Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software

US 10,642,870 B2
Filed: 09/09/2019
Issued: 05/05/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A data processing computer system for automatically analyzing computer code to determine whether computer software associated with the computer code collects personal data, the system comprising:

at least one computer processor; and

computer memory storing computer-executable instructions for;

analyzing, by the at least one computer processor, at least one segment of the computer code to determine whether the at least one segment of computer code comprises instructions for collecting one or more pieces of personal data, wherein determining whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data;

in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of;

(1) where the system stores the one or more pieces of the personal data, (2) how long the system stores the one or more pieces of personal data, (3) whether the one or more pieces of personal data will include the personal data of minors, and (4) whether the at least one segment of computer code comprises instructions for facilitating the transfer of the one or more pieces of personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;

receiving the particular information from the user; and

at least partially in response to receiving the particular information from the user;

(A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and

(B) populating, by the at least one computer processor, at least a portion of a privacy-related data map using the particular information, wherein the privacy-related data map identifies one or more electronic associations between two or more data assets within a data model comprising a respective digital inventory for each of the two or more data assets, each of the respective digital inventories comprising one or more respective inventory attributes selected from a group consisting of;

(i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with each of the respective data assets, and (iii) respective identifiers of the one or more pieces of personal data associated with each of the respective data assets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing systems and methods according to various embodiments are adapted for automatically detecting and documenting privacy-related aspects of computer software. Particular embodiments are adapted for: (1) automatically scanning source code to determine whether the source code include instructions for collecting personal data; and (2) facilitating the documentation of the portions of the code that collect the personal data. For example, the system may automatically prompt a user for comments regarding the code. The comments may be used, for example, to populate: (A) a privacy impact assessment; (B) system documentation; and/or (C) a privacy-related data map. The system may comprise, for example, a privacy comment plugin for use in conjunction with a code repository.

681 Citations

25 Claims

1. A data processing computer system for automatically analyzing computer code to determine whether computer software associated with the computer code collects personal data, the system comprising:
- at least one computer processor; and
  
  computer memory storing computer-executable instructions for;
  
  analyzing, by the at least one computer processor, at least one segment of the computer code to determine whether the at least one segment of computer code comprises instructions for collecting one or more pieces of personal data, wherein determining whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data;
  
  in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of;
  
  (1) where the system stores the one or more pieces of the personal data, (2) how long the system stores the one or more pieces of personal data, (3) whether the one or more pieces of personal data will include the personal data of minors, and (4) whether the at least one segment of computer code comprises instructions for facilitating the transfer of the one or more pieces of personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;
  
  receiving the particular information from the user; and
  
  at least partially in response to receiving the particular information from the user;
  
  (A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and
  
  (B) populating, by the at least one computer processor, at least a portion of a privacy-related data map using the particular information, wherein the privacy-related data map identifies one or more electronic associations between two or more data assets within a data model comprising a respective digital inventory for each of the two or more data assets, each of the respective digital inventories comprising one or more respective inventory attributes selected from a group consisting of;
  
  (i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with each of the respective data assets, and (iii) respective identifiers of the one or more pieces of personal data associated with each of the respective data assets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11)
- - 2. The data processing computer system of claim 1, wherein the computer memory stores computer-executable instructions for:
    - automatically, by the at least one computer processor, analyzing the at least one segment of the computer code to determine what particular type of personal data the at least one segment of computer code collects; and
      
