Automated data processing systems and methods for automatically processing requests for privacy-related information

US 10,708,305 B2
Filed: 09/09/2019
Issued: 07/07/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for processing data subject access requests, the method comprising:

receiving, by at least one computer processor, a data subject access request that requests data regarding a data subject, the data subject access request comprising a request to execute at least one action selected from a group consisting of;

(a) deleting personal data of the data subject;

(b) modifying personal data of the data subject; and

(c) providing personal data of the data subject;

at least partially in response to receiving the data subject access request, determining, by at least one computer processor, the data subject based on the data subject access request;

at least partially in response to receiving the data subject access request, generating, by at least one computer processor, a unique session ID based on the data subject;

associating, by at least one computer processor in a computer memory, the unique session ID with the data subject;

at least partially in response to receiving the data subject access request, determining, by at least one computer processor, whether the data subject access request was initiated by an automated source;

in response to determining that the data subject access request was initiated by an automated source, automatically taking at least one action, by at least one computer processor, to have the data subject access request reinitiated by a human source, wherein the at least one action comprises, at least partially in response to receiving the data subject access request;

(i) generating a unique, temporary uniform resource locator (URL) based on the unique session ID; and

(ii) at least temporarily providing access to an electronic form for completing a second data subject access request at the unique URL; and

at least partially in response to determining that the data subject access request was initiated by a human, automatically facilitating the fulfillment of the data subject access request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system, according to various embodiments, may receive a data subject access request that includes a request to delete personal data of a particular data subject, modify personal data of the data subject, and/or provide personal data of the data subject. At least partially in response to receiving the data subject access request, the system may determine whether the data subject access request was initiated by an automated source. At least partially in response to determining that the data subject access request was initiated by an automated source, the system may automatically take at least one action to have the data subject access request reinitiated by a human source. At least partially in response to determining that the data subject access request was initiated by a human, the system may automatically facilitate the fulfillment of the data subject access request.

Citations

27 Claims

1. A computer-implemented data processing method for processing data subject access requests, the method comprising:
- receiving, by at least one computer processor, a data subject access request that requests data regarding a data subject, the data subject access request comprising a request to execute at least one action selected from a group consisting of;
  
  (a) deleting personal data of the data subject;
  
  (b) modifying personal data of the data subject; and
  
  (c) providing personal data of the data subject;
  
  at least partially in response to receiving the data subject access request, determining, by at least one computer processor, the data subject based on the data subject access request;
  
  at least partially in response to receiving the data subject access request, generating, by at least one computer processor, a unique session ID based on the data subject;
  
  associating, by at least one computer processor in a computer memory, the unique session ID with the data subject;
  
  at least partially in response to receiving the data subject access request, determining, by at least one computer processor, whether the data subject access request was initiated by an automated source;
  
  in response to determining that the data subject access request was initiated by an automated source, automatically taking at least one action, by at least one computer processor, to have the data subject access request reinitiated by a human source, wherein the at least one action comprises, at least partially in response to receiving the data subject access request;
  
  (i) generating a unique, temporary uniform resource locator (URL) based on the unique session ID; and
  
  (ii) at least temporarily providing access to an electronic form for completing a second data subject access request at the unique URL; and
  
