
  a descriptor of the particular privacy campaign;
  
  one or more types of personal data to be acquired or used during the privacy campaign;
  
  one or more locations in computer memory where personal data is stored; and
  
  identifying information for one or more individuals who will have access to the personal data;
  
  embedding a subset of prompts for information requesting data mapping data in a set of prompts that comprises the plurality of prompts requesting non-data mapping data, wherein the data mapping data comprises at least one of a group of data consisting of;
  
  a descriptor of the particular privacy campaign;
  
  one or more types of personal data to be acquired or used during the privacy campaign;
  
  one or more locations in computer memory where personal data is stored; and
  
  identifying information for one or more individuals who will have access to the personal data;
  
  generating, by one or more computer processors, the privacy impact assessment to be provided on one or more computer user interfaces, the privacy impact assessment including the plurality of prompts for information requesting non-data mapping data and the subset of prompts requesting data mapping data;
  
  displaying, by one or more computer processors, the privacy impact assessment, via one or more computer user interfaces, in order to facilitate the input of privacy data in response to the plurality of prompts for information describing non-data mapping data and the subset of prompts for information describing data mapping data;
  
  receiving a response to the privacy impact assessment by receiving input of privacy data mapping data in response to the plurality of prompts for information describing non-data mapping data and the subset of prompts for information describing data mapping data;
  
  digitally storing, in memory, both the input of non-data mapping data and the input of data mapping data;
  
  determining, based at least in part on the data mapping data, a risk value associated with the privacy campaign, wherein determining the risk value comprises;
  
  electronically retrieving, from memory, the data mapping data associated with the privacy campaign;
  
  electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;
  
  the one or more types of personal data to be acquired or used during the privacy campaign; and
  
  the one or more locations in computer memory where personal data is stored;
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and
  
  digitally storing, in computer memory, the risk value for the privacy campaign.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented data processing method of claim 15, wherein the step of generating the privacy impact assessment comprises electronically flagging each of a subset of the prompts as a prompt that requests data mapping data.
  - 17. The computer-implemented data processing method of claim 16, further comprising:
    - receiving, via a user interface, a request to automatically generate an inventory of personal data for the particular organization;
      
      in response to receiving the request, retrieving the input of data mapping data, wherein the retrieving is performed based on identifying the subset of prompts for information describing data mapping data that were electronically flagged; and
      
      generating the requested inventory of personal data for the particular organization, wherein;
      
      the requested inventory comprises at least the data mapping data for each of one or more privacy campaigns for the particular organization.
  - 18. The computer-implemented method of claim 15, wherein each of the prompts of the subset of prompts for information requesting data mapping data includes a respective unique identifier to associate its respective prompt with a respective category of data mapping data selected from a group consisting of:
    - campaign description;
      
      type of personal data;
      
      time period for storage of the personal data;
      
      affirmation that collection of one or more types of personal data is required for the campaign;
      
      storage location of personal data; and
      
      individuals who will have access to the personal data.
  - 19. The computer-implemented data processing method of claim 15, wherein upon display of the privacy impact assessment, the method further comprises:
    - storing the plurality of prompts for the input of data mapping data among a plurality of user selection tabs for presentation of the plurality of prompts for the input of data mapping data along with one or more different prompts for non-data mapping data input; and
      
      upon selection of each respective one of the plurality of user selection tabs, initiating a presentation of a different respective computer user interface that presents the plurality of prompts for the input of data mapping data along with the one or more different prompts for input of non-data mapping data that correspond to the selected user selection tab.
  - 20. The computer-implemented data processing method of claim 15, wherein upon display of the privacy impact assessment, the method further comprises:
    - upon selection of a particular user selection tab displayed in the privacy impact assessment, presenting a computer user interface that includes each of the plurality of prompts for the input of data mapping data.

21. A computer-implemented data processing method for automatically generating a privacy impact assessment template for a privacy campaign, the data processing method comprising:
- receiving, by one or more computer processors, template design data, the template design data comprising a plurality of prompts for input for use in a template of privacy impact assessment questions, the plurality of prompts for input comprising;
  
  one or more prompts for an input of data mapping data; and
  
  one or more prompts for an input of non-data-mapping data;
  
  at least partially in response to receiving the template design data, generating a privacy impact assessment template for the privacy campaign that includes both;
  
  (A) the one or more prompts for an input of data mapping data; and
  
  (B) the one or more prompts for an input of non-data mapping data, wherein the data mapping data comprises;
  
  a description of the privacy campaign;
  
  an identification of one or more types of particular personal data related to the privacy campaign;
  
  data indicating one or more locations in computer memory where the personal data is to be stored; and
  
  data identifying one or more particular types of individual who will have access to the particular personal data;
  
  flagging, in computer memory, each of the one or more prompts for input of data mapping data as a data mapping question;
  
  communicating the privacy impact assessment template to one or more users;
  
  after communicating the privacy impact assessment template to one or more users, receiving respective answer data from the one or more users in response to;
  
  (A) each of the one or more prompts for input of data mapping data; and
  
  (B) each of the one or more prompts for input of non-data mapping data;
  
  saving the answer data to computer memory in association with the privacy campaign so that each respective answer is associated in computer memory with its respective question as a question/answer pairing;
  
  determining, based at least in part on the answer data for the one or more prompts for input of data mapping data, a risk value associated with the privacy campaign, wherein determining the risk value comprises;
  
  electronically retrieving, from memory, the answer data, associated with the privacy campaign, for the one or more prompts for input of data mapping data;
  
  electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;
  
  data indicating one or more locations in computer memory wherein the personal data is the be stored; and
  
  data identifying one or more particular types of individuals who will have access to the particular personal data;
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and
  
  digitally storing the risk value associated with the privacy campaign.
- View Dependent Claims (22, 23)
- - 22. The computer-implemented data processing method of claim 21, wherein a privacy officer associated with the particular organization provides the template design data.
  - 23. The computer-implemented data processing method of claim 21, further comprising:
    - after saving the answer data to computer memory, receiving a request to generate a personal data inventory for the particular organization;
      
      at least partially in response to receiving the request to generate the personal data inventory;
      
      using the flagged status of each of the one or more prompts for input of data mapping data to identify the one or more prompts for input of data mapping data as data mapping questions;
      
      in response to identifying at least a particular one of the prompts for input of data mapping data as a data mapping question, determining to include a particular one of the plurality of saved question/answer pairings that corresponds to the particular prompt for data mapping data in the personal data inventory; and
      
      generating the personal data inventory so that the personal data inventory includes the particular saved question/answer pairing that corresponds to the particular prompt for data mapping data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A.
Primary Examiner(s)
Ouellette, Jonathan P

Application Number

US15/619,469
Publication Number

US 20170287035A1
Time in Patent Office

402 Days
Field of Search

705 11-912
US Class Current
CPC Class Codes

G06Q 10/063114   Status monitoring or status...

G06Q 30/0609   Buyer or seller confidence ...

G06Q 50/265   Personal security, identity...

Data processing systems and methods for generating personal data inventories for organizations and other entities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

134 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems and methods for generating personal data inventories for organizations and other entities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links