Data processing systems for identity validation of data subject access requests and related methods

US 10,564,936 B2
Filed: 09/13/2019
Issued: 02/18/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for validating a data subject access request, the computer-implemented data processing method comprising:

receiving, by at least one computer processor, a data subject access request provided by a requestor, wherein the data subject access request comprises a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with an identified data subject that the particular organization has obtained on the identified data subject,wherein at least one of the one or more pieces of personal data associated with the identified data subject was not provided to the particular organization by the identified data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;

a first type of data subject access request that requires a first number of authentication methods, anda second type of data subject access request that requires a second number of authentication methods, wherein the first number of authentication methods is different than the second number of authentication methods;

in response to receiving the data subject access request provided by the requestor, determining, by at least one computer processor, one or more authentication methods required to validate an identity of the requestor as the identified data subject of the data subject access request;

providing, by at least one computer processor, the one or more authentication methods to the requestor, wherein each of the one or more authentication methods comprise prompting the requestor to provide particular information to validate the identity of the requestor as the identified data subject;

determining, by at least one computer processor, whether to validate the identity of the requestor as the identified data subject based at least in part on the particular information provided by the requestor associated with each of the one or more authentication methods;

in response to determining to validate the identity of the requestor as the identified data subject, validating, by at least one computer processor, the identity of the requestor as the identified data subject; and

in response to validating the identity of the requestor as the identified data subject, processing, by at least one computer processor, the data subject access request by;

automatically identifying, by at least one computer processor, the one or more pieces of personal data associated with the identified data subject, wherein the one or more pieces of personal data associated with the identified data subject are stored in one or more data repositories associated with the particular organization; and

in response to automatically identifying the one or more pieces of personal data associated with the identified data subject, performing, by at least one computer processor, the one or more actions on the one or more pieces of personal data associated with the identified data subject based at least in part on the data subject access request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, a computer-implemented data processing method for responding to a data subject access request comprises: (A) receiving a data subject access request from a requestor comprising one or more request parameters; (B) validating an identity of the requestor by prompting the requestor to identify information associated with the requestor; (C) in response to validating the identity of the requestor, processing the request by identifying one or more pieces of personal data associated with the requestor, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and (D) taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data.

777 Citations

20 Claims

1. A computer-implemented data processing method for validating a data subject access request, the computer-implemented data processing method comprising:
- receiving, by at least one computer processor, a data subject access request provided by a requestor, wherein the data subject access request comprises a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with an identified data subject that the particular organization has obtained on the identified data subject,wherein at least one of the one or more pieces of personal data associated with the identified data subject was not provided to the particular organization by the identified data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;
  
  a first type of data subject access request that requires a first number of authentication methods, anda second type of data subject access request that requires a second number of authentication methods, wherein the first number of authentication methods is different than the second number of authentication methods;
  
  in response to receiving the data subject access request provided by the requestor, determining, by at least one computer processor, one or more authentication methods required to validate an identity of the requestor as the identified data subject of the data subject access request;
  
  providing, by at least one computer processor, the one or more authentication methods to the requestor, wherein each of the one or more authentication methods comprise prompting the requestor to provide particular information to validate the identity of the requestor as the identified data subject;
  
  determining, by at least one computer processor, whether to validate the identity of the requestor as the identified data subject based at least in part on the particular information provided by the requestor associated with each of the one or more authentication methods;
  
  in response to determining to validate the identity of the requestor as the identified data subject, validating, by at least one computer processor, the identity of the requestor as the identified data subject; and
  
  in response to validating the identity of the requestor as the identified data subject, processing, by at least one computer processor, the data subject access request by;
  
  automatically identifying, by at least one computer processor, the one or more pieces of personal data associated with the identified data subject, wherein the one or more pieces of personal data associated with the identified data subject are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the identified data subject, performing, by at least one computer processor, the one or more actions on the one or more pieces of personal data associated with the identified data subject based at least in part on the data subject access request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented data processing method of claim 1, wherein the computer-implemented data processing method further comprises:
    - in response to receiving the data subject access request provided by the requestor, accessing, by at least one computer processor, one or more external data systems;
      
      providing, by at least one computer processor, one or more pieces of information included in the data subject access request to the one or more external systems; and
      
