Data processing systems for identifying and modifying processes that are subject to data subject access requests

US 10,346,638 B2
Filed: 08/06/2018
Issued: 07/09/2019
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A personal data processing and analysis system comprising;

one or more processors;

one or more data assets that store a plurality of personal data associated with a plurality of data subjects, each piece of the plurality of personal data being associated with a respective particular processing activity of a plurality of processing activities undertaken by an organization; and

computer memory, wherein;

the computer memory stores one or more data models defining one or more data transfers among the one or more data assets; and

the personal data processing and analysis system is configured for;

receiving a first data subject request associated with a first data subject from a remote computing device, the first data subject request comprising a request to delete one or more first pieces of personal data from the personal data processing and deletion system, the one or more first pieces of personal data being associated with the first data subject;

in response to receiving the first data subject request, identifying, based at least in part on the one or more data models and the plurality of processing activities undertaken by the organization, a respective storage location of each of the one or more first pieces of personal data on the one or more data assets;

in response to identifying the storage location of each of the one or more pieces of personal data, automatically facilitating the deletion of each of the one or more first pieces of personal data from each respective storage location;

receiving a plurality of additional data subject requests;

analyzing each of the plurality of additional data subject requests to identify a respective associated processing activity of the plurality of processing activities;

identifying a particular processing activity of the plurality of processing activities that is associated with at least a particular number of the plurality of additional data subject requests; and

in response to identifying the particular processing activity, automatically taking one or more actions related to the particular processing activity, wherein;

analyzing each of the plurality of additional data subject requests to identify the respective associated processing activity of the plurality of processing activities comprises using one or more data mapping techniques to identify each respective associated processing activity; and

using the one or more data mapping techniques to identify each respective associated processing activity comprises;

accessing each of one or more data models; and

scanning each of the one or more data models using respective personal data associated with each of the plurality of data subject requests to identify an associated respective associated processing activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, in response a data subject submitting a request to delete their personal data from an organization'"'"'s systems, the system may: (1) automatically determine where the data subject'"'"'s personal data is stored; (2) in response to determining the location of the data (which may be on multiple computing systems), automatically facilitate the deletion of the data subject'"'"'s personal data from the various systems; and (3) determine a cause of the request to identify one or more processing activities or other sources that result in a high number of such requests.

516 Citations

14 Claims

1. A personal data processing and analysis system comprising;
- one or more processors;
  
  one or more data assets that store a plurality of personal data associated with a plurality of data subjects, each piece of the plurality of personal data being associated with a respective particular processing activity of a plurality of processing activities undertaken by an organization; and
  
  computer memory, wherein;
  
  the computer memory stores one or more data models defining one or more data transfers among the one or more data assets; and
  
  the personal data processing and analysis system is configured for;
  
  receiving a first data subject request associated with a first data subject from a remote computing device, the first data subject request comprising a request to delete one or more first pieces of personal data from the personal data processing and deletion system, the one or more first pieces of personal data being associated with the first data subject;
  
  in response to receiving the first data subject request, identifying, based at least in part on the one or more data models and the plurality of processing activities undertaken by the organization, a respective storage location of each of the one or more first pieces of personal data on the one or more data assets;
  
  in response to identifying the storage location of each of the one or more pieces of personal data, automatically facilitating the deletion of each of the one or more first pieces of personal data from each respective storage location;
  
  receiving a plurality of additional data subject requests;
  
  analyzing each of the plurality of additional data subject requests to identify a respective associated processing activity of the plurality of processing activities;
  
  identifying a particular processing activity of the plurality of processing activities that is associated with at least a particular number of the plurality of additional data subject requests; and
  
  in response to identifying the particular processing activity, automatically taking one or more actions related to the particular processing activity, wherein;
  
  analyzing each of the plurality of additional data subject requests to identify the respective associated processing activity of the plurality of processing activities comprises using one or more data mapping techniques to identify each respective associated processing activity; and
  
  using the one or more data mapping techniques to identify each respective associated processing activity comprises;
  
  accessing each of one or more data models; and
  
  scanning each of the one or more data models using respective personal data associated with each of the plurality of data subject requests to identify an associated respective associated processing activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The personal data processing and analysis system of claim 1, wherein automatically taking one or more actions related to the particular processing activity comprises automatically modifying the particular processing activity to change at least one type of personal data collected as part of the particular processing activity.
  - 3. The personal data processing and analysis system of claim 1, wherein automatically taking one or more actions related to the particular processing activity comprises automatically generating an alert indicating the particular processing activity and data associated with the plurality of additional data subject requests.
  - 4. The personal data processing and analysis system of claim 3, wherein the data associated with the plurality of additional data subject requests comprises a source of each of the plurality of additional data subject requests.
  - 5. The personal data processing and analysis system of claim 1, wherein automatically taking one or more actions related to the particular processing activity comprises:
    - identifying at least one data subject for whom the system has collected one or more pieces of personal data as part of the particular processing activity; and
      
