Data processing systems for processing data subject access requests

US 10,509,920 B2
Filed: 02/15/2019
Issued: 12/17/2019
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A data subject access request processing system comprising:

one or more data subject access request management servers;

a plurality of local storage nodes, each of the plurality of local storage nodes being physically located in a distinct geographic location;

one or more processors; and

memory, wherein the one or more processors are configured for;

receiving, from a remote computing device, at the one or more data subject access request management servers, a data subject access request for a data subject, the request comprising one or more request parameters;

identifying, based at least in part on the data subject access request, a particular local storage node of the plurality of local storage nodes;

routing the data subject access request from the one or more data subject access request management servers to the particular local storage node;

processing the request at the particular local storage node by identifying one or more pieces of personal data associated with the data subject, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and

taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data;

wherein taking the one or more actions comprises executing one or more steps related to the one or more actions at the particular local storage node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, a data subject request processing system may be configured to utilize one or more local storage nodes in order to process a data subject access request on behalf of a data subject. In particular embodiments, the one or more local storage nodes may be local to the data subject making the request (e.g., in the same country as the data subject, in the same jurisdiction, in the same geographic area, etc.). The system may, for example, be configured to: (1) receive a data subject access request from a data subject (e.g., via a web form); (2) identify a suitable local storage node based at least in part on the request and/or the data subject; (3) route the data subject access request to the identified local storage node; and (4) process the data subject access request at the identified local storage node.

513 Citations

19 Claims

1. A data subject access request processing system comprising:
- one or more data subject access request management servers;
  
  a plurality of local storage nodes, each of the plurality of local storage nodes being physically located in a distinct geographic location;
  
  one or more processors; and
  
  memory, wherein the one or more processors are configured for;
  
  receiving, from a remote computing device, at the one or more data subject access request management servers, a data subject access request for a data subject, the request comprising one or more request parameters;
  
  identifying, based at least in part on the data subject access request, a particular local storage node of the plurality of local storage nodes;
  
  routing the data subject access request from the one or more data subject access request management servers to the particular local storage node;
  
  processing the request at the particular local storage node by identifying one or more pieces of personal data associated with the data subject, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and
  
  taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data;
  
  wherein taking the one or more actions comprises executing one or more steps related to the one or more actions at the particular local storage node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The data subject access request processing system of claim 1, wherein:
    - the one or more actions are selected from the group consisting of;
      
      deleting the one or more pieces of personal data from the one or more data repositories;
      
      modifying at least one of the one or more pieces of personal data and storing the modified at least one of the one or more pieces of personal data in the one or more data repositories; and
      
      generating a report comprising the one or more pieces of personal data and providing the report to the data subject.
  - 3. The data subject access request processing system of claim 2, wherein:
    - the one or more actions comprise generating the report; and
      
      the one or more processors are further configured for at least temporarily storing the one or more pieces of personal data at the particular local storage node.
  - 4. The data subject access request processing system of claim 2, wherein:
    - the one or more actions comprise generating the report; and
      
      the one or more processors are further configured for transmitting the one or more pieces of personal data to a data store associated with the particular organization.
  - 5. The data subject access request processing system of claim 1, wherein the metadata comprises an indication of fulfillment of the data subject access request.
  - 6. The data subject access request processing system of claim 1, wherein the one or more data retention rules are selected from the group consisting of:
    - (1) one or more rules relating to maintaining the one or more pieces of personal data in storage until the data is viewed by the data subject;
      
      (2) one or more rules relating to maintaining the one or more pieces of personal data for no more than a particular amount of time;
      
      (3) one or more rules based on the data subject; and
      
      (4) one or more legal or industry requirements related to storage of personal data.
  - 7. The data subject access request processing system of claim 1, wherein:
    - identifying, based at least in part on the data subject access request, the particular local storage node of the plurality of local storage nodes comprises;
      
      determining a location of the remote computing device based at least in part on an IP address of the remote computing device;
      
      identifying a particular defined geographic boundary that comprise the location; and
      
      identifying the particular local storage node of the plurality of local storage nodes by identifying at least one local storage node of the plurality local storage nodes that is physically located within the defined geographic boundary.
  - 8. The data subject access request processing system of claim 7, wherein the defined geographic boundary is selected from the group consisting of:
    - a particular jurisdiction; and
      
      a particular country.

