Data processing systems for identity validation of data subject access requests and related methods

US 10,705,801 B2
Filed: 02/14/2020
Issued: 07/07/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for processing a data subject access request, the computer-implemented data processing method comprising:

receiving a data subject access request from a data subject that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with the data subject that the particular organization has obtained on the data subject, wherein the data subject access request comprises one or more request parameters,wherein at least one of the one or more pieces of personal data associated with the data subject was not provided to the particular organization by the data subject,wherein the data subject access request has a request type selected from the group consisting of;

a first request type, wherein the one or more actions comprise a first request to delete the one or more pieces of personal data associated with the data subject;

a second request type, wherein the one or more actions comprise a second request to provide a copy of the one or more pieces of personal data associated with the data subject to the data subject; and

a third request type, wherein the one or more actions comprise a third request to modify the one or more pieces of personal data associated with the data subject,wherein the one or more request parameters comprise the request type,wherein the first request type is associated with a first authentication type requiring a first number of identity validation methods,wherein the second request type is associated with a second authentication type requiring a second number of identity validation methods, andwherein the second number of identity validation methods is greater than the first number of identity validation methods;

in response to receiving the data subject access request from the data subject, validating an identity of the data subject by;

automatically detecting a type of authentication required to validate the identity of the data subject based at least in part on the one or more request parameters wherein the type of authentication required to validate the identity of the data subject is based on the request type;

prompting the data subject to provide one or more pieces of information based at least in part on the type of authentication required;

receiving, from the data subject, the one or more pieces of information;

in response to receiving the one or more pieces of information, confirming the validity of the one or more pieces of information; and

in response to confirming the validity of the one or more pieces of information, validating the identity of the data subject;

in response to validating the identity of the data subject, processing the data subject access request by automatically identifying one or more pieces of personal data associated with the data subject, wherein the one or more pieces of personal data associated with the data subject are stored in one or more data repositories associated with the particular organization; and

in response to automatically identifying the one or more pieces of personal data associated with the data subject, automatically taking the one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to the one or more pieces of personal data associated with the data subject.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, a computer-implemented data processing method for responding to a data subject access request comprises: (A) receiving a data subject access request from a requestor comprising one or more request parameters; (B) validating an identity of the requestor by prompting the requestor to identify information associated with the requestor; (C) in response to validating the identity of the requestor, processing the request by identifying one or more pieces of personal data associated with the requestor, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and (D) taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data.

825 Citations

11 Claims

1. A computer-implemented data processing method for processing a data subject access request, the computer-implemented data processing method comprising:
- receiving a data subject access request from a data subject that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with the data subject that the particular organization has obtained on the data subject, wherein the data subject access request comprises one or more request parameters,wherein at least one of the one or more pieces of personal data associated with the data subject was not provided to the particular organization by the data subject,wherein the data subject access request has a request type selected from the group consisting of;
  
  a first request type, wherein the one or more actions comprise a first request to delete the one or more pieces of personal data associated with the data subject;
  
  a second request type, wherein the one or more actions comprise a second request to provide a copy of the one or more pieces of personal data associated with the data subject to the data subject; and
  
  a third request type, wherein the one or more actions comprise a third request to modify the one or more pieces of personal data associated with the data subject,wherein the one or more request parameters comprise the request type,wherein the first request type is associated with a first authentication type requiring a first number of identity validation methods,wherein the second request type is associated with a second authentication type requiring a second number of identity validation methods, andwherein the second number of identity validation methods is greater than the first number of identity validation methods;
  
  in response to receiving the data subject access request from the data subject, validating an identity of the data subject by;
  
  automatically detecting a type of authentication required to validate the identity of the data subject based at least in part on the one or more request parameters wherein the type of authentication required to validate the identity of the data subject is based on the request type;
  
  prompting the data subject to provide one or more pieces of information based at least in part on the type of authentication required;
  
  receiving, from the data subject, the one or more pieces of information;
  
  in response to receiving the one or more pieces of information, confirming the validity of the one or more pieces of information; and
  
  in response to confirming the validity of the one or more pieces of information, validating the identity of the data subject;
  
