Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software
First Claim
1. A data processing computer system for automatically analyzing computer code to determine whether computer software associated with the computer code collects personal data, the system comprising:
at least one computer processor; and
computer memory storing computer-executable instructions for:
analyzing, by the at least one computer processor, at least one segment of the computer code to determine whether the at least one segment of computer code comprises instructions for collecting one or more pieces of personal data, wherein determining whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data;
in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of:
(1) where the system stores the one or more pieces of the personal data, (2) how long the system stores the one or more pieces of personal data, (3) whether the one or more pieces of personal data will include the personal data of minors, and (4) whether the at least one segment of computer code comprises instructions for facilitating the transfer of the one or more pieces of personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;
receiving the particular information from the user; and
at least partially in response to receiving the particular information from the user:
(A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and
(B) populating, by the at least one computer processor, at least a portion of a privacy-related data map using the particular information, wherein the privacy-related data map identifies one or more electronic associations between two or more data assets within a data model comprising a respective digital inventory for each of the two or more data assets, each of the respective digital inventories comprising one or more respective inventory attributes selected from a group consisting of:
(i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with each of the respective data assets, and (iii) respective identifiers of the one or more pieces of personal data associated with each of the respective data assets.
Abstract
Data processing systems and methods according to various embodiments are adapted for automatically detecting and documenting privacy-related aspects of computer software. Particular embodiments are adapted for: (1) automatically scanning source code to determine whether the source code includes instructions for collecting personal data; and (2) facilitating the documentation of the portions of the code that collect the personal data. For example, the system may automatically prompt a user for comments regarding the code. The comments may be used, for example, to populate: (A) a privacy impact assessment; (B) system documentation; and/or (C) a privacy-related data map. The system may comprise, for example, a privacy comment plugin for use in conjunction with a code repository.
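The comment-based detection step, the four author prompts and the data-map population recited in the claims could be wired together as follows. This is an added example, not code from the patent or its assignee; the term list, function names, asset name and data-map layout are assumptions made for illustration.

```python
import io
import re
import tokenize

# Assumed term list, constructed for this example (the page names no specific terms).
PERSONAL_DATA_TERMS = {
    "email": re.compile(r"\be-?mail\b", re.I),
    "date_of_birth": re.compile(r"\b(dob|date of birth|birth ?date)\b", re.I),
    "ip_address": re.compile(r"\bip address\b", re.I),
}

# The four items the claims say the code author is prompted for.
PROMPTS = {
    "storage_location": "Where is this personal data stored?",
    "retention": "How long is it stored?",
    "includes_minors": "Will it include personal data of minors?",
    "cross_border": "Does this code transfer the data across geographic borders?",
}

def find_personal_data_comments(source):
    """Return [(line, comment, [data types])] for comments that mention personal data."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue  # a '#' inside a string literal is a STRING token, so it is skipped
        kinds = sorted(k for k, rx in PERSONAL_DATA_TERMS.items() if rx.search(tok.string))
        if kinds:
            hits.append((tok.start[0], tok.string.lstrip("# ").strip(), kinds))
    return hits

def populate_data_map(data_map, asset, hits, answers):
    """Merge the author's answers into the inventory kept for one data asset."""
    missing = sorted(set(PROMPTS) - set(answers))
    if missing:
        raise ValueError(f"unanswered prompts: {missing}")
    inv = data_map.setdefault(
        asset, {"processing_activities": [], "transfer_data": {}, "personal_data": set()})
    for line, comment, kinds in hits:
        inv["processing_activities"].append({"line": line, "note": comment})
        inv["personal_data"].update(kinds)
    inv["transfer_data"] = {k: answers[k] for k in ("storage_location", "retention", "cross_border")}
    inv["includes_minors"] = answers["includes_minors"]
    return data_map

# Constructed sample input: one string literal containing '#', one real privacy-relevant comment.
SAMPLE = '''\
def signup(form):
    banner = "# enter your email"   # UI text
    # Collect email and date of birth for the account record
    return save(form["email"], form["dob"])
'''
```

Using the tokenizer rather than a regular expression over raw lines keeps string literals that merely contain `#` from being treated as comments, which would otherwise produce false prompts.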
681 Citations
25 Claims
9. A computer-implemented data processing method for automatically analyzing computer code to determine whether computer software associated with the computer code collects personal data, the method comprising:
analyzing, by at least one computer processor, at least one segment of the computer code associated with the computer software to determine whether the at least one segment of the computer code comprises instructions for collecting one or more pieces of the personal data, wherein determining whether the at least one segment of the computer code comprises instructions for collecting the one or more pieces of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of the computer code comprises instructions for collecting the one or more pieces of the personal data;
in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of the personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of:
(1) where system stores the one or more pieces of personal data, (2) how long the system stores the one or more pieces of personal data, (3) whether the one or more pieces of personal data will include the personal data of minors, and (4) whether the at least one segment of computer code comprises instructions for facilitating the transfer of the one or more pieces of personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;
receiving, by the at least one computer processor, the particular information from the user, and saving the particular information in a memory; and
in response to receiving the particular information from the user:
(A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and
(B) populating, by the at least one computer processor, at least a portion of a privacy-related data map using the particular information, wherein the privacy-related data map identifies one or more electronic associations between at least two data assets within a data model comprising a respective digital inventory for each of the at least two data assets, each respective digital inventory comprising one or more respective inventory attributes selected from a group consisting of:
(i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with the each of the respective data assets, and (iii) respective identifiers of the one or more pieces of the personal data associated with the each of the respective data assets.
18. A non-transitory computer-readable medium storing computer-executable instructions for:
analyzing, by at least one computer processor, at least one segment of computer code associated with particular computer software to determine whether the at least one segment of the computer code comprises instructions for collecting a particular type of personal data, wherein determining whether the at least one segment of the computer code comprises instructions for collecting a particular type of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data;
in response to determining that the at least one segment of the computer code comprises instructions for collecting the particular type of the personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of:
(1) where a system stores the one or more pieces of the personal data;
(2) how long the system stores the one or more pieces of the personal data;
(3) whether the one or more pieces of the personal data will include personal data of minors; and
(4) whether the at least one segment of the computer code comprises instructions for facilitating a transfer of the one or more pieces of the personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;
receiving, by the at least one computer processor, the particular information from the user; and
at least partially in response to receiving the particular information from the user:
(A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and
(B) populating, by the at least one computer processor, at least a portion of a privacy related data map using the one or more types of information, wherein the privacy-related data map identifies one or more electronic associations between two or more data assets within a data model comprising a respective digital inventory for each of the two or more data assets, each of the respective digital inventory comprising one or more respective inventory attributes selected from a group consisting of:
(i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with each of the respective data assets, and (iii) respective identifiers of the one or more pieces of the personal data associated with each of the respective data assets.
Specification