9. A computer-implemented data processing method for processing a data subject within a data system in order to fulfill a data subject access request, the method comprising:
- receiving, by one or more processors, from a data subject, a data subject access request;
  
  identifying, based at least in part on the data subject access request, a particular local storage node of a plurality of local storage nodes;
  
  routing the data subject access request to the particular local storage node;
  
  processing the data subject access request at the local storage node by identifying the one or more pieces of personal data associated with the data subject,wherein identifying the one or more pieces of personal data associated with the data subject comprises scanning one or more data inventories stored within a data system for the one or more pieces of personal data;
  
  in response to identifying the one or more pieces of personal data, at least temporarily storing the one or more pieces of personal data at the local storage node; and
  
  executing one or more steps related to providing access, to the data subject, to the one or more pieces of data at the local storage node.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-implemented data processing method of claim 9, wherein providing access to the data subject comprises transmitting a link to data subject to the one or more pieces of personal data at the local storage node.
  - 11. The computer-implemented data processing method of claim 9, the method further comprising:
    - determining that the data subject has accessed the one or more pieces of personal data at the local storage node; and
      
      in response to determining that the data subject has accessed the one or more pieces of personal data at the local storage node, automatically archiving the one or more pieces of personal data and storing metadata indicating a time of the access by the data subject.
  - 12. The computer-implemented data processing method of claim 9, the method further comprising:
    - determining that a particular time period has expired without the data subject accessing the one or more pieces of personal data; and
      
      in response to determining that the particular time period has expired without the data subject accessing the one or more pieces of personal data, automatically archiving the one or more pieces of personal data and storing metadata indicating that the data subject did not access the one or more pieces of personal data prior to the expiration of the time period.

13. A computer-implemented data processing method for identifying one or more pieces of personal data associated with a data subject within a data system in order to fulfill a data subject access request, the method comprising:
- receiving, by one or more processors, from a data subject, a data subject access request;
  
  determining, by one or more processors, based on the data subject access request, a location of the request;
  
  routing, by one or more processors, the data subject access request to one or more local storage nodes based at least in part on the location of the request; and
  
  processing, by one or more processors at the one or more local storage nodes, the data subject access request by identifying the one or more pieces of personal data associated with the data subject, wherein;
  
  identifying the one or more pieces of personal data associated with the data subject comprises accessing one or more data models defining a location of one or more data inventories stored within the data system for the one or more pieces of personal data; and
  
  in response to identifying the one or more pieces of personal data, taking one or more actions selected from the group consisting of;
  
  deleting the one or more pieces of personal data from the data system;
  
  modifying at least one of the one or more pieces of personal data and storing the modified at least one of the one or more pieces of personal data in the data system; and
  
  generating a report comprising the one or more pieces of personal data and providing the report to the data subject,wherein taking the one or more actions comprises executing one or more steps related to the one or more actions at the one or more local storage nodes.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer-implemented data processing method of claim 13, wherein:
    - the one or more actions comprise generating the report comprising the one or more pieces of personal data and providing the report to the data subject; and
      
      generating the report comprising the one or more pieces of personal data comprises at least temporarily storing the one or more pieces of personal data at the one or more local storage nodes; and
      
      providing access, to the data subject, to the one or more pieces of data at the one or more local storage nodes.
  - 15. The computer-implemented data processing method of claim 14, wherein determining the location of the request comprises determining the location of the request based at least in part on an IP address of the request.
  - 16. The computer-implemented data processing method of claim 14, wherein the one or more actions further comprise deleting at least one instance of the one or more pieces of personal data from the data system.
  - 17. The computer-implemented data processing method of claim 13, wherein routing the data subject access request to the one or more local storage nodes based at least in part on the location of the request comprises:
    - identifying a physical location of the request;
      
      identifying the one or more local storage nodes by identifying one or more local storage modes that share the physical location; and
      
      routing the data subject access request to the one or more local storage nodes.
  - 18. The computer-implemented data processing method of claim 17, wherein routing the data subject access request to the one or more local storage nodes comprises routing the data subject access request to the one or more local storage nodes such that the data subject access request does not pass through any server that is located in any location other than the physical location.
  - 19. The computer-implemented data processing method of claim 18, wherein the physical location is defined by a location selected from the group consisting of:
    - a particular country;
      
      a particular jurisdiction; and
      
      a particular geographic area.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A., Brannon, Jonathan Blake, Sabourin, Jason L.
Primary Examiner(s)
Khatri, Anil

Application Number

US16/277,539
Publication Number

US 20190180050A1
Time in Patent Office

305 Days
Field of Search

717101-110
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 16/113   Details of archiving lifecy...

G06F 16/125   characterised by the use of...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

H04L 63/107   wherein the security polici...

H04L 67/1097   for distributed storage of ...

H04L 67/51   Discovery or management the...

H04L 67/52   specially adapted for the l...

H04L 67/53   using third party service p...

H04L 67/63   Routing a service request d...

Data processing systems for processing data subject access requests

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

513 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Data processing systems for processing data subject access requests

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

513 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others