Data processing systems for fulfilling data subject access requests and related methods

US 10,289,866 B2
Filed: 08/09/2018
Issued: 05/14/2019
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A privacy management computer system for receiving and facilitating the processing of data subject access requests via a webform, the system comprising:

one or more computer processors; and

computer memory storing instructions that are executed by the one or more computer processors, wherein the one or more computer processors are adapted for;

displaying a webform on a computer display, the webform being adapted to receive data subject access requests for processing;

receiving, via the webform, a data subject access request from a data subject access requestor;

automatically determining a type of the data subject access request, the determined type of data subject access request being selected from a group consisting of;

(1) a request to delete personal data of the requestor that is being stored by a particular organization;

(2) a request to provide, to the requestor, personal data of the requestor that is being stored by the particular organization;

(3) a request to update personal data of the requestor that is being stored by the particular organization; and

(4) a request to opt out of having the particular organization use the requestor'"'"'s personal information in one or more particular ways;

determining, based at least partially on the determined type of data subject access request, an authentication methodology that is to be used to verify the requestor'"'"'s identity before the system facilitates completion of the data subject access request;

using the determined type of authentication methodology to verify the requestor'"'"'s identity; and

at least partially in response to verifying the requestor'"'"'s identity via the determined type of authentication methodology, executing at least one processing step to advance the completion of the data subject access request, wherein the one or more computer processors are adapted for;

at least partially in response to determining that the type of data subject access request is a request to delete personal data of the requestor that is being stored by the organization;

(A) requiring the requestor to input a first predetermined number of types of information to authenticate the requestor, (B) using each of the first predetermined number of types of information to authenticate the requestor, and (C) after authenticating the requestor, fulfilling the request to delete personal data; and

at least partially in response to determining that the type of data subject access request is a request to provide, to the requestor, personal data of the requestor that is being stored by the organization;

(A) requiring the requestor to input a second predetermined number of types of information to authenticate the requestor, (B) using each of the second predetermined number of types of information to authenticate the requestor, and (C) after authenticating the requestor, fulfilling the request to provide personal data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A privacy management system that is adapted for, in the course of processing a particular data subject access request, automatically determining a type of the data subject access request, such as: (1) a request to delete personal data of the requestor that is being stored by a particular organization; (2) a request to provide, to the requestor, personal data of the requestor that is being stored by the particular organization; (3) a request to update personal data of the requestor that is being stored by the particular organization; and (4) a request to opt out of having the particular organization use the requestor'"'"'s personal information in one or more particular ways. After making this determination, the system may determine, based on the determined type of data subject access request, a particular workflow to follow in processing the data subject access request, and then execute the determined workflow.

560 Citations

16 Claims

1. A privacy management computer system for receiving and facilitating the processing of data subject access requests via a webform, the system comprising:
- one or more computer processors; and
  
  computer memory storing instructions that are executed by the one or more computer processors, wherein the one or more computer processors are adapted for;
  
  displaying a webform on a computer display, the webform being adapted to receive data subject access requests for processing;
  
  receiving, via the webform, a data subject access request from a data subject access requestor;
  
  automatically determining a type of the data subject access request, the determined type of data subject access request being selected from a group consisting of;
  
  (1) a request to delete personal data of the requestor that is being stored by a particular organization;
  
  (2) a request to provide, to the requestor, personal data of the requestor that is being stored by the particular organization;
  
  (3) a request to update personal data of the requestor that is being stored by the particular organization; and
  
  (4) a request to opt out of having the particular organization use the requestor'"'"'s personal information in one or more particular ways;
  
  determining, based at least partially on the determined type of data subject access request, an authentication methodology that is to be used to verify the requestor'"'"'s identity before the system facilitates completion of the data subject access request;
  
  using the determined type of authentication methodology to verify the requestor'"'"'s identity; and
  
  at least partially in response to verifying the requestor'"'"'s identity via the determined type of authentication methodology, executing at least one processing step to advance the completion of the data subject access request, wherein the one or more computer processors are adapted for;
  
  at least partially in response to determining that the type of data subject access request is a request to delete personal data of the requestor that is being stored by the organization;
  
  (A) requiring the requestor to input a first predetermined number of types of information to authenticate the requestor, (B) using each of the first predetermined number of types of information to authenticate the requestor, and (C) after authenticating the requestor, fulfilling the request to delete personal data; and
  
  at least partially in response to determining that the type of data subject access request is a request to provide, to the requestor, personal data of the requestor that is being stored by the organization;
  