  in response to validating the identity of the data subject, processing the data subject access request by automatically identifying one or more pieces of personal data associated with the data subject, wherein the one or more pieces of personal data associated with the data subject are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the data subject, automatically taking the one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to the one or more pieces of personal data associated with the data subject.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented data processing method of claim 1, wherein the type of authentication required to validate the identity of the data subject is selected from the group consisting of:
    - one or more credit-based authentication techniques;
      
      one or more public information-based verification techniques; and
      
      one or more employee authentication system integration techniques.
  - 3. The computer-implemented data processing method of claim 2, wherein:
    - the type of authentication required to validate the identity of the data subject comprises the one or more public information-based verification techniques; and
      
      validating the identity of the data subject further comprises;
      
      accessing, via one or more computer networks, one or more third-party data aggregation systems;
      
      receiving, from the one or more third-party data aggregation systems, information associated with the data subject; and
      
      comparing the information associated with the data subject with the one or more pieces of information to validate the identity of the data subject.
  - 4. The computer-implemented data processing method of claim 3, wherein the receiving the one or more pieces of information comprises receiving the one or more pieces of information from the one or more request parameters.
  - 5. The computer-implemented data processing method of claim 2, wherein:
    - the one or more request parameters comprise an indication that the data subject is an employee of the particular organization;
      
      the type of authentication required to validate the identity of the data subject comprises the one or more employee authentication system integration techniques; and
      
      validating the identity of the data subject further comprises;
      
      prompting the data subject to login to an employee authentication system associated with the particular organization;
      
      receiving an indication that the data subject has logged into the employee authentication system using a set of credentials associated with the data subject in the employee authentication system; and
      
      validating the identity of the data subject.

6. A computer-implemented data processing method for responding to a data subject access request, the computer-implemented data processing method comprising:
- receiving a data subject access request from a requestor comprising one or more request parameters for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with the requestor that the particular organization has obtained on the requestor, wherein at least one of the one or more pieces of personal data associated with the requestor was not provided to the particular organization by the requestor;
  
  determining, based in part on the request type of the data subject access request, a number of identity validation methods required to validate an identity of the requestor;
  
  providing the required number of identity validation methods to the requestor, wherein each identity validation method of the required number of identity validation methods includes prompting the requestor to identify different information associated with the requestor for each identity validation method of the required number of identity validation methods,wherein the data subject access request has a request type selected from the group consisting of;
  
  a first request type, wherein the one or more actions comprise a first request to delete the one or more pieces of personal data associated with the requestor;
  
  a second request type, wherein the one or more actions comprise a second request to provide a copy of the one or more pieces of personal data associated with the requestor to the requestor; and
  
  a third request type, wherein the one or more actions comprise a third request to modify the one or more pieces of personal data associated with the requestor, wherein the one or more request parameters comprise the request type,wherein the first request type is associated with a first authentication type requiring a first number of identity validation methods,wherein the second request type is associated with a second authentication type requiring a second number of identity validation methods, andwherein the second number of identity validation methods is greater than the first number of identity validation methods;
  
  validating an identity of the requestor by prompting the requestor to identify information associated with the requestor;
  
  in response to validating the identity of the requestor, processing the data subject access request by automatically identifying one or more pieces of personal data associated with the requestor, wherein the one or more pieces of personal data associated with the requestor are stored in one or more data repositories associated with a particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the requestor, automatically taking one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to the one or more pieces of personal data associated with the requestor.
- View Dependent Claims (7, 8, 9)
- - 7. The computer-implemented data processing method of claim 6, wherein validating the identity of the requestor comprises:
    - accessing, via one or more computer networks, one or more third-party data aggregation systems; and
      
      confirming, based at least in part on information received via the one or more third-party data aggregation systems and the one or more request parameters, that the requestor is a data subject of the data subject access request.
  - 8. The computer-implemented data processing method of claim 7, wherein confirming that the requestor is the data subject of the data subject access request comprises:
    - generating, based at least in part on the information received via the one or more third-party data aggregation systems, at least one threshold identity confirmation question;
      
      prompting the requestor to provide a response to the at least one threshold identity confirmation question; and
      
      comparing the response to the information received via the one or more third-party data aggregation systems to validate the identity of the requestor as the data subject of the data subject access request.
  - 9. The computer-implemented data processing method of claim 6, wherein:
    - the requestor is a business and validating the identity of the requestor further comprises using one or more company verification techniques; and
      
      the one or more company verification techniques is selected from the group consisting of;
      
      validating a vendor contract;
      
      receiving a matching unique identifier provided by an organization receiving the data subject access request to the business;
      
      receiving a matching file in possession of both the business and the organization receiving the data subject access request; and
      
      receiving a document memorializing an association between the business and the organization receiving the data subject access request.

