Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments

US 10,423,996 B2
Filed: 12/31/2018
Issued: 09/24/2019
Est. Priority Date: 04/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for efficiently conducting privacy risk assessments for a plurality of privacy campaigns, the method comprising, for each of the plurality of privacy campaigns:

presenting, by one or more processors, a threshold privacy assessment to a user that includes a first set of one or more questions for a first plurality of question/answer pairings that identify one or more privacy characteristics of a particular privacy campaign;

receiving, by one or more processors, respective answers for the first plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign;

determining, by one or more processors, a threshold privacy risk score for the particular privacy campaign that identifies a level of risk for one or more of the privacy characteristics indicated in the first plurality of question/answer pairings;

comparing, by one or more processors, the threshold privacy risk score to a threshold privacy risk value, the threshold privacy risk value indicating a pre-determined level of risk regarding the one or more privacy characteristics of the particular privacy campaign;

determining, by one or more processors, whether the threshold privacy risk score exceeds the threshold privacy risk value;

in response to determining that the threshold privacy risk score exceeds the threshold privacy risk value, performing, by one or more processors, an advanced privacy impact assessment that includes one or more steps in addition to steps performed during the threshold privacy assessment, wherein the one or more steps in addition to steps performed during the threshold privacy assessment comprise;

presenting, by one or more processors, a second threshold privacy assessment to a user that includes a second set of one or more questions for a second plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign,receiving, by one or more processors, respective answers for the second plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign,determining a respective weighting factor for each of the second plurality of question/answer pairings,determining a respective relative risk rating for each of the second plurality of question/answer pairings,determining a second privacy risk score based upon, for each of the second plurality of question/answer pairings, the respective relative risk rating and the respective weighting factor, andelectronically associating the second privacy risk score with the particular privacy campaign; and

in response to determining that the threshold privacy risk score does not exceed the threshold privacy risk value, storing, by one or more processors, an indication that the particular privacy campaign is a low privacy risk campaign.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing computer systems, in various embodiments, are adapted for: (1) presenting a threshold privacy assessment that includes a first set of privacy-related questions for a privacy campaign; (2) receiving respective answers to the first set of questions; (3) using this initial set of answers to calculate an initial privacy risk score for the privacy campaign; (4) determining whether the privacy risk score exceeds the threshold privacy risk value; (5) in response to the privacy risk score exceeding the threshold privacy risk value, providing one or more supplemental questions to the user to facilitate the completion of a full privacy impact assessment. In some embodiments, in response to determining that the privacy risk score does not exceed the threshold privacy risk value, the systems and methods provide an indication that the particular privacy campaign is a relatively low privacy campaign.

451 Citations

20 Claims

1. A computer-implemented data processing method for efficiently conducting privacy risk assessments for a plurality of privacy campaigns, the method comprising, for each of the plurality of privacy campaigns:
- presenting, by one or more processors, a threshold privacy assessment to a user that includes a first set of one or more questions for a first plurality of question/answer pairings that identify one or more privacy characteristics of a particular privacy campaign;
  
  receiving, by one or more processors, respective answers for the first plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, a threshold privacy risk score for the particular privacy campaign that identifies a level of risk for one or more of the privacy characteristics indicated in the first plurality of question/answer pairings;
  
  comparing, by one or more processors, the threshold privacy risk score to a threshold privacy risk value, the threshold privacy risk value indicating a pre-determined level of risk regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, whether the threshold privacy risk score exceeds the threshold privacy risk value;
  
  in response to determining that the threshold privacy risk score exceeds the threshold privacy risk value, performing, by one or more processors, an advanced privacy impact assessment that includes one or more steps in addition to steps performed during the threshold privacy assessment, wherein the one or more steps in addition to steps performed during the threshold privacy assessment comprise;
  
