Data processing systems for identity validation of data subject access requests and related methods

US 10,416,966 B2
Filed: 08/06/2018
Issued: 09/17/2019
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for responding to a data subject access request, the computer-implemented data processing method comprising:

receiving a data subject access request from a requestor that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with an identified data subject that the particular organization has obtained on the identified data subject,wherein at least one of the one or more pieces of personal data associated with the identified data subject was not provided to the particular organization by the identified data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;

a first type of data subject access request that requires a first number of identity validation methods, anda second type of data subject access request that requires a second number of identity validation methods, wherein the first number of identity validation methods is different than the second number of identity validation methods;

in response to receiving the data subject access request from the requestor, determining a number of identity validation methods required based at least in part on the type of data subject access request;

validating an identity of the requestor, based at least in part on the determined number of identity validation methods required, by prompting the requestor to identify information associated with the identified data subject, wherein validating the identity of the requestor further comprises;

accessing, via one or more computer networks, one or more third-party data aggregation systems;

determining, based at least in part on data information received via the one or more third-party data aggregation systems, that the identified data subject exists; and

in response to determining that the identified data subject exists, confirming, based at least in part on the data information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is the identified data subject;

in response to validating the identity of the requestor, processing the request by automatically identifying one or more pieces of personal data associated with the identified data subject, wherein the one or more pieces of personal data are stored in one or more data repositories associated with the particular organization; and

in response to automatically identifying the one or more pieces of personal data associated with the identified data subject, taking the one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to automatically identifying the one or more pieces of personal data associated with the identified data subject.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, a computer-implemented data processing method for responding to a data subject access request comprises: (A) receiving a data subject access request from a requestor comprising one or more request parameters; (B) validating an identity of the requestor by prompting the requestor to identify information associated with the requestor; (C) in response to validating the identity of the requestor, processing the request by identifying one or more pieces of personal data associated with the requestor, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and (D) taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data.

452 Citations

18 Claims

1. A computer-implemented data processing method for responding to a data subject access request, the computer-implemented data processing method comprising:
- receiving a data subject access request from a requestor that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with an identified data subject that the particular organization has obtained on the identified data subject,wherein at least one of the one or more pieces of personal data associated with the identified data subject was not provided to the particular organization by the identified data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;
  
  a first type of data subject access request that requires a first number of identity validation methods, anda second type of data subject access request that requires a second number of identity validation methods, wherein the first number of identity validation methods is different than the second number of identity validation methods;
  
  in response to receiving the data subject access request from the requestor, determining a number of identity validation methods required based at least in part on the type of data subject access request;
  
  validating an identity of the requestor, based at least in part on the determined number of identity validation methods required, by prompting the requestor to identify information associated with the identified data subject, wherein validating the identity of the requestor further comprises;
  
  accessing, via one or more computer networks, one or more third-party data aggregation systems;
  
  determining, based at least in part on data information received via the one or more third-party data aggregation systems, that the identified data subject exists; and
  
  in response to determining that the identified data subject exists, confirming, based at least in part on the data information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is the identified data subject;
  
  in response to validating the identity of the requestor, processing the request by automatically identifying one or more pieces of personal data associated with the identified data subject, wherein the one or more pieces of personal data are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the identified data subject, taking the one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to automatically identifying the one or more pieces of personal data associated with the identified data subject.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented data processing method of claim 1, wherein confirming that the requestor is the identified data subject further comprises:
    - generating, based at least in part on the data information received via the one or more third-party data aggregation systems, at least one threshold identity confirmation question;
      
      prompting the requestor to provide a response to the at least one threshold identity confirmation question; and
      
      comparing the response to the data information received via the one or more third-party data aggregation systems to validate the identity of the requestor.
  - 3. The computer-implemented data processing method of claim 1, wherein validating the identity of the requestor further comprises:
    - prompting the requestor to provide one or more additional pieces of information associated with the identified data subject in order to validate the identity of the requestor;
      
      receiving the one or more additional pieces of information associated with the identified data subject from the requestor; and
      