      determining, by at least one computer processor and based at least in part on information received via the one or more external systems, that the identified data subject exists.
  - 3. The computer-implemented data processing method of claim 2, wherein the computer-implemented data processing method further comprises:
    - in response to determining that the identified data subject exists, identifying, by at least one computer processor, the information received via the one or more external systems as an authentication method of the one or more authentication methods.
  - 4. The computer-implemented data processing method of claim 2, wherein the computer-implemented data processing method further comprises:
    - validating, by at least one computer processor, the identity of the requestor as the identified data subject based at least in part on the information received via the one or more external systems and one or more pieces of information included in the data subject access request.
  - 5. The computer-implemented data processing method of claim 1, wherein:
    - the one or more authentication methods comprise one or more two-factor authentication methods;
      
      providing the one or more authentication methods to the requestor comprises;
      
      transmitting the particular information to a contact device associated with the identified data subject; and
      
      prompting the requestor to provide the particular information to validate the identity of the requestor as the identified data subject; and
      
      the computer-implemented data processing method further comprises;
      
      receiving, by at least one computer processor, the particular information transmitted to the contact device associated with the identified data subject from the requestor; and
      
      at least partially in response to receiving the particular information transmitted to the contact device associated with the identified data subject from the requestor, validating the identity of the requestor as the identified data subject.

6. A computer-implemented data processing method for responding to a data subject access request, the computer-implemented data processing method comprising:
- receiving a data subject access request from a requestor comprising one or more request parameters, wherein the data subject access request comprises a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with a data subject that the particular organization has at least temporarily stored,wherein at least one of the one or more pieces of personal data associated with the data subject was not provided to the particular organization by the data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;
  
  a first type of data subject access request that requires a first number of authentication methods, anda second type of data subject access request that requires a second number of authentication methods, wherein the first number of authentication methods is different than the second number of authentication methods;
  
  in response to receiving the data subject access request from the requestor, determining one or more authentication methods required to validate an identity of the requestor as the data subject of the data subject access request;
  
  validating the identity of the requestor by prompting the requestor to identify information associated with the requestor;
  
  in response to validating the identity of the requestor, processing the data subject access request by automatically identifying one or more pieces of personal data associated with the data subject, wherein the one or more pieces of personal data associated with the data subject are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the data subject, taking one or more actions based at least in part on the data subject access request, wherein the one or more actions includes one or more actions related to the one or more pieces of personal data associated with the data subject.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The computer-implemented data processing method of claim 6, wherein validating the identity of the requestor comprises:
    - accessing, via one or more computer networks, one or more third-party data aggregation systems;
      
      determining, based at least in part on information received via the one or more third-party data aggregation systems, that the requestor is the data subject; and
      
      in response to determining that the requestor is the data subject, confirming, based at least in part on the information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is the data subject.
  - 8. The computer-implemented data processing method of claim 7, wherein confirming that the requestor is the data subject comprises:
    - generating, based at least in part on the information received via the one or more third-party data aggregation systems, at least one threshold identity confirmation question;
      
      prompting the requestor to provide a response to the at least one threshold identity confirmation question; and
      
      comparing the response to the at least one threshold identity confirmation question to the information received via the one or more third-party data aggregation systems to validate the identity of the requestor.
  - 9. The computer-implemented data processing method of claim 6, wherein validating the identity of the requestor comprises:
    - prompting the requestor to provide one or more additional pieces of information in order to validate the identity of the requestor;
      
      receiving the one or more additional pieces of information from the requestor; and
      
      comparing the one or more additional pieces of information received from the requestor to corresponding data accessed via one or more third-party data aggregation systems in order to validate the identity of the requestor.
  - 10. The computer-implemented data processing method of claim 9, wherein the one or more additional pieces of information received from the requestor comprise one or more images provided by the requestor via a computing device associated with the requestor.
  - 11. The computer-implemented data processing method of claim 10, further comprising:
    - determining, based in part on the one or more request parameters, a number of identity validation methods required to validate the identity of the requestor; and
      
      prompting the requestor to identify different information associated with the requestor for each of the number of identity validation methods required to validate the identity of the requestor.
  - 12. The computer-implemented data processing method of claim 6, wherein the requestor is a requesting business.
  - 13. The computer-implemented data processing method of claim 12, wherein validating the identity of the requestor further comprises using one or more company validation techniques, and wherein the one or more company validation techniques are selected from a group consisting of:
    - validating a vendor contract;
      
      receiving a matching unique identifier provided by an organization receiving the data subject access request to the requesting business;
      
      receiving a matching file in possession of both the requesting business and the organization receiving the data subject access request; and
      
      receiving a document memorializing an association between the requesting business and the organization receiving the data subject access request.