      automatically, by the at least one computer processor, prompting a user to input specific information as to why the at least one segment of computer code comprises instructions for collecting the particular type of personal data.
  - 3. The data processing computer system of claim 2, wherein the computer memory stores computer-executable instructions for:
    - at least partially in response to receiving the specific information from the user, using the particular information to automatically write at least a portion of the specific information to an electronic record that is used to document the functionality of the code.
  - 4. The data processing computer system of claim 2, wherein the computer memory stores computer-executable instructions for at least partially in response to receiving the specific information from the user, using the specific information to populate at least a portion of a privacy-related data map.
  - 5. The data processing computer system of claim 1, wherein the step of analyzing the at least one segment of computer code occurs at least substantially in real time as the author is writing the at least one segment of computer code.
  - 6. The data processing computer system of claim 1, wherein the step of prompting a user to input particular information occurs at least substantially in real time as the author is writing the at least one segment of computer code.
  - 7. The data processing computer system of claim 1, wherein the computer memory stores computer-executable instructions for, in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input where the system stores the one or more pieces of the personal data.
  - 8. The data processing computer system of claim 1, wherein the computer memory stores computer-executable instructions for, in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input how long the system stores the one or more pieces of personal data.
  - 10. The computer-implemented data processing method of claim 1, wherein the step of analyzing the at least one segment of the computer code occurs at least substantially in real time as the author is writing the at least one segment of the computer code.
  - 11. The computer-implemented data processing method of claim 10, wherein the step of prompting a user to input particular information occurs at least substantially in real time as the author is writing the at least one segment of the computer code.

9. A computer-implemented data processing method for automatically analyzing computer code to determine whether computer software associated with the computer code collects personal data, the method comprising:
- analyzing, by at least one computer processor, at least one segment of the computer code associated with the computer software to determine whether the at least one segment of the computer code comprises instructions for collecting one or more pieces of the personal data, wherein determining whether the at least one segment of the computer code comprises instructions for collecting the one or more pieces of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of the computer code comprises instructions for collecting the one or more pieces of the personal data;
  
  in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of the personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of;
  
  (1) where system stores the one or more pieces of personal data, (2) how long the system stores the one or more pieces of personal data, (3) whether the one or more pieces of personal data will include the personal data of minors, and (4) whether the at least one segment of computer code comprises instructions for facilitating the transfer of the one or more pieces of personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;
  
  receiving, by the at least one computer processor, the particular information from the user, and saving the particular information in a memory; and
  
  in response to receiving the particular information from the user;
  
  (A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and
  
  (B) populating, by the at least one computer processor, at least a portion of a privacy-related data map using the particular information, wherein the privacy-related data map identifies one or more electronic associations between at least two data assets within a data model comprising a respective digital inventory for each of the at least two data assets, each respective digital inventory comprising one or more respective inventory attributes selected from a group consisting of;
  
  (i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with the each of the respective data assets, and (iii) respective identifiers of the one or more pieces of the personal data associated with the each of the respective data assets.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer-implemented data processing method of claim 9, wherein the step of prompting a user to input particular information is done by generating a graphical user interface that includes at least one prompt;
    - andreceiving the particular information from the user via the graphical user interface.
  - 13. The computer-implemented data processing method of claim 9, wherein the step of prompting a user to input particular information is done via a personal digital assistant.
  - 14. The computer-implemented data processing method of claim 9, wherein the computer-implemented method further comprises, at least partially in response to receiving the particular information from the user, automatically writing at least a portion of the particular information to a document that is used to document the functionality of the code.
  - 15. The computer-implemented data processing method of claim 9, wherein the method further comprises:
    - analyzing the at least one segment of computer code to determine whether the computer code comprises instructions for storing the one or more pieces of personal data in a particular location; and
      
      at least partially in response to determining that the computer code comprises instructions for storing the one or more pieces of personal data in a particular location, prompting the user to input at least one reason why the one or more pieces of personal data are being stored in the particular location.
  - 16. The computer-implemented data processing method of claim 9, further comprising, in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input where the system stores the one or more pieces of the personal data.
  - 17. The computer-implemented data processing method of claim 9, further comprising, in response to determining that the at least one segment of the computer code comprises instructions for collecting the one or more pieces of personal data, prompting, by the at least one computer processor, a user to input how long the system stores the one or more pieces of personal data.