      comparing the one or more additional pieces of information associated with the identified data subject received from the requestor to corresponding data information accessed via the one or more third-party data aggregation systems in order to validate the identity of the requestor.
  - 4. The computer-implemented data processing method of claim 3, wherein prompting the requestor to provide one or more additional pieces of information associated with the identified data subject in order to validate the identity of the requestor further comprises:
    - generating a secure link between one or more processors associated with validating the identity of the requestor and a computing device associated with the requestor to prevent outside access to the one or more additional pieces of information associated with the identified data subject provided by the requestor;
      
      receiving, via the secure link, the one or more additional pieces of information associated with the identified data subject provided by the requestor; and
      
      digitally storing the one or more additional pieces of information associated with the identified data subject provided by the requestor.
  - 5. The computer-implemented data processing method of claim 3, wherein the one or more additional pieces of information associated with the identified data subject provided by the requestor is one or more images provided by the requestor via the computing device associated with the requestor.
  - 6. The computer-implemented data processing method of claim 1, wherein the first type of data subject access request is a data subject'"'"'s rights request and the second type of data subject access request is a data subject deletion request.
  - 7. The computer-implemented data processing method of claim 1, wherein the requestor is a requesting business.
  - 8. The computer-implemented data processing method of claim 7, wherein validating the identity of the requestor further comprises using one or more company validation techniques, and wherein the one or more company validation techniques is selected from a group consisting of:
    - validating a vendor contract;
      
      receiving a matching unique identifier provided by an organization receiving the data subject access request to the requesting business;
      
      receiving a matching file in possession of both the requesting business and the organization receiving the data subject access request; and
      
      receiving a document memorializing an association between the requesting business and the organization receiving the data subject access request.

9. A computer-implemented data processing method for responding to a data subject access request, the computer-implemented data processing method comprising:
- receiving a data subject access request from a requestor that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with an identified data subject that the particular organization has obtained on the identified data subject,wherein at least one of the one or more pieces of personal data associated with the identified data subject was not provided to the particular organization by the identified data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;
  
  a first type of data subject access request that requires a first number of identity validation methods, anda second type of data subject access request that requires a second number of identity validation methods, wherein the first number of identity validation methods is different than the second number of identity validation methods;
  
  in response to receiving the data subject access request from the requestor, determining a number of identity validation methods required based at least in part on the type of data subject access request;
  
  validating an identity of the requestor, based at least in part on the determined number of identity validation methods required, by prompting the requestor to identify information associated with the identified data subject, wherein validating the identity of the requestor further includes;
  
  accessing, via one or more computer networks, one or more third-party data aggregation systems;
  
  determining, based at least in part on data information received via the one or more third-party data aggregation systems, that the identified data subject exists; and
  
  in response to determining that the identified data subject exists, confirming, based at least in part on the data information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is the identified data subject; and
  
  in response to validating the identity of the requestor, taking the one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to automatically identifying the one or more pieces of personal data associated with the identified data subject.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-implemented data processing method of claim 9, wherein confirming that the requestor is the identified data subject further comprises:
    - generating, based at least in part on the data information received via the one or more third-party data aggregation systems, at least one threshold identity confirmation question;
      
      prompting the requestor to provide a response to the at least one threshold identity confirmation question; and
      
      comparing the response to the data information received via the one or more third-party data aggregation systems to validate the identity of the requestor.
  - 11. The computer-implemented data processing method of claim 9, wherein validating the identity of the requestor further comprises:
    - prompting the requestor to provide one or more additional pieces of information associated with the identified data subject in order to validate the identity of the requestor;
      
      receiving the one or more additional pieces of information associated with the identified data subject from the requestor; and
      
      comparing the one or more additional pieces of information associated with the identified data subject received from the requestor to corresponding data information accessed via the one or more third-party data aggregation systems in order to validate the identity of the requestor.
  - 12. The computer-implemented data processing method of claim 11, wherein prompting the requestor to provide one or more additional pieces of information associated with the identified data subject in order to validate the identity of the requestor further comprises:
    - generating a secure link between one or more processors associated with validating the identity of the requestor and a computing device associated with the requestor to prevent outside access to the one or more additional pieces of information associated with the identified data subject provided by the requestor;
      
      receiving, via the secure link, the one or more additional pieces of information associated with the identified data subject provided by the requestor; and
      
      digitally storing the one or more additional pieces of information associated with the identified data subject provided by the requestor.
  - 13. The computer-implemented data processing method of claim 11, wherein the one or more additional pieces of information associated with the identified data subject provided by the requestor is one or more images provided by the requestor via the computing device associated with the requestor.
  - 14. The computer-implemented data processing method of claim 9, wherein the first type of data subject access request is a data subject'"'"'s rights request and the second type of data subject access request is a data subject deletion request.