  presenting, by one or more processors, a second threshold privacy assessment to a user that includes a second set of one or more questions for a second plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign,receiving, by one or more processors, respective answers for the second plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign,determining a respective weighting factor for each of the second plurality of question/answer pairings,determining a respective relative risk rating for each of the second plurality of question/answer pairings,determining a second privacy risk score based upon, for each of the second plurality of question/answer pairings, the respective relative risk rating and the respective weighting factor, andelectronically associating the second privacy risk score with the particular privacy campaign; and
  
  in response to determining that the threshold privacy risk score does not exceed the threshold privacy risk value, storing, by one or more processors, an indication that the particular privacy campaign is a low privacy risk campaign.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented data processing method of claim 1, wherein the advanced privacy impact assessment comprises:
    - obtaining a copy of a software application used to collect or use sensitive user information as part of at least one of the plurality of privacy campaigns;
      
      automatically electronically analyzing, by one or more computer processors, the software application to determine one or more privacy-related attributes of the software application each of the privacy-related attributes indicating one or more types of personal information the software application collects or accesses;
      
      electronically displaying to an individual, by one or more computer processors, a list of the one or more privacy-related attributes of the software application;
      
      electronically displaying, by one or more computer processors, one or more prompts to the individual, wherein each prompt informs the user to input information regarding one or more particular attributes of the one or more privacy-related attributes; and
      
      communicating, by one or more computer processors, the information regarding the particular privacy-related attributes to one or more second individuals for use in conducting the advanced privacy impact assessment of the software application.
  - 3. The computer-implemented data processing method of claim 2 wherein the particular privacy-related attribute is that the software application collects information regarding the web browsing habits of users of the software application.
  - 4. The computer-implemented data processing method of claim 2, wherein the information regarding the one or more particular attributes comprises a reason that the software application has the one or more attributes.
  - 5. The computer-implemented data processing method of claim 1, wherein the threshold privacy risk score is determined by associating a respective weight for each question in the first set of one or more questions.
  - 6. The computer-implemented data processing method of claim 1, wherein determining the threshold privacy risk score for the particular campaign further comprises:
    - determining that a question in a particular question/answer pairing for the first plurality of question/answer pairings includes an answer, for the particular question/answer pairing, that provides a particular response; and
      
      in response to determining that the question in a particular question/answer pairing for the first plurality of question/answer pairings includes the answer, automatically determining that the threshold privacy risk score for the particular privacy campaign exceeds the threshold privacy risk value.
  - 7. The computer-implemented data processing method of claim 1, wherein, in further response to determining that the threshold privacy risk score exceeds the threshold privacy risk value, the method further comprises:
    - providing, by the one or more processors, a notification to one or more privacy officers associated with the privacy campaign to indicate that the threshold privacy risk score exceeds the threshold privacy risk value.
  - 8. The computer-implemented data processing method of claim 1, further comprising:
    - in response to determining that the threshold privacy risk score exceeds the threshold privacy risk value, providing, by the one or more processors, the privacy impact assessment to the user that includes a second set of questions for a second plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign;
      
      receiving, by the one or more processors, respective answers for the second plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign;
      
      determining, by the one or more processors, an updated privacy risk score for the particular privacy campaign that identifies a level of risk for one or more of the privacy characteristics indicated in the second plurality of question/answer pairings;
      
      comparing, by the one or more processors, the updated privacy risk score to the threshold privacy risk value, the threshold privacy risk value indicating a pre-determined level of risk regarding the one or more privacy characteristics of the particular privacy campaign;
      
      determining, by the one or more processors, whether the updated privacy risk score exceeds the threshold privacy risk value;
      
      in response to determining that the updated privacy risk score exceeds the threshold privacy risk value, providing, by the one or more processors, a notification to one or more privacy officers associated with the privacy campaign that the particular privacy campaign is a high privacy risk campaign; and
      
      in response to determining that the updated privacy risk score does not exceed the threshold privacy risk value, storing, by the one or more processors, the indication that the particular privacy campaign is a low privacy risk campaign.

