Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques

US 10,599,870 B2
Filed: 05/06/2019
Issued: 03/24/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method of identifying and responding to one or more potential risk triggers based on a data model, the method comprising:

identifying, by one or more processors, a potential risk trigger for an entity;

assessing and analyzing, by one or more processors, the potential risk trigger to determine a relevance of a risk posed to the entity by the potential risk trigger;

identifying, by one or more processors, using one or more data modeling techniques, one or more data assets associated with the entity that may be affected by the potential risk trigger, wherein identifying the one or more data assets comprises;

accessing the data model to identify one or more pieces of personal data stored, collected, or processed by the one or more data assets; and

analyzing the one or more pieces of personal data to determine whether any of the one or more pieces of personal data may be affected by the potential risk trigger;

using the data model to identify one or more data elements stored in the one or more data assets, the data model comprising;

a respective digital inventory for each of the one or more data assets, each respective digital inventory comprising one or more inventory attributes selected from the group consisting of;

one or more processing activities associated with each respective data asset;

transfer data associated with each respective data asset;

the one or more pieces of personal data associated with each respective data asset; and

a data map identifying one or more electronic associations between at least two of the one or more data assets, wherein the one or more data elements comprise the one or more inventory attributes;

determining, by one or more processors, based at least in part on the one or more identified data assets and the relevance of the risk, whether to take one or more actions in response to a potential risk posed to the entity by the potential risk trigger, wherein;

the potential risk trigger comprises a change in a regulation related to collection and storage of personal data by the entity using the one or more identified data assets; and

the regulation comprises one or more transfer restrictions; and

analyzing, by one or more processors, the identified one or more data elements to determine one or more data transfers between the one or more data systems in different particular physical locations;

determining, by one or more processors, whether to take the one or more actions in response to the potential risk posed to the entity by the potential risk trigger comprises analyzing the transfer data associated with each respective data asset; and

in response to determining to take the one or more actions, taking, by one or more processors, the one or more actions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, a Data Model Adaptive Execution System may be configured to take one or more suitable actions to remediate an identified risk in view of one or more regulations (e.g., one or more legal regulations, one or more binding corporate rules, etc.). For example, in order to ensure compliance with one or more standards related to the collection and/or storage of personal data, an entity may be required to modify one or more aspects of a way in which the entity collects, stores, and/or otherwise processes personal data (e.g., in response to a change in a legal or other requirement). In order to identify whether a particular change or other risk trigger requires remediation, the system may be configured to assess a relevance of the risk posed by the risk and identify one or more processing activities or data assets that may be affected by the risk.

657 Citations

19 Claims

1. A computer-implemented data processing method of identifying and responding to one or more potential risk triggers based on a data model, the method comprising:
- identifying, by one or more processors, a potential risk trigger for an entity;
  
  assessing and analyzing, by one or more processors, the potential risk trigger to determine a relevance of a risk posed to the entity by the potential risk trigger;
  
  identifying, by one or more processors, using one or more data modeling techniques, one or more data assets associated with the entity that may be affected by the potential risk trigger, wherein identifying the one or more data assets comprises;
  
  accessing the data model to identify one or more pieces of personal data stored, collected, or processed by the one or more data assets; and
  
  analyzing the one or more pieces of personal data to determine whether any of the one or more pieces of personal data may be affected by the potential risk trigger;
  
  using the data model to identify one or more data elements stored in the one or more data assets, the data model comprising;
  
  a respective digital inventory for each of the one or more data assets, each respective digital inventory comprising one or more inventory attributes selected from the group consisting of;
  
  one or more processing activities associated with each respective data asset;
  
  transfer data associated with each respective data asset;
  
  the one or more pieces of personal data associated with each respective data asset; and
  
  a data map identifying one or more electronic associations between at least two of the one or more data assets, wherein the one or more data elements comprise the one or more inventory attributes;
  
  determining, by one or more processors, based at least in part on the one or more identified data assets and the relevance of the risk, whether to take one or more actions in response to a potential risk posed to the entity by the potential risk trigger, wherein;
  
  the potential risk trigger comprises a change in a regulation related to collection and storage of personal data by the entity using the one or more identified data assets; and
  
  the regulation comprises one or more transfer restrictions; and
  
  analyzing, by one or more processors, the identified one or more data elements to determine one or more data transfers between the one or more data systems in different particular physical locations;
  