18. A non-transitory computer-readable medium storing computer-executable instructions for:
- analyzing, by at least one computer processor, at least one segment of computer code associated with particular computer software to determine whether the at least one segment of the computer code comprises instructions for collecting a particular type of personal data, wherein determining whether the at least one segment of the computer code comprises instructions for collecting a particular type of the personal data comprises extracting one or more comments from a file containing the at least one segment of the computer code and using information from the one or more comments to determine whether the at least one segment of computer code comprises instructions for collecting the one or more pieces of the personal data;
  
  in response to determining that the at least one segment of the computer code comprises instructions for collecting the particular type of the personal data, prompting, by the at least one computer processor, a user to input particular information selected from a group consisting of;
  
  (1) where a system stores the one or more pieces of the personal data;
  
  (2) how long the system stores the one or more pieces of the personal data;
  
  (3) whether the one or more pieces of the personal data will include personal data of minors; and
  
  (4) whether the at least one segment of the computer code comprises instructions for facilitating a transfer of the one or more pieces of the personal data across geographic borders, wherein the user is an author of the at least one segment of computer code;
  
  receiving, by the at least one computer processor, the particular information from the user; and
  
  at least partially in response to receiving the particular information from the user;
  
  (A) using the particular information to at least partially answer one or more questions within one or more questionnaires that are used in conducting a privacy impact assessment for the computer software associated with the computer code; and
  
  (B) populating, by the at least one computer processor, at least a portion of a privacy related data map using the one or more types of information, wherein the privacy-related data map identifies one or more electronic associations between two or more data assets within a data model comprising a respective digital inventory for each of the two or more data assets, each of the respective digital inventory comprising one or more respective inventory attributes selected from a group consisting of;
  
  (i) one or more processing activities associated with each of the respective data assets, (ii) transfer data associated with each of the respective data assets, and (iii) respective identifiers of the one or more pieces of the personal data associated with each of the respective data assets.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The non-transitory computer-readable medium of claim 18, wherein the non-transitory computer-readable medium stores computer-executable instructions for, in response to determining that the at least one segment of the computer code comprises instructions for collecting the particular type of personal data, automatically, by the at least one computer processor, prompting a user to input specific information as to how the particular type of personal data is used by the software.
  - 20. The non-transitory computer-readable medium of claim 19, wherein the step of analyzing the at least one segment of computer code occurs at least substantially in real time as an author of the at least one segment of computer code is writing the at least one segment of the computer code.
  - 21. The non-transitory computer-readable medium of claim 20, wherein the step of prompting a user to input specific information occurs at least substantially in real time as the author is writing the at least one segment of the computer code.
  - 22. The non-transitory computer-readable medium of claim 18, wherein the non-transitory computer-readable medium stores computer-executable instructions for, at least partially in response to receiving the particular information from the user, using the particular information to populate at least one question within a questionnaire of a privacy impact assessment.
  - 23. The non-transitory computer-readable medium of claim 18, wherein:
    - the non-transitory computer-readable medium stores computer-executable instructions for, at least partially in response to receiving the particular information from the user, automatically writing at least a portion of the particular information to the electronic document.
  - 24. The non-transitory computer-readable medium of claim 18, wherein the non-transitory computer-readable medium stores computer-executable instructions for:
    - analyzing the at least one segment of the computer code to determine whether the computer code comprises instructions for storing the one or more pieces of personal data in a particular location; and
      
      at least partially in response to determining that the computer code comprises instructions for storing the one or more pieces of personal data in a particular location, prompting the user to input at least one reason why the one or more pieces of personal data are being stored in the particular location.
  - 25. The non-transitory computer-readable medium of claim 18, wherein the computer-executable instructions comprise computer-executable instructions associated with a plugin for use in a particular source code repository, which is adapted to store source code and to manage version control for source code stored within the repository.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Malhotra, Priya, Barday, Kabir A., Karanjkar, Mihir S., Finch, Steven W., Browne, Ken A., Heard, Nathan W., Patel, Aakash H., Sabourin, Jason L., Daniel, Richard L., Patton-Kuhl, Dylan D., Brannon, Jonathan Blake
Primary Examiner(s)
Deng, Anna C

Application Number

US16/565,261
Publication Number

US 20200004762A1
Time in Patent Office

239 Days
Field of Search

717101
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 16/254   Extract, transform and load...

G06F 16/288   Entity relationship models

G06F 21/552   involving long-term monitor...

G06F 21/6245   Protecting personal data, e...

G06F 40/169   Annotation, e.g. comment da...

G06F 40/186   Templates

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

G06Q 30/018   Certifying business or prod...

G06Q 50/265   Personal security, identity...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04W 12/02   Protecting privacy or anony...

Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

681 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

681 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links