Data processing systems and methods for implementing audit schedules for privacy campaigns

US 9,892,477 B2
Filed: 06/26/2017
Issued: 02/13/2018
Est. Priority Date: 04/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for determining a privacy audit schedule for a privacy campaign, the data processing method comprising:

displaying, by one or more computer processors, on a graphical user interface, a prompt to create an electronic record for the privacy campaign, wherein the privacy campaign utilizes personal data collected from at least one or more persons or one or more entities;

receiving, by one or more computer processors, a command to create an electronic record for the privacy campaign;

creating, by one or more computer processors, an electronic record for the privacy campaign and digitally storing the record;

presenting, by one or more computer processors, on one or more graphical user interfaces, a plurality of prompts for the input of campaign data related to the privacy campaign;

electronically receiving, by one or more computer processors, campaign data input by one or more users, wherein the campaign data comprises each of;

a description of the campaign;

an identification of one or more types of particular personal data obtained as part of the campaign;

at least one data subject from which the particular personal data was collected;

one or more storage locations where the personal data is to be stored; and

data indicating who will have access to the particular personal data;

processing, by one or more computer processors, the campaign data by electronically associating the campaign data with the record for the privacy campaign;

digitally storing, by one or more computer processors, the campaign data in association with the electronic record for the privacy campaign;

determining, by one or more computer processors, based at least in part on the received campaign data, a risk value associated with the privacy campaign, wherein determining the risk value comprises,electronically retrieving, from a data structure, the campaign data associated with the record for the privacy campaign,electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;

a nature of the particular personal data associated with the campaign;

a physical location of the particular personal data associated with the campaign;

a length of time that the particular personal data associated with the campaign will be retained in storage; and

a country of residence of at least one subject from which the particular personal data was collected;

electronically determining a relative risk rating for each of the plurality of risk factors;

electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and

electronically assigning, by one or more computer processors, a privacy audit schedule to the privacy campaign based on the determined risk value for the privacy campaign.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing systems and methods for retrieving data regarding a plurality of data privacy campaigns and for using that data to assess a relative risk associated with the data privacy campaign. In various embodiments, the system may be adapted to: (1) display one or more visual summaries of one or more data flow diagrams that visually depicts key features of the data flow, such as whether data is confidential and/or encrypted; (2) allow for multiple users to be assigned responsibility for populating different respective questions that are required to define the data flow; (3) automatically assess and display a relative risk associated with each campaign; and (4) automatically set, monitor, and facilitate the timely completion of an audit schedule for each campaign.

110 Citations

30 Claims

1. A computer-implemented data processing method for determining a privacy audit schedule for a privacy campaign, the data processing method comprising:
- displaying, by one or more computer processors, on a graphical user interface, a prompt to create an electronic record for the privacy campaign, wherein the privacy campaign utilizes personal data collected from at least one or more persons or one or more entities;
  
  receiving, by one or more computer processors, a command to create an electronic record for the privacy campaign;
  
  creating, by one or more computer processors, an electronic record for the privacy campaign and digitally storing the record;
  
  presenting, by one or more computer processors, on one or more graphical user interfaces, a plurality of prompts for the input of campaign data related to the privacy campaign;
  
  electronically receiving, by one or more computer processors, campaign data input by one or more users, wherein the campaign data comprises each of;
  
  a description of the campaign;
  
  an identification of one or more types of particular personal data obtained as part of the campaign;
  
  at least one data subject from which the particular personal data was collected;
  
  one or more storage locations where the personal data is to be stored; and
  
  data indicating who will have access to the particular personal data;
  
  processing, by one or more computer processors, the campaign data by electronically associating the campaign data with the record for the privacy campaign;
  
  digitally storing, by one or more computer processors, the campaign data in association with the electronic record for the privacy campaign;
  
  determining, by one or more computer processors, based at least in part on the received campaign data, a risk value associated with the privacy campaign, wherein determining the risk value comprises,electronically retrieving, from a data structure, the campaign data associated with the record for the privacy campaign,electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;
  
  a nature of the particular personal data associated with the campaign;
  
  a physical location of the particular personal data associated with the campaign;
  
  a length of time that the particular personal data associated with the campaign will be retained in storage; and
  
  a country of residence of at least one subject from which the particular personal data was collected;
  
  electronically determining a relative risk rating for each of the plurality of risk factors;
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and
  
