Data processing systems and methods for auditing data request compliance

US 10,614,246 B2
Filed: 06/10/2019
Issued: 04/07/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium storing computer-executable instructions for:

receiving, by at least one computer processor, a data subject access request from a data subject access requestor;

automatically determining, by at least one computer processor, a type of the data subject access request, the determined type of data subject access request being selected from a group consisting of;

(1) a request to delete personal data of the data subject access requestor that is being stored by a particular organization;

(2) a request to provide, to the data subject access requestor, the personal data of the data subject access requestor that is being stored by the particular organization;

(3) a request to update the personal data of the data subject access requestor that is being stored by the particular organization; and

(4) a request to opt out of having the particular organization use the personal data of the data subject access requestor in one or more particular ways;

determining, by at least one processor, based at least partially on the determined type of data subject access request, a workflow that is to be used to process the data subject access request, wherein the workflow is a workflow for validating an identity of an individual;

after determining the workflow, facilitating, by at least one processor, the processing of the data subject access request via the workflow;

analyzing, by at least one processor, a timing of a plurality of processed data subject access requests;

receiving an audit request, to audit compliance, by the particular organization with one or more data subject access request requirements, the one or more data subject access request requirements comprising a respective time constraint for responding to each of the plurality of processed data subject access requests, the audit request comprising one or more request parameters;

performing an audit based on the one or more request parameters;

generating a report of one or more results of the audit; and

providing the report to a privacy officer associated with the particular organization.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A privacy management system that is configured to process one or more data subject access requests and further configured to: (1) enable a data protection officer to submit an audit request; (2) perform an audit based on one or more parameters provided as part of the request (e.g., one or more parameters such as how long an average request takes to fulfill, one or more parameters related to logging and/or tracking data subject access requests and/or complaints from one or more particular customer advocacy groups, individuals, NGOs, etc.); and (3) provide one or more audit results to the officer (e.g., by displaying the results on a suitable display screen).

681 Citations

20 Claims

1. A non-transitory computer-readable medium storing computer-executable instructions for:
- receiving, by at least one computer processor, a data subject access request from a data subject access requestor;
  
  automatically determining, by at least one computer processor, a type of the data subject access request, the determined type of data subject access request being selected from a group consisting of;
  
  (1) a request to delete personal data of the data subject access requestor that is being stored by a particular organization;
  
  (2) a request to provide, to the data subject access requestor, the personal data of the data subject access requestor that is being stored by the particular organization;
  
  (3) a request to update the personal data of the data subject access requestor that is being stored by the particular organization; and
  
  (4) a request to opt out of having the particular organization use the personal data of the data subject access requestor in one or more particular ways;
  
  determining, by at least one processor, based at least partially on the determined type of data subject access request, a workflow that is to be used to process the data subject access request, wherein the workflow is a workflow for validating an identity of an individual;
  
  after determining the workflow, facilitating, by at least one processor, the processing of the data subject access request via the workflow;
  
  analyzing, by at least one processor, a timing of a plurality of processed data subject access requests;
  
  receiving an audit request, to audit compliance, by the particular organization with one or more data subject access request requirements, the one or more data subject access request requirements comprising a respective time constraint for responding to each of the plurality of processed data subject access requests, the audit request comprising one or more request parameters;
  
  performing an audit based on the one or more request parameters;
  
  generating a report of one or more results of the audit; and
  
  providing the report to a privacy officer associated with the particular organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the determined type of data subject access request comprises a request to delete the personal data of the data subject access requestor that is being stored by the particular organization;
    - andwherein performing the audit comprises determining whether the personal data of the data subject access requestor that is being stored by the particular organization has been deleted.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the determined type of data subject access request comprises a request to provide, to the data subject access requestor, the personal data of the data subject access requestor that is being stored by the particular organization;
    - andwherein performing the audit comprises determining whether the personal data of the data subject access requestor that is being stored by the particular organization has been deleted.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the one or more request parameters comprise one or more parameters related to a particular group of data subjects;
    - andwherein performing the audit comprises analyzing a plurality of data subject access requestors to identify one or more members of the particular group of data subjects.
  - 5. The non-transitory computer-readable medium of claim 1, wherein performing the audit comprises analyzing the timing of the processing of each of the plurality of processed data subject access requests and comparing the analysis to each respective time constraint.
  - 6. The non-transitory computer-readable medium of claim 1, wherein performing the audit comprises analyzing each of the plurality of processed data subject access requests to identify whether any particular data subject access request of the plurality of processed data subject access requests utilized one or more time extensions during processing.
  - 7. The non-transitory computer-readable medium of claim 6, further storing computer-executable instructions for:
    - in response to determining that a particular data subject access request of the plurality of processed data subject access requests utilized the one or more time extensions during processing, modifying the report of one or more results of the audit.
  - 8. The non-transitory computer-readable medium of claim 1, wherein performing the audit comprises determining, for each of the plurality of processed data subject access requests, whether the processing required manual processing.
  - 9. The non-transitory computer-readable medium of claim 1, further storing computer-executable instructions for:
    - receiving a complaint from the data subject access requestor regarding the processing of the data subject access request; and
      
