Data processing systems for processing data subject access requests

US 10,565,161 B2
Filed: 02/17/2019
Issued: 02/18/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for processing a data subject within a data system in order to fulfill a data subject access request, the method comprising:

receiving, by one or more processors, from a data subject, a data subject access request;

identifying, based at least in part on the data subject access request, a particular local storage node of a plurality of local storage nodes;

routing the data subject access request to the particular local storage node;

processing the data subject access request at the local storage node by identifying one or more pieces of personal data associated with the data subject, wherein identifying the one or more pieces of personal data associated with the data subject comprises scanning one or more data inventories stored within a data system for the one or more pieces of personal data;

in response to identifying the one or more pieces of personal data, at least temporarily storing the one or more pieces of personal data at the local storage node;

providing access, to the data subject, to the one or more pieces of personal data at the local storage node;

receiving one or more data retention rules, the one or more data retention rules comprising;

a first rule to archive the one or more pieces of personal data in response to the data subject accessing the one or more pieces of personal data at the local storage node; and

a second rule to archive the one or more pieces of personal data in response to an expiration of a particular time period;

in response to processing the data subject access request, automatically archiving the one or more pieces of personal data based at least in part on the one or more data retention rules;

determining that the data subject has accessed the one or more pieces of personal data at the local storage node; and

in response to determining that the data subject has accessed the one or more pieces of personal data at the local storage node, automatically archiving the one or more pieces of personal data and storing metadata indicating a time of the access by the data subject; and

in response to archiving the one or more pieces of personal data, digitally storing metadata associated with a completion of the data subject access request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, an organization may be required to comply with one or more legal or industry requirements related to the storage of personal data (e.g., which may, for example, include personally identifiable information) even when responding to and fulfilling Data Subject Access Requests. In particular, when responding to a DSAR, the system may compile one or more pieces of personal data for provision to a data subject. The system may store this compilation of personal data at least temporarily in order to provide access to the data to the data subject. As such, the system may be configured to implement one or more data retention rules in order to ensure compliance with any legal or industry requirements related to the temporary storage of the collected data while still fulfilling any requirements related to providing the data to data subjects that request it, deleting the data upon request, etc.

Citations

19 Claims

1. A computer-implemented data processing method for processing a data subject within a data system in order to fulfill a data subject access request, the method comprising:
- receiving, by one or more processors, from a data subject, a data subject access request;
  
  identifying, based at least in part on the data subject access request, a particular local storage node of a plurality of local storage nodes;
  
  routing the data subject access request to the particular local storage node;
  
  processing the data subject access request at the local storage node by identifying one or more pieces of personal data associated with the data subject, wherein identifying the one or more pieces of personal data associated with the data subject comprises scanning one or more data inventories stored within a data system for the one or more pieces of personal data;
  
  in response to identifying the one or more pieces of personal data, at least temporarily storing the one or more pieces of personal data at the local storage node;
  
  providing access, to the data subject, to the one or more pieces of personal data at the local storage node;
  
  receiving one or more data retention rules, the one or more data retention rules comprising;
  
  a first rule to archive the one or more pieces of personal data in response to the data subject accessing the one or more pieces of personal data at the local storage node; and
  
  a second rule to archive the one or more pieces of personal data in response to an expiration of a particular time period;
  
  in response to processing the data subject access request, automatically archiving the one or more pieces of personal data based at least in part on the one or more data retention rules;
  
  determining that the data subject has accessed the one or more pieces of personal data at the local storage node; and
  
  in response to determining that the data subject has accessed the one or more pieces of personal data at the local storage node, automatically archiving the one or more pieces of personal data and storing metadata indicating a time of the access by the data subject; and
  
  in response to archiving the one or more pieces of personal data, digitally storing metadata associated with a completion of the data subject access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer-implemented data processing method of claim 1, the method further comprising:
    - determining that the particular time period has expired without the data subject accessing the one or more pieces of personal data; and
      
      in response to determining that the particular time period has expired without the data subject accessing the one or more pieces of personal data, automatically archiving the one or more pieces of personal data and storing metadata indicating that the data subject did not access the one or more pieces of personal data prior to the expiration of the time period.
  - 3. The computer-implemented data processing method of claim 1, wherein:
    - the one or more data retention rules comprise one or more rules based on one or more legal requirements related to storage of the one or more pieces of personal data associated with the data subject;
      