  electronically assigning, by one or more computer processors, a privacy audit schedule to the privacy campaign based on the determined risk value for the privacy campaign.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 26)
- - 2. The computer-implemented data processing method of claim 1, wherein the risk value for the campaign is a numerical risk value for the campaign.
  - 3. The computer-implemented data processing method of claim 1, wherein the risk value for the campaign is a risk level for the campaign.
  - 4. The computer-implemented data processing method of claim 1, wherein the audit schedule is a default audit schedule that has been predetermined for the risk value associated with the campaign.
  - 5. The computer-implemented data processing method of claim 4, wherein the default audit schedule has been determined based on one or more privacy laws.
  - 6. The computer-implemented data processing method of claim 4, wherein the default audit schedule is modifiable by one or more users.
  - 7. The computer-implemented data processing method of claim 1, further comprising:
    - receiving, by one or more computer processors, a request to modify the audit schedule assigned to the campaign; and
      
      in response to receiving the request, determining, by one or more computer processors, whether the privacy audit schedule assigned to the privacy campaign is modifiable.
  - 8. The computer-implemented data processing method of claim 7, further comprising:
    - in response to determining that the audit schedule is modifiable, modifying, by one or more computer processors, the privacy audit schedule for the campaign.
  - 9. The computer-implemented data processing method of claim 8, further comprising:
    - in response to determining that the privacy audit schedule is not modifiable, electronically displaying an indication that the privacy audit schedule is not modifiable.
  - 10. The computer-implemented data processing method of claim 1, further comprising:
    - determining whether a privacy audit, to be performed according to the privacy audit schedule, is to be performed within a threshold period of time from a current time; and
      
      in response to determining that the privacy audit is to be performed within the threshold period of time from the current time, generating an electronic alert indicating that the privacy audit is to be performed within the threshold period of time from the current time.
  - 11. The computer-implemented data processing method of claim 1, further comprising:
    - receiving an electronic confirmation that a scheduled privacy audit, made according to the privacy audit schedule, has been completed; and
      
      in response to receiving the electronic confirmation, updating the audit schedule to reflect that the scheduled privacy audit has been completed.
  - 12. The computer-implemented data processing method of claim 11, wherein the electronic confirmation received is based upon an electronic verification generated if all portions of the scheduled privacy audit have been verified as completed by one or more users.
  - 13. The computer-implemented data processing method of claim 12, wherein the method further comprises:
    - receiving documentation related to the compliance of the privacy campaign;
      
      electronically associating the documentation received with the record for the campaign; and
      
      digitally storing the documentation in association with the record for the campaign in an electronic storage device.
  - 14. The computer-implemented data processing method of claim 1, wherein the method further comprises:
    - determining whether the scheduled privacy audit is overdue based on whether an electronic confirmation that a scheduled privacy audit, made according to the privacy audit schedule, has been completed; and
      
      in response to determining that the privacy audit is overdue, generating an electronic alert indicating that the privacy audit is overdue.
  - 15. The method of claim 1, wherein the method further comprises:
    - electronically retrieving the campaign record and the campaign data associated with the record; and
      
      generating, for display, a computer-generated user interface comprising an inventory page, wherein the inventory page comprises a list of a plurality of campaigns and audit information for one or more of the plurality of campaigns.
  - 16. The computer-implemented data processing method of claim 1, wherein the plurality of risk factors further comprises a number of individuals having access to the particular personal data associated with the campaign.
  - 17. The computer-implemented data processing method of claim 1, wherein the plurality of risk factors further comprises a type of individual from which the particular personal data associated with the campaign originated.
  - 18. The computer-implemented data processing method of claim 1, wherein the step of determining a weighting factor for each of a plurality of risk factors comprises using one or more user customizations to determine at least one weighting factor for a respective one of the plurality of risk factors.
  - 26. The computer-implemented data processing method of claim 17, wherein the plurality of risk factors further comprises a type of individual from which the particular personal data associated with the campaign originated.

19. A computer-implemented data processing method for determining a privacy audit schedule for a privacy campaign, the data processing method comprising:
- receiving, by one or more computer processors, a command to set up the privacy campaign in privacy management software;
  
  in response to receiving the command, creating, by one or more computer processors, an electronic record for the privacy campaign and digitally storing the record;
  
  communicating, by one or more computer processors, to one or more users, a plurality of prompts for the input of campaign data related to the privacy campaign;
  
  electronically receiving, by one or more computer processors, campaign data input by one or more users, wherein the campaign data comprises;
  
  (1) data indicating what types of particular personal data are obtained as part of the privacy campaign; and
  