9. A computer-implemented data processing method for efficiently conducting privacy risk assessments for a plurality of privacy campaigns, the method comprising, for each of the plurality of privacy campaigns:
- presenting, by one or more processors, a threshold privacy assessment to a user that includes a first set of one or more questions for a first plurality of question/answer pairings that identify one or more privacy characteristics of a particular privacy campaign of the plurality of privacy campaigns;
  
  receiving, by one or more processors, respective answers for the first plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, a threshold privacy risk score for the particular privacy campaign that identifies a level of risk for one or more of the privacy characteristics indicated in the question/answer pairings;
  
  comparing, by one or more processors, the threshold privacy risk score to a threshold privacy risk value, the threshold privacy risk value indicating a pre-determined level of risk regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, whether the threshold privacy risk score exceeds the threshold privacy risk value;
  
  providing, by one or more processors and to the one or more privacy officers, (1) a first selection option to initiate an advanced privacy impact assessment that includes one or more steps in addition to steps performed during the threshold privacy assessment; and
  
  (2) a second selection option to indicate that the particular privacy campaign is a low privacy risk campaign;
  
  in response to receiving an indication of selection of the first selection option by the one or more privacy officers, initiating, by one or more processors, the advanced privacy impact assessment, wherein the one or more steps in addition to steps performed during the threshold privacy assessment comprise;
  
  presenting, by one or more processors, a second threshold privacy assessment to a user that includes a second set of one or more questions for a second plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign,receiving, by one or more processors, respective answers for the second plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign,determining a respective weighting factor for each of the second plurality of question/answer pairings,determining a respective relative risk rating for each of the second plurality of question/answer pairings,determining a second privacy risk score based upon, for each of the second plurality of question/answer pairings, the respective relative risk rating and the respective weighting factor, andelectronically associating the second privacy risk score with the particular privacy campaign; and
  
  in response to receiving an indication of selection of the second selection option by the one or more privacy officers, storing, by one or more processors, an indication that the particular privacy campaign is a low privacy risk campaign.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer-implemented data processing method of claim 9, wherein the threshold privacy risk score is determined by associating a respective weight with each question in the first set of one or more questions.
  - 11. The computer-implemented data processing method of claim 9, wherein determining the threshold privacy risk score for the particular campaign further comprises:
    - determining that a question in a particular question/answer pairing for the first plurality of question/answer pairings includes an answer, for the particular question/answer pairing, that provides a particular response; and
      
      automatically determining that the threshold privacy risk score for the particular privacy campaign exceeds the threshold privacy risk value.
  - 12. The computer-implemented data processing method of claim 9, wherein, in further response to receiving the indication of selection of the first selection option by the one or more privacy officers, the method further comprises:
    - obtaining a copy of a software application used to collect or use sensitive user information as part of the particular privacy campaign;
      
      automatically electronically analyzing, by one or more computer processors, the software application to determine one or more privacy-related attributes of the software application each of the privacy-related attributes indicating one or more types of personal information the software application collects or accesses; and
      
      electronically displaying to one or more privacy officers, by one or more computer processors, a list of the one or more privacy-related attributes of the software application.
  - 13. The computer-implemented data processing method of claim 12, wherein, in further response to receiving the indication of selection of the first selection option by the one or more privacy officers, the method further comprises:
    - electronically displaying, by one or more computer processors, one or more prompts to the one or more privacy officers, wherein each prompt informs the one or more privacy officers to input information regarding one or more particular attributes of the one or more privacy-related attributes; and
      
      communicating, by one or more computer processors, the information regarding the particular privacy-related attributes to one or more second one or privacy officers for use in conducting the advanced privacy impact assessment of the software application.
  - 14. The computer-implemented data processing method of claim 13 wherein the particular privacy-related attribute is that the software application collects information regarding the web browsing habits of users of the software application.
  - 15. The computer-implemented data processing method of claim 13, wherein the information regarding the one or more particular attributes comprises a reason that the software application has the one or more attributes.