15. A computer-implemented data processing method for responding to a data subject access request, the computer-implemented data processing method comprising:
- receiving a data subject access request from a requestor that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with an identified data subject that the particular organization has obtained on the identified data subject,wherein at least one of the one or more pieces of personal data associated with the identified data subject was not provided to the particular organization by the identified data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;
  
  a first type of data subject access request that requires a first number of identity validation methods, anda second type of data subject access request that requires a second number of identity validation methods, wherein the first number of identity validation methods is different than the second number of identity validation methods;
  
  in response to receiving the data subject access request from the requestor, determining a number of identity validation methods required based at least in part on the type of data subject access request;
  
  validating an identity of the requestor, based at least in part on the determined number of identity validation methods required, by prompting the requestor to identify information associated with the identified data subject, wherein validating the identity of the requestor further comprises;
  
  accessing, via one or more computer networks, one or more third-party data aggregation systems;
  
  determining, based at least in part on data information received via the one or more third-party data aggregation systems, that the identified data subject exists; and
  
  in response to determining that the identified data subject exists, confirming, based at least in part on the data information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is the identified data subject;
  
  in response to validating the identity of the requestor, automatically identifying, by one or more computer processors, one or more pieces of personal data associated with the identified data subject, wherein the one or more pieces of personal data associated with the identified data subject are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying, by the one or more computer processors, the one or more pieces of personal data associated with the identified data subject, automatically facilitating deletion of the one or more pieces of personal data associated with the identified data subject being stored in the one or more data repositories associated with the particular organization.
- View Dependent Claims (16, 17, 18)
- - 16. The computer-implemented data processing method of claim 15, wherein validating the identity of the requestor further comprises:
    - prompting the requestor to provide one or more additional pieces of information associated with the identified data subject in order to validate the identity of the requestor;
      
      receiving the one or more additional pieces of information associated with the identified data subject from the requestor; and
      
      comparing the one or more additional pieces of information associated with the identified data subject received from the requestor to corresponding data information accessed via the one or more third-party data aggregation systems in order to validate the identity of the requestor.
  - 17. The computer-implemented data processing method of claim 16, wherein prompting the requestor to provide one or more additional pieces of information associated with the identified data subject in order to validate the identity of the requestor further comprises:
    - generating a secure link between one or more processors associated with validating the identity of the requestor and a computing device associated with the requestor to prevent outside access to the one or more additional pieces of information associated with the identified data subject provided by the requestor;
      
      receiving, via the secure link, the one or more additional pieces of information associated with the identified data subject provided by the requestor; and
      
      digitally storing the one or more additional pieces of information associated with the identified data subject provided by the requestor.
  - 18. The computer-implemented data processing method of claim 15, wherein the requestor is a requesting business and validating the identity of the requestor further comprises using one or more company validation techniques, and wherein the one or more company validation techniques is selected from a group consisting of:
    - validating a vendor contract;
      
      receiving a matching unique identifier provided by an organization receiving the data subject access request to the requesting business;
      
      receiving a matching file in possession of both the requesting business and the organization receiving the data subject access request; and
      
      receiving a document memorializing an association between the requesting business and the organization receiving the data subject access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Sabourin, Jason L., Brannon, Jonathan Blake, Karanjkar, Mihir S., Jones, Kevin
Primary Examiner(s)
Chen, Qing

Application Number

US16/055,961
Publication Number

US 20180373890A1
Time in Patent Office

407 Days
Field of Search

717100-103, 726 2- 21
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 21/31   User authentication

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2103   Challenge-response

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 8/20   Software design

H04L 63/102   Entity profiles

Data processing systems for identity validation of data subject access requests and related methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

452 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems for identity validation of data subject access requests and related methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

452 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links