      prompting the at least one data subject to re-provide consent under the particular processing activity.
  - 6. The personal data processing and analysis system of claim 1, wherein identifying the particular processing activity of the plurality of processing activities that is associated with at least a particular number of the plurality of additional data subject requests comprises determining that at least a particular percentage of the plurality of data subjects for whom the system processed data as part of the particular processing activity has submitted one of the plurality of data subject requests.
  - 7. The personal data processing and analysis system of claim 1, wherein analyzing each of the plurality of additional data subject requests to identify the respective associated processing activity of the plurality of processing activities further comprises generating and maintaining a log of each respective associated processing activity.

8. A computer-implemented data processing method for processing a request to delete personal data associated with a data subject from one or more computer systems of an organization and identifying one or more patterns of related requests, the method comprising:
- receiving, by one or more computer processors, a request from a data subject to delete the personal data associated with the data subject from one or more computer systems of an organization; and
  
  at least partially in response to receiving the request;
  
  processing the request by one or more computer processors;
  
  automatically identifying, by one or more computer processors, one or more computing devices on the one or more computer systems on which the personal data associated with the data subject is stored;
  
  in response to determining, by one or more computer processors, the one or more computing devices storing the personal data associated with the data subject, automatically facilitating the deletion of the personal data associated with the data subject from the one or more computing devices;
  
  identifying at least one request factor associated with the request;
  
  receiving a plurality of additional requests from a plurality of data subjects to delete the personal data associated with each respective data subject of the plurality of data subjects from the one or more computer systems;
  
  determining at least one related cause of the request and the plurality of additional requests based at least in part on the at least one request factor; and
  
  in response to determining that at least one related cause, automatically taking at least one action based at least in part on the determined at least one related cause, wherein;
  
  the at least one request factor comprises at least one source of the request; and
  
  the method further comprises;
  
  identifying at least one respective request factor associated with each of the plurality of additional requests; and
  
  determining the at least one related cause of the request and the plurality of additional requests based at least in part on the at least one request factor and the at least one respective request factor associated with each of the plurality of additional requests.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented data processing method of claim 8, wherein:
    - the at least one cause comprises a particular processing activity; and
      
      automatically taking at least one action based at least in part on the determined at least one related cause comprises automatically modifying the particular processing activity to change at least one type of personal data collected as part of the particular processing activity.
  - 10. The computer-implemented data processing method of claim 8, wherein automatically taking at least one action based at least in part on the determined at least one related cause comprises automatically generating an alert indicating the at least one cause and the at least one request factor.
  - 11. The computer-implemented data processing method of claim 8, wherein the at least one source is selected from a group consisting of:
    - a particular webform;
      
      a particular website; and
      
      a particular mobile application.
  - 12. The computer-implemented data processing method of claim 8, wherein identifying the at least one respective request factor associated with each of the plurality of additional requests comprises identifying a particular processing activity of a plurality of processing activities undertaken by the organization that is associated with each of the plurality of additional requests.
  - 13. The computer-implemented data processing method of claim 12, the method further comprising:
    - identifying at least one data subject associated with the particular processing activity that has not submitted one of the plurality of data subject requests; and
      
      in response to identifying the at least one data subject, prompting the at least one data subject to provide consent for storage of personal data associated with the at least one data subject as part of the particular processing activity.
  - 14. The computer-implemented data processing method of claim 12, the method further comprising:
    - determining whether the organization has recently modified the particular processing activity; and
      
      in response to determining that the organization has recently modified the particular processing activity, automatically modifying the particular processing activity to change a type of personal data collected as part of the particular processing activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Sabourin, Jason L., Brannon, Jonathan Blake, Karanjkar, Mihir S., Jones, Kevin
Primary Examiner(s)
Tabor, Amare F

Application Number

US16/055,998
Publication Number

US 20180373891A1
Time in Patent Office

337 Days
Field of Search

726 28, 711101
US Class Current
CPC Class Codes

G06F 11/3409   for performance assessment

G06F 11/3476   Data logging G06F11/14, G06...

G06F 15/76   Architectures of general pu...

G06F 21/552   involving long-term monitor...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2139   Recurrent verification

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/102   Entity profiles

Data processing systems for identifying and modifying processes that are subject to data subject access requests

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

516 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Data processing systems for identifying and modifying processes that are subject to data subject access requests

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

516 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others