  at least partially in response to determining that the data subject access request was initiated by a human, automatically facilitating the fulfillment of the data subject access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented data processing method of claim 1, wherein generating the unique session ID based on the data subject comprises generating the unique session ID based on the data subject using JavaScript.
  - 3. The computer-implemented data processing method of claim 1, wherein:
    - determining that the data subject access request was initiated by an automated source comprises determining that that the data subject access request was submitted from a source that has been previously identified as an automated source of data subject access requests.
  - 4. The computer-implemented data processing method of claim 3, wherein automatically taking at least one action, by at least one computer processor, to have the data subject access request reinitiated by a human source comprises taking at least one defensive action to block a successful submission of the data subject access request by the automated source.
  - 5. The computer-implemented data processing method of claim 4, wherein the at least one defensive action comprises utilizing one or more HTML tagging techniques to at least partially prevent a bot tool from automatically matching a form for use in submitting one or more data subject access requests to a known form that the bot can complete.
  - 6. The computer-implemented data processing method of claim 4, wherein the at least one defensive action comprises dynamically modifying a format of a form for use in submitting one or more data subject access requests.
  - 7. The computer-implemented data processing method of claim 1, wherein:
    - determining that the data subject access request was initiated by an automated source comprises determining that that the data subject access request was submitted from a source that has submitted more than a predetermined number of data subject access requests to a particular data subject access processing system in the past.
  - 8. The computer-implemented data processing method of claim 1, wherein:
    - determining that the data subject access request was initiated by an automated source comprises determining that that the source submitted multiple data subject access requests at about the same time as the data subject access request was submitted.
  - 9. The computer-implemented data processing method of claim 1, wherein automatically taking at least one action, by at least one computer processor, to have the data subject access request reinitiated by a human source comprises automatically taking at least one defensive action to block a successful submission of the data subject access request by the automated source.
  - 10. The computer-implemented data processing method of claim 9, wherein automatically taking the at least one defensive action comprises, at least partially in response to receiving the data subject access request:
    - (1) setting a session cookie on the browser of a client computer that is attempting to submit the data subject access request;
      
      (2) using the session cookie to determine whether the data subject access request is being submitted from a domain associated with a third-party DSAR data subject access request aggregator; and
      
      (3) in response to determining that the data subject access request is being submitted from a domain associated with a third-party DSAR data subject access request aggregator, rejecting the data subject access request.
  - 11. The computer-implemented data processing method of claim 9, wherein automatically taking the at least one defensive action comprises dynamically modifying a format of a form for use in submitting one or more data subject access requests.
  - 12. The computer-implemented data processing method of claim 9, wherein automatically taking at least one defensive action comprises utilizing one or more HTML tagging techniques to at least partially prevent the automated source from automatically matching a form for use in submitting one or more data subject access requests to a known form that the automated source can complete.

13. A non-transitory computer-readable medium storing computer-executable instructions for:
- receiving a data subject access request that requests data regarding a particular data subject, the data subject access request comprising a request to execute at least one action selected from a group consisting of;
  
  (a) deleting personal data of the data subject;
  
  (b) modifying personal data of the data subject; and
  
  (c) providing information regarding the use, by a particular entity, of the data subject'"'"'s personal data;
  
  at least partially in response to receiving the data subject access request, determining the data subject based on the data subject access request;
  
  at least partially in response to receiving the data subject access request, generating a unique session ID based on the data subject;
  
  associating, in a computer memory, the unique session ID with the data subject;
  
  at least partially in response to receiving the data subject access request, determining whether the data subject access request was initiated was initiated robotically;
  
  at least partially in response to determining that the data subject access request was initiated robotically;
  
  (i) preventing fulfillment of the robotically-generated data subject access request;
  
  (ii) generating a unique, temporary uniform resource locator (URL) based on the unique session ID; and
  
  (iii) at least temporarily providing access to an electronic form for completing a second data subject access request at the unique URL; and
  
  at least partially in response to determining that the data subject access request was initiated by a human, automatically facilitating the fulfillment of the data subject access request.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The non-transitory computer-readable medium of claim 13, wherein generating the unique session ID based on the data subject comprises generating the unique session ID based on the data subject using JavaScript.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the URL is unique to the data subject access request.
  - 16. The non-transitory computer-readable medium of claim 13, wherein determining that the data subject access request was generated robotically comprises:
    - analyzing data subject access submission activity from a particular source; and
      