16. A computer-implemented data processing method for efficiently conducting privacy risk assessments for a plurality of privacy campaigns, the method comprising, for each of the plurality of privacy campaigns:
- presenting, by one or more processors, a threshold privacy assessment to a user that includes a first set of one or more questions for a first plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign;
  
  receiving, by one or more processors, respective answers for the first plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, a first privacy risk score for the particular privacy campaign that identifies a level of risk for one or more of the privacy characteristics indicated in the first plurality of question/answer pairings;
  
  comparing, by one or more processors, the first privacy risk score to a first threshold privacy risk value, the first threshold privacy risk value indicating a pre-determined level of risk regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, whether the first privacy risk score exceeds the first threshold privacy risk value;
  
  in response to determining that the first privacy risk score exceeds the first threshold privacy risk value, providing, by one or more processors, a privacy impact assessment to the user that includes a second set of questions for a second plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign, the second set of one or more questions includes a greater number of questions than the first set of one or more questions;
  
  receiving, by one or more processors, respective answers for the second plurality of question/answer pairings regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, a second privacy risk score for the particular privacy campaign that identifies a level of risk for one or more of the privacy characteristics indicated in the second plurality of question/answer pairings;
  
  comparing, by one or more processors, the second privacy risk score to a second threshold privacy risk value, the second threshold privacy risk value indicating a pre-determined level of risk regarding the one or more privacy characteristics of the particular privacy campaign;
  
  determining, by one or more processors, whether the second privacy risk score exceeds the second threshold privacy risk value;
  
  in response to determining that the second privacy risk score exceeds the second threshold privacy risk value;
  
  providing, by one or more processors, an advanced privacy impact assessment to the user that includes a third set of questions for a third plurality of question/answer pairings that identify one or more privacy characteristics of the particular privacy campaign, wherein the third set of one or more questions includes a greater number of questions than the second set of one or more questions,determining a respective weighting factor for each of the third plurality of question/answer pairings,determining a respective relative risk rating for each of the third plurality of question/answer pairings,determining a third privacy risk score based upon, for each of the third plurality of question/answer pairings, the respective relative risk rating and the respective weighting factor, andelectronically associating the third privacy risk score with the particular privacy campaign;
  
  in response to determining that the first privacy risk score does not exceed the first threshold privacy risk value, storing, by one or more processors, an indication that the particular privacy campaign is a low privacy risk campaign; and
  
  in response to determining that the second privacy risk score does not exceed the second threshold privacy risk value, storing, by one or more processors, the indication that the particular privacy campaign is a low privacy risk campaign.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-implemented data processing method of claim 16, wherein the first threshold privacy risk value is different from the second threshold privacy risk value.
  - 18. The computer-implemented data processing method of claim 16, wherein the step of determining the second privacy risk score includes incorporating the first privacy risk score in the determining of the second privacy risk score.
  - 19. The computer-implemented data processing method of claim 16, wherein, in further response to determining that the first privacy risk score exceeds the first threshold privacy risk value, the method further comprises:
    - providing, by the one or more processors, a notification to one or more privacy officers associated with the privacy campaign to indicate that the first privacy risk score exceeds the first threshold privacy risk value.
  - 20. The computer-implemented data processing method of claim 16, wherein the first threshold privacy risk value is configured to be set by one or more privacy officers associated with the privacy campaign.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A.
Primary Examiner(s)
Ouellette, Jonathan P

Application Number

US16/237,083
Publication Number

US 20190139112A1
Time in Patent Office

267 Days
Field of Search

705 11-912, 705325
US Class Current
CPC Class Codes

G06Q 10/063114   Status monitoring or status...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 30/0609   Buyer or seller confidence ...

G06Q 50/265   Personal security, identity...

Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

451 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

451 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links