  (2) data indicating who will have access to the particular personal data;
  
  processing, by one or more computer processors, the campaign data by electronically associating the campaign data with the record for the privacy campaign;
  
  digitally storing, by one or more computer processors, the campaign data in association with the record for the privacy campaign;
  
  determining, by one or more computer processors, based at least in part on the received campaign data, a risk value associated with the privacy campaign, wherein determining the risk value comprises;
  
  electronically retrieving, from a data structure, the campaign data associated with the record for the privacy campaign,electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;
  
  a nature of the particular personal data associated with the campaign;
  
  a physical location of the particular personal data associated with the campaign;
  
  a length of time that the particular personal data associated with the campaign will be retained in storage; and
  
  a country of residence of at least one subject from which the particular personal data was collected;
  
  electronically determining a relative risk rating for each of the plurality of risk factors;
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and
  
  electronically assigning, by one or more computer processors, a privacy audit schedule to the privacy campaign based on the determined risk value for the privacy campaign.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 27)
- - 20. The computer-implemented data processing method of claim 19, wherein the risk value for the campaign is a risk level for the campaign.
  - 21. The computer-implemented data processing method of claim 20, wherein the audit schedule is a default audit schedule that has been predetermined for the risk level associated with the campaign.
  - 22. The computer-implemented data processing method of claim 19, wherein the campaign data comprises data indicating whether personal data from one or more minors is obtained as part of the privacy campaign.
  - 23. The computer-implemented data processing method of claim 19, wherein,the campaign data comprises a description of the campaign, andthe description of the campaign comprises a name of the campaign.
  - 24. The computer-implemented data processing method of claim 19, wherein the campaign data comprises one or more storage locations for the personal data.
  - 25. The computer-implemented data processing method of claim 19, wherein the plurality of risk factors further comprises a number of individuals having access to the particular personal data associated with the campaign.
  - 27. The computer-implemented data processing method of claim 19, wherein the plurality of risk factors further comprises a type of individual from which the particular personal data associated with the campaign originated.

28. A computer-implemented data processing method for determining a privacy audit schedule for a privacy campaign, the data processing method comprising:
- receiving, by one or more computer processors, a command to set up privacy campaign in privacy management software;
  
  in response to receiving the command, creating, by one or more computer processors, an electronic record for the privacy campaign and digitally storing the record;
  
  communicating, by one or more computer processors, to one or more users, a plurality of prompts for the input of campaign data related to the privacy campaign;
  
  electronically receiving, by one or more computer processors, campaign data input by one or more users, wherein the campaign data comprises;
  
  (1) data indicating what types of information are obtained as part of the privacy campaign; and
  
  (2) data indicating one or more storage locations for the personal data;
  
  processing, by one or more computer processors, the campaign data by electronically associating the campaign data with the record for the privacy campaign;
  
  digitally storing, by one or more computer processors, the campaign data in association with the record for the privacy campaign;
  
  determining, by one or more computer processors, based at least in part on the received campaign data, a risk value associated with the privacy campaign, wherein determining the risk value comprises,electronically retrieving, from a data structure, the campaign data associated with the record for the privacy campaign,electronically determining a weighting factor for each of a plurality of risk factors, wherein the plurality of risk factors comprises;
  
  a nature of the particular personal data associated with the campaign;
  
  a physical location of the particular personal data associated with the campaign;
  
  a length of time that the particular personal data associated with the campaign will be retained in storage; and
  
  a country of residence of at least one subject from which the particular personal data was collected;
  
  electronically determining a relative risk rating for each of the plurality of risk factors;
  
  electronically calculating a risk value for the privacy campaign based upon, for each respective one of the plurality of risk factors, the relative risk rating for the respective risk factor and the weighting factor for the respective risk factor; and
  
  electronically assigning, by one or more computer processors, a privacy audit schedule to the privacy campaign based on the determined risk value for the privacy campaign.
- View Dependent Claims (29, 30)
- - 29. The computer-implemented data processing method of claim 28, wherein the campaign data comprises a description of the campaign.
  - 30. The computer-implemented data processing method of claim 28, further comprising:
    - receiving an electronic confirmation that a scheduled privacy audit, made according to the privacy audit schedule, has been completed; and
      
      in response to receiving the electronic confirmation, updating the audit schedule to indicate that the privacy campaign should be audited again by a predetermined date in the future.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Barday, Kabir A.
Primary Examiner(s)
Ouellette, Jonathan P

Application Number

US15/633,703
Publication Number

US 20170293990A1
Time in Patent Office

232 Days
Field of Search

705 11-912
US Class Current
CPC Class Codes

G06F 16/958   Organisation or management ...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6245   Protecting personal data, e...

G06Q 10/063114   Status monitoring or status...

G06Q 10/063116   Schedule adjustment for a p...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 10/101   Collaborative creation, e.g...

G06Q 30/018   Certifying business or prod...

G06Q 30/0609   Buyer or seller confidence ...

G06Q 50/26   Government or public servic...

G06Q 50/265   Personal security, identity...

G16H 10/60   for patient-specific data, ...

G16H 40/63   for local operation

Data processing systems and methods for implementing audit schedules for privacy campaigns

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems and methods for implementing audit schedules for privacy campaigns

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links