10. A computer system processing a data subject access request, the computer system comprising:
- one or more computer processors; and
  
  a computer memory embodied in one or more computer storage locations operatively coupled to the one or more computer processors that store particular computer code, wherein the computer system is configured to;
  
  receive a data subject access request from a data subject that is a request for a particular organization to perform one or more actions with regard to one or more pieces of personal data associated with the data subject that the particular organization has obtained on the data subject, wherein the data subject access request comprises one or more request parameters;
  
  wherein at least one of the one or more pieces of personal data associated with the data subject was not provided to the particular organization by the data subject,wherein the data subject access request has a request type selected from the group consisting of;
  
  a first request type, wherein the one or more actions comprise a first request to delete the one or more pieces of personal data associated with the data subject;
  
  a second request type, wherein the one or more actions comprise a second request to provide a copy of the one or more pieces of personal data associated with the data subject to the data subject; and
  
  a third request type, wherein the one or more actions comprise a third request to modify the one or more pieces of personal data associated with the data subject,wherein the one or more request parameters comprise the request type,wherein the first request type is associated with a first authentication level requiring a first threshold number of questions the data subject must answer correctly,wherein the second request type is associated with a second authentication level requiring a second threshold number of questions the data subject must answer correctly, andwherein the second threshold number of questions is greater than the first threshold number of questions;
  
  in response to receiving the data subject access request from the data subject, validate an identity of the data subject by;
  
  automatically detecting a level of authentication required to validate the identity of the data subject based at least in part on the one or more request parameters, wherein the level of authentication comprises a threshold number of questions the data subject must answer correctly and a threshold number of additional pieces of information the data subject must provide to validate the identity of the data subject, and wherein the level of authentication required to validate the identity of the data subject is based on the request type;
  
  prompting the data subject to provide one or more responses to the threshold number of questions and the threshold number of additional pieces of information;
  
  receiving, from the data subject, the threshold number of additional pieces of information and the one or more responses to the threshold number of questions;
  
  in response to receiving the threshold number of additional pieces of information and the one or more responses to the threshold number of questions, confirming an accuracy of the threshold number of additional pieces of information and the one or more responses to the threshold number of questions; and
  
  in response to confirming an accuracy of the threshold number of additional pieces of information and the one or more responses to the threshold number of questions, validating the identity of the data subject;
  
  in response to validating the identity of the data subject, process the data subject access request by automatically identifying one or more pieces of personal data associated with the data subject, wherein the one or more pieces of personal data associated with the data subject are stored in one or more data repositories associated with the particular organization; and
  
  in response to automatically identifying the one or more pieces of personal data associated with the data subject, automatically take the one or more actions based at least in part on the data subject access request, wherein the one or more actions include one or more actions related to the one or more pieces of personal data associated with the data subject.
- View Dependent Claims (11)
- - 11. The computer system of claim 10, wherein confirming the accuracy of the threshold number of additional pieces of information and the one or more responses to the threshold number of questions comprises:
    - accessing, via one or more computer networks, one or more third-party data aggregation systems;
      
      receiving, from the one or more third-party data aggregation systems, one or more correct answers to each question of the threshold number of questions the data subject must answer correctly;
      
      determining whether the one or more responses to the threshold number of questions comprise at least a threshold number of the one or more correct answers to each question of the threshold number of questions; and
      
      at least partially in response to determining that the one or more responses to the threshold number of questions comprise at least the threshold number of the one or more correct answers to each question of the threshold number of questions, validating the identity of the data subject.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Sabourin, Jason L., Brannon, Jonathan Blake, Karanjkar, Mihir S., Jones, Kevin
Primary Examiner(s)
Chen, Qing

Application Number

US16/791,075
Publication Number

US 20200183654A1
Time in Patent Office

144 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 21/31   User authentication

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2103   Challenge-response

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 8/20   Software design

H04L 63/102   Entity profiles

Data processing systems for identity validation of data subject access requests and related methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

825 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems for identity validation of data subject access requests and related methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

825 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links