  (A) requiring the requestor to input a second predetermined number of types of information to authenticate the requestor, (B) using each of the second predetermined number of types of information to authenticate the requestor, and (C) after authenticating the requestor, fulfilling the request to provide personal data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The privacy management computer system of claim 1, wherein the first predetermined number of types of information is greater than the second predetermined number of types of information.
  - 3. The privacy management computer system of claim 1, wherein requiring the requestor to input a first predetermined number of types of information to authenticate the requestor comprises requiring the request to transmit a copy of an ID for the requestor for processing by the system.
  - 4. The privacy management computer system of claim 1, wherein requiring the requestor to input a first predetermined number of types of information to authenticate the requestor comprises requiring the requestor to transmit a copy of a particular legal document for processing by the system.
  - 5. The privacy management computer system of claim 1, wherein determining the authentication methodology that is to be used to verify the requestor'"'"'s identity comprises one or more steps that are based, at least in part, on one or more applicable laws or regulations.
  - 6. The privacy management computer system of claim 1, wherein the at least one processing step comprises automatically deleting personal data for the requestor.
  - 7. The privacy management computer system of claim 6, wherein the at least one processing step comprises automatically deleting at least substantially all of the personal data for the requestor that is being stored by the particular organization.
  - 8. The privacy management computer system of claim 7, wherein the one or more computer processors are adapted for, before automatically deleting at least substantially all of the personal data for the requestor that is being stored by the particular organization, using at least one data model to automatically identify at least a portion of the personal data.

9. A computer-implemented method for receiving and facilitating the processing of data subject access requests, the method comprising:
- receiving, by at least one computer processor, a data subject access request from a data subject access requestor;
  
  automatically determining, by at least one computer processor, a type of the data subject access request, the determined type of data subject access request being selected from a group consisting of;
  
  (1) a request to delete personal data of the requestor that is being stored by a particular organization;
  
  (2) a request to provide, to the requestor, personal data of the requestor that is being stored by the particular organization;
  
  (3) a request to update personal data of the requestor that is being stored by the particular organization; and
  
  (4) a request to opt out of having the particular organization use the requestor'"'"'s personal information in on or more particular ways;
  
  determining, by at least one processor, based at least partially on the determined type of data subject access request, a workflow that is to be used to process the request; and
  
  after determining the workflow, facilitating, by at least one processor, the processing of the request via the computer-implemented workflow, wherein;
  
  the computer-implemented workflow comprises one or more steps for validating the identity of an individual; and
  
  the computer-implemented method comprises;
  
  at least partially in response to determining that the type of data subject access request is a request to delete personal data of the requestor that is being stored by the organization;
  
  (1) requiring, as part of the computer-implemented workflow, the requestor to input a first predetermined number of types of information to authenticate the requestor, (2) using each of the first predetermined number of types of information to authenticate the requestor, and (3) after authenticating the requestor, executing the request to delete personal data; and
  
  at least partially in response to determining that the type of data subject access request is a request to provide, to the requestor, personal data of the requestor that is being stored by the organization;
  
  (1) requiring, as part of the computer-implemented workflow, the requestor to input a second predetermined number of types of information to authenticate the requestor, (2) using each of the second predetermined number of types of information to authenticate the requestor;
  
  (3) after authenticating the requestor, executing the request to provide personal data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the first predetermined number of types of information is greater than the second predetermined number of types of information.
  - 11. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the workflow is a workflow that specifies, based at least partially on the determined type of data subject access request, how many different pieces of authentication information the system should require to validate the identity of the individual before the system facilitates completion of the data subject access request.
  - 12. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the workflow is a workflow that specifies, based at least partially on the determined type of data subject access request, that the system will automatically process the data subject access request.
  - 13. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the workflow is a workflow that specifies, based at least partially on the determined type of data subject access request, that the system will facilitate at least a partial manual processing of the data subject access request.
  - 14. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the workflow is a computer-implemented workflow for automatically deleting personal data for the requestor.
  - 15. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the workflow is a computer-implemented workflow for automatically deleting at least substantially all of the personal data for the requestor on one or more computer systems of the particular organization.
  - 16. The computer-implemented method for receiving and facilitating the processing of data subject access requests of claim 9, wherein the workflow comprises completing the data subject access request on an expedited basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Sabourin, Jason L., Brannon, Jonathan Blake, Karanjkar, Mihir S., Jones, Kevin
Primary Examiner(s)
Dolly, Kendall

Application Number

US16/059,911
Publication Number

US 20180365444A1
Time in Patent Office

278 Days
Field of Search
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 21/552   involving long-term monitor...

G06F 21/6245   Protecting personal data, e...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/53   using third party service p...

Data processing systems for fulfilling data subject access requests and related methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

560 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems for fulfilling data subject access requests and related methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

560 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links