  determining, by one or more processors, whether to take the one or more actions in response to the potential risk posed to the entity by the potential risk trigger comprises analyzing the transfer data associated with each respective data asset; and
  
  in response to determining to take the one or more actions, taking, by one or more processors, the one or more actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer-implemented data processing method of claim 1, wherein the potential risk trigger comprises a change in a regulation related to collection and storage of personal data by the entity using the one or more identified data assets.
  - 3. The computer-implemented data processing method of claim 1, the method further comprising:
    - receiving an indication of a security breach of the one or more identified data assets; and
      
      in response to receiving the indication, identifying the potential risk trigger as the security breach.
  - 4. The computer-implemented data processing method of claim 1, whereinthe one or more data transfers comprise a first transfer from a first data asset in a first location to a second data asset in a second location;
    - the one or more inventory attributes associated with the first data asset comprise one or more first data storage attributes; and
      
      the one or more inventory attributes associated with the second data asset comprise one or more second data storage attributes.
  - 5. The computer-implemented data processing method of claim 4, wherein:
    - the one or more transfer restrictions comprise a first transfer restriction related to the first transfer; and
      
      the first transfer restriction comprises a restriction that the one or more second data storage attributes comprise one or more second data security restrictions that are at least as stringent as one or more first data security restrictions associated with the one or more first data storage attributes.
  - 6. The computer-implemented data processing method of claim 1, wherein the one or more inventory attributes comprise one or more processing activities associated with each respective data asset.
  - 7. The computer-implemented data processing method of claim 1, wherein the one or more inventory attributes comprise the one or more pieces of personal data associated with each respective data asset.
  - 8. The computer-implemented data processing method of claim 1, wherein the one or more inventory attributes comprise the data map identifying the one or more electronic associations between the at least two of the one or more data assets.
  - 9. The computer-implemented data processing method of claim 1, wherein the one or more inventory attributes comprise transfer data associated with each respective data asset.
  - 10. The computer-implemented data processing method of claim 9, wherein the one or more transfer restrictions restrict a transfer of data between the different particular physical locations.
  - 11. The computer-implemented data processing method of claim 10, wherein analyzing the identified one or more data elements to determine the one or more data transfers between the one or more data systems in different particular physical locations comprises analyzing the transfer data associated with each respective data asset to identify the one or more data transfers between the one or more data systems in different particular physical locations.
  - 12. The computer-implemented data processing method of claim 9, wherein the one or more transfer restrictions require at least a particular level of privacy protection.
  - 13. The computer-implemented data processing method of claim 1, wherein assessing and analyzing the potential risk trigger to determine the relevance of the risk posed to the entity by the potential risk trigger comprises analyzing each respective digital inventory to determine an amount of the one or more pieces of personal data affected by the potential risk trigger.
  - 14. The computer-implemented data processing method of claim 1, wherein assessing and analyzing the potential risk trigger to determine the relevance of the risk posed to the entity by the potential risk trigger comprises determining a number of the one or more data assets affected by the potential risk trigger.
  - 15. The computer-implemented data processing method of claim 1, wherein the one or more actions comprise adjusting at least one of the one or more inventory attributes.
  - 16. The computer-implemented data processing method of claim 15, wherein adjusting the at least one of the one or more inventory attributes comprises modifying an encryption level of at least one of the one or more pieces of personal data stored by at least one of the one or more data assets.
  - 17. The computer-implemented data processing method of claim 1, wherein the regulation comprises one or more legal regulations.
  - 18. The computer-implemented data processing method of claim 1, wherein the regulation comprises one or more industry standards.
  - 19. The computer-implemented data processing method of claim 1, wherein the regulation comprises one or more binding corporate rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Karanjkar, Mihir S., Finch, Steven W., Browne, Ken A., Heard, Nathan W., Patel, Aakash H., Sabourin, Jason L., Daniel, Richard L., Patton-Kuhl, Dylan D., Jones, Kevin, Brannon, Jonathan Blake
Primary Examiner(s)
Ullah, Sharif E

Application Number

US16/404,399
Publication Number

US 20190258823A1
Time in Patent Office

323 Days
Field of Search

726 2, 726 21, 726 25, 726 36, 713150, 713163, 713181, 380255, 380264, 380276
US Class Current
CPC Class Codes

G06F 16/9038   Presentation of query results

G06F 21/577   Assessing vulnerabilities a...

G06F 21/606   by securing the transmissio...

G06F 21/6245   Protecting personal data, e...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/1433   Vulnerability analysis

Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

657 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

657 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links