      in response to determining that the data subject access submission activity is inconsistent with human data subject access submission activity, determining that the data subject access request was generated robotically.
  - 17. The non-transitory computer-readable medium of claim 16, wherein automatically taking at least one action, by at least one computer processor, to have the data subject access request reinitiated by a human source comprises taking at least one defensive action to block a successful submission of the data subject access request by the automated source.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the at least one defensive action comprises utilizing one or more HTML tagging techniques to at least partially prevent a bot tool from automatically matching a form for use in submitting one or more data subject access requests to a known form that the bot can complete.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the at least one defensive action comprises dynamically modifying a format of a form for use in submitting one or more data subject access requests.
  - 20. The non-transitory computer-readable medium of claim 13, wherein automatically taking at least one action, by at least one computer processor, to have the data subject access request reinitiated by a human source comprises automatically taking at least one defensive action to block a successful submission of the data subject access request by the automated source.
  - 21. The non-transitory computer-readable medium of claim 20, wherein automatically taking the at least one defensive action comprises dynamically modifying a format of a form for use in submitting one or more data subject access requests.
  - 22. The non-transitory computer-readable medium of claim 20, wherein automatically taking at least one defensive action comprises utilizing one or more HTML tagging techniques to at least partially prevent a bot tool from automatically matching a form for use in submitting one or more data subject access requests to a known form that the bot can complete.

23. A computer system for processing data subject access requests, the system comprising:
- at least one computer processor; and
  
  computer memory storing computer-executable instructions that, when executed by the at least one computer processor, are operable for;
  
  receiving, by the at least one computer processor, a data subject access request that requests data regarding a data subject, the data subject access request comprising a request to execute at least one action selected from a group consisting of;
  
  (a) deleting personal data of the data subject;
  
  (b) modifying personal data of the data subject; and
  
  (c) providing personal data of the data subject;
  
  at least partially in response to receiving the data subject access request, determining, by the at least one computer processor, the data subject based on the data subject access request;
  
  at least partially in response to receiving the data subject access request, generating, by the at least one computer processor, a unique session ID based on the data subject;
  
  associating, by the at least one computer processor in the computer memory, the unique session ID with the data subject;
  
  at least partially in response to receiving the data subject access request, determining, by the at least one processor, whether the data subject access request was submitted by an automated source;
  
  at least partially in response to determining that the data subject access request was submitted by an automated source, automatically taking at least one defensive action, by the at least one computer processor, to block a successful submission of the data subject access request by the automated source and to instead have the data subject access request resubmitted by a human source, wherein the at least one defensive action comprises;
  
  (i) preventing fulfillment of the data subject access request submitted by the automated source;
  
  (ii) generating a unique, temporary uniform resource locator (URL) based on the session ID; and
  
  at least temporarily providing access to an electronic form for completing a second data subject access request at the unique URL; and
  
  at least partially in response to determining that the data subject access request was submitted by a human, automatically facilitating, by the at least one computer processor, the fulfillment of the data subject access request.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The computer system of claim 23, wherein the at least one defensive action comprises utilizing one or more HTML tagging techniques to at least partially prevent an automated source from automatically matching a form for use in submitting one or more data subject access requests to a known form that the automated source can complete.
  - 25. The computer system of claim 23, wherein the at least one defensive action comprises dynamically modifying a format of a form for use in submitting one or more data subject access requests.
  - 26. The computer system of claim 23, wherein generating the unique session ID based on the data subject comprises generating the unique session ID based on the data subject using JavaScript.
  - 27. The computer system of claim 23, wherein the URL is unique to the data subject access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Brannon, Jonathan Blake, Jones, Kevin, Kveen, Bryan Patrick, Malhotra, Priya, Sabourin, Jason L.
Primary Examiner(s)
Patel, Haresh N

Application Number

US16/565,265
Publication Number

US 20200007579A1
Time in Patent Office

302 Days
Field of Search

726 28
US Class Current
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

H04L 2463/144   Detection or countermeasure...

H04L 63/102   Entity profiles

H04L 63/126   the source of the received ...

H04L 63/1491   using deception as counterm...

H04L 67/1097   for distributed storage of ...

Automated data processing systems and methods for automatically processing requests for privacy-related information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Automated data processing systems and methods for automatically processing requests for privacy-related information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links