14. A non-transitory computer-readable medium storing computer-executable instructions to perform a method comprising:
- receiving a data subject access request from a requestor, wherein the data subject access request comprises;
  
  one or more request parameters; and
  
  a request for a particular organization to perform one or more actions related to one or more pieces of personal data associated with a data subject that the particular organization has processed,wherein at least one of the one or more pieces of personal data associated with the data subject was not provided to the particular organization by the data subject, andwherein the data subject access request comprises one or more request parameters, wherein one of the one or more request parameters of the data subject access request comprises a type of data subject access request, and wherein the type of data subject access request is selected from a group consisting of;
  
  a first type of data subject access request that requires a first number of authentication methods, anda second type of data subject access request that requires a second number of authentication methods, wherein the first number of authentication methods is different than the second number of authentication methods;
  
  in response to receiving the data subject access request from the requestor, determining one or more authentication methods required to validate an identity of the requestor as the data subject of the data subject access request;
  
  validating the identity of the requestor by prompting the requestor to identify information associated with the requestor;
  
  in response to validating the identity of the requestor, processing the request by automatically identifying, using one or more data modelling techniques, one or more pieces of personal data associated with the requestor, wherein the one or more pieces of personal data are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the data subject, taking the one or more actions based at least in part on the data subject access request, wherein the one or more actions includes one or more actions related to the one or more pieces of personal data associated with the data subject.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, wherein validating the identity of the requestor comprises:
    - accessing, via one or more computer networks, one or more third-party data aggregation systems;
      
      determining, based at least in part on information received via the one or more third-party data aggregation systems, that the requestor is the data subject; and
      
      in response to determining that the requestor is the data subject, confirming, based at least in part on the information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is the data subject.
  - 16. The non-transitory computer-readable medium of claim 15, wherein confirming that the requestor is the data subject comprises:
    - generating, based at least in part on the information received via the one or more third-party data aggregation systems, at least one threshold identity confirmation question;
      
      prompting the requestor to provide a response to the at least one threshold identity confirmation question; and
      
      comparing the response to the at least one threshold identity confirmation question to the information received via the one or more third-party data aggregation systems to validate the identity of the requestor.
  - 17. The non-transitory computer-readable medium of claim 14, wherein validating the identity of the requestor comprises:
    - prompting the requestor to provide one or more additional pieces of information in order to validate the identity of the requestor;
      
      receiving the one or more additional pieces of information from the requestor; and
      
      comparing the one or more additional pieces of information received from the requestor to corresponding data accessed via one or more third-party data aggregation systems in order to validate the identity of the requestor.
  - 18. The non-transitory computer-readable medium of claim 14, wherein validating the identity of the requestor comprises validating the identity of the requestor using one or more two-factor authentication techniques.
  - 19. The non-transitory computer-readable medium of claim 14, further storing computer-executable instructions to perform the method further comprising:
    - determining, based in part on the one or more request parameters, a number of identity validation methods required to validate the identity of the requestor; and
      
      prompting the requestor to identify different information associated with the requestor for each of the number of identity validation methods required to validate the identity of the requestor.
  - 20. The non-transitory computer-readable medium of claim 14, further storing computer-executable instructions to perform the method further comprising:
    - accessing one or more third-party data aggregation systems;
      
      retrieving, from the one or more third-party data aggregation systems, one or more pieces of data associated with the requestor;
      
      generating an identity verification questionnaire based at least in part on the one or more pieces of data associated with the requestor;
      
      providing the identity verification questionnaire to the requestor;
      
      receiving one or more responses to the identity verification questionnaire from the requestor; and
      
      validating the identity of the requestor based at least in part on the one or more responses to the identity verification questionnaire from the requestor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Sabourin, Jason L., Brannon, Jonathan Blake, Karanjkar, Mihir S., Jones, Kevin
Primary Examiner(s)
Chen, Qing

Application Number

US16/570,712
Publication Number

US 20200004507A1
Time in Patent Office

158 Days
Field of Search

717100-103, 726 2- 21
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 21/31   User authentication

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2103   Challenge-response

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 8/20   Software design

H04L 63/102   Entity profiles

Data processing systems for identity validation of data subject access requests and related methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

777 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Data processing systems for identity validation of data subject access requests and related methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

777 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others