      automatically archiving the one or more pieces of personal data based on the one or more legal requirements; and
      
      in response to automatically archiving the one or more pieces of personal data based on the one or more legal requirements, storing metadata indicating a type of the one or more pieces of personal data.
  - 4. The computer-implemented data processing method of claim 1, wherein:
    - the one or more data retention rules comprise one or more rules based on an access limit to the one or more pieces of personal data at the local storage node by the data subject.
  - 5. The computer-implemented data processing method of claim 4, the method further comprising:
    - determining that the data subject has exceeded the access limit; and
      
      in response to determining that the data subject has exceeded the access limit, automatically archiving the one or more pieces of personal data.
  - 6. The computer-implemented data processing method of claim 5, the method further comprising:
    - in response to determining that the data subject has exceeded the access limit, storing metadata in computer memory, wherein;
      
      the metadata defines the type of the one or more pieces of personal data and that the data subject exceeded the access limit.
  - 7. The computer-implemented data processing method of claim 1, wherein automatically archiving the one or more pieces of personal data comprises:
    - automatically determining one storage locations of the one or more pieces of personal data; and
      
      in response to determining the one or more storage locations, automatically deleting the one or more pieces of personal data from the one or more storage locations.
  - 8. The computer-implemented data processing method of claim 7, wherein the one or more storage locations comprise the particular local storage node.
  - 9. The computer-implemented data processing method of claim 1, wherein identifying the particular local storage node of the plurality of local storage nodes comprises:
    - determining a location of the data subject; and
      
      identifying the particular local storage node based at least in part on the location of the data subject.
  - 10. The computer-implemented data processing method of claim 9, wherein:
    - the location is within a defined geographic boundary; and
      
      identifying the particular local storage node based at least in part on the location of the data subject comprises identifying a local storage node of the plurality of local storage nodes that is located within the defined geographic boundary.
  - 11. The computer-implemented data processing method of claim 10, wherein the defined geographic boundary is a selected from the group consisting of:
    - a particular country; and
      
      a particular jurisdiction.
  - 12. The computer-implemented data processing method of claim 9, wherein determining the location of the data subject comprises determining the location of the data subject based at least in part on the data subject access request.
  - 13. The computer-implemented data processing method of claim 12, wherein:
    - receiving the data subject access request comprises receiving the data subject access request from a computing device associated with the data subject; and
      
      determining the location of the data subject comprises;
      
      determining an IP address of the computing device associated with the data subject; and
      
      determining the location of the data subject comprises determining location of the data subject based at least in part on the computing device.
  - 14. The computer-implemented data processing method of claim 12, wherein:
    - the data subject access request comprises an address of the data subject; and
      
      determining the location of the data subject comprises determining the location based at least in part on the address.
  - 15. The computer-implemented data processing method of claim 14, wherein:
    - the address is within a defined geographic boundary; and
      
      identifying the particular local storage node based at least in part on the location of the data subject comprises identifying a local storage node of the plurality of local storage nodes that is located within the defined geographic boundary.
  - 16. The computer-implemented data processing method of claim 1, wherein the metadata associated with the completion of the data subject access request includes a type of one or more pieces of personal data.
  - 17. The computer-implemented data processing method of claim 1, wherein the metadata associated with the completion of the data subject access request includes a completion time of the data subject access request.
  - 18. The computer-implemented data processing method of claim 1, wherein the metadata associated with the completion of the data subject access request includes an indication of which of the one or more data retention rules triggered the archiving of the one or more pieces of personal data.
  - 19. The computer-implemented data processing method of claim 1, wherein the plurality of local storage nodes comprises one or more servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Brannon, Jonathan Blake, Sabourin, Jason L.
Primary Examiner(s)
Aponte, Francisco J

Application Number

US16/278,122
Publication Number

US 20190179799A1
Time in Patent Office

366 Days
Field of Search

717101
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 16/113   Details of archiving lifecy...

G06F 16/907   Retrieval characterised by ...

G06F 16/95   Retrieval from the web

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6245   Protecting personal data, e...

H04L 63/102   Entity profiles

H04L 67/568   Storing data temporarily at...

Data processing systems for processing data subject access requests

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems for processing data subject access requests

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links