      in response to receiving the complaint, modifying the report of one or more results of the audit.
  - 10. The non-transitory computer-readable medium of claim 1, wherein the workflow is a workflow that specifies, based at least partially on the determined type of data subject access request, that the workflow will facilitate at least a partial manual processing of the data subject access request.
  - 11. The non-transitory computer-readable medium of claim 10, wherein the workflow is a computer-implemented workflow for automatically deleting all of the personal data for the data subject access requestor on one or more computer systems of the particular organization.
  - 12. The non-transitory computer-readable medium of claim 11, wherein performing the audit comprises scanning the one or more computer systems of the particular organization using one or more intelligent identity scanning means to identify at least one piece of personal data associated with the data subject access requestor that is stored on the one or more computer systems of the particular organization.
  - 13. The non-transitory computer-readable medium of claim 1, wherein performing the audit comprises analyzing a plurality of open data subject access requests to determine, for each of the plurality of open data subject access requests, a number of days remaining before a respective deadline for responding.

14. A privacy management computer system for auditing one or more responses to one or more data subject access requests received by a particular entity, the system comprising:
- one or more computer processors; and
  
  computer memory operatively coupled to the one or more processors, wherein the one or more computer processors are adapted for;
  
  receiving a plurality of data subject access requests via a plurality of webforms on respective computing devices from a plurality of data subject access requestors;
  
  automatically determining a type of each data subject access request, the determined type of data subject access request being selected from a group consisting of;
  
  (1) a request to delete personal data of a data subject access requestor that is being stored by a particular organization;
  
  (2) a request to provide, to the data subject access requestor, the personal data of the data subject access requestor that is being stored by the particular organization;
  
  (3) a request to update the personal data of the data subject access requestor that is being stored by the particular organization; and
  
  (4) a request to opt out of having the particular organization use the personal data of the data subject access requestor in one or more particular ways;
  
  determining, based at least partially on the determined type of each data subject access request, a workflow that is to be used to process each request;
  
  facilitating the processing of each of the plurality of data subject access requests via the workflow;
  
  receiving an audit request to audit compliance, by the particular entity with one or more data subject access request requirements, the audit request comprising one or more request parameters, the one or more request parameters comprising one or more parameters related to a particular group of data subjects;
  
  performing the audit based on the one or more request parameters, wherein performing the audit comprises;
  
  analyzing the plurality of data subject access requestors to identify one or more members of the particular group of data subjects;
  
  identifying particular associated data subject access requests of the plurality of data subject access requests that are associated with the one or more members of the particular group of data subjects; and
  
  analyzing the particular associated data subject access requests to determine a compliance level with the one or more data subject access request requirements;
  
  generating a report of one or more results of the audit; and
  
  providing the report to a privacy officer associated with the particular entity.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The privacy management computer system of claim 14, wherein the determined type of data subject access request comprises a request to delete the personal data of the data subject access requestor that is being stored by the particular organization.
  - 16. The privacy management computer system of claim 15, wherein performing the audit comprises determining whether the personal data of the data subject access requestor that is being stored by the particular organization has been deleted.
  - 17. The privacy management computer system of claim 14, wherein the determined type of data subject access request comprises a request to provide, to the data subject access requestor, the personal data of the data subject access requestor that is being stored by the particular organization.
  - 18. The privacy management computer system of claim 17, wherein performing the audit comprises automatically determining whether the system has provided the personal data of the data subject access requestor that is being stored by the particular organization.
  - 19. The privacy management computer system of claim 14, wherein performing the audit comprises scanning one or more computer systems of the particular organization using one or more intelligent identity scanning means to identify at least one piece of personal data associated with the data subject access requestor that is stored on the one or more computer systems of the particular organization.
  - 20. The privacy management computer system of claim 14, wherein performing the audit comprises:
    - analyzing the plurality of data subject access requestors to identify a particular group associated with at least a particular number of the plurality of data subject access requestors; and
      
      generating the report to include the identified particular group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Brannon, Jonathan Blake, Sabourin, Jason L., Karanjkar, Mihir S., Jones, Kevin, Beaumont, Richard A.
Primary Examiner(s)
Zaidi, Syed A

Application Number

US16/436,616
Publication Number

US 20190294818A1
Time in Patent Office

302 Days
Field of Search

726 27
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0407   wherein the identity of one...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

Data processing systems and methods for auditing data request compliance

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

681 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems and methods for auditing data request compliance

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

681 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links