“Data Processing Systems And Methods For Performing Privacy Assessments And Monitoring Of New Versions Of Computer Code For Privacy Compliance” in Patent Application Approval Process (USPTO 20190124122)
2019 MAY 14 (NewsRx) -- By a
This patent application is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (i.e., likes and dislikes, as provided or obtained through social media). While not all personal data may be sensitive, in the wrong hands, this kind of information may have a negative impact on the individuals or entities whose sensitive personal data is collected, including identity theft and embarrassment. Not only would this breach have the potential of exposing individuals to malicious wrongdoing, the fallout from such breaches may result in damage to reputation, potential liability, and costly remedial action for the organizations that collected the information and that were under an obligation to maintain its confidentiality and security. These breaches may result not only in financial loss, but loss of credibility, confidence, and trust from individuals, stakeholders, and the public.
“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. The European Union’s General Data Protection Regulation (GDPR) may fine companies up to 4% of their global worldwide turnover (revenue) for not complying with its regulations (companies must comply by
“Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends personal information inventory, and the Singapore PDPA specifically mentions personal data inventory mapping. Thus, developing operational policies and processes may reassure not only regulators, but also an organization’s customers, vendors, and other business partners.
“For many companies handling personal data, privacy audits, whether done according to AICPA Generally Accepted Privacy Principles, or ISACA’s IT Standards, Guidelines, and Tools and Techniques for Audit Assurance and Control Professionals, are not just a best practice, they are a requirement (for example,
“Many of these breaches have their roots in vulnerabilities that may be found in software applications, websites, or other computer code that collect, use and process personal data. The computer code may be an in-house application or solution, or one provided by a third party. When an organization’s auditors or privacy team members conduct a privacy audit or assessment, they typically direct questions to software developers in an attempt to obtain answers they need to address compliance with privacy standards. Unfortunately, the auditors and developers do not always use the same vernacular or technical language. As an example, auditors might ask a developer, ‘List for me all the personal data that you collect,’ or ‘are you using any third party code?’ A developer, when responding, might, for example, not understand that a user’s IP address is considered personal data, especially according to some laws. A developer might also not understand that third party code includes, for example, including snippets of HTML for a hosted library from Google’s hosted library, or the use of other software development kits (SDKs). With multitudes of questions during the audit process, the disconnect or language barrier may lead to vulnerabilities. Thus, auditors may ask a multitude of questions, but the disconnect from the language barrier might not lead to the identification or resolution of many privacy-related issues because the auditors are not obtaining the right answers to those questions.
“In light of the above, there is currently a need for improved systems and methods for assessing mobile applications, websites, and other computer code for features and conditions that may have an impact on a company’s compliance with privacy standards.”
In addition to the background information obtained for this patent application, NewsRx journalists also obtained the inventor’s summary information for this patent application: “A computer-implemented data processing method, according to various embodiments, for use in automatically monitoring computer code for changes within the context of privacy management comprises: (1) receiving, by one or more computer processors, one or more computer storage locations where a new version of particular computer code may be stored; (2) monitoring, by one or more computer processors, the one or more computer storage locations to determine whether any new versions of the particular computer code have been stored in the one or more computer storage locations by executing the data processing steps of: (A) receiving an indication that new computer code has been stored in the one or more computer storage locations; and (B) comparing the contents of the new computer code with one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment; and (3) in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment, communicating, by one or more computer processors, an alert to a user indicating that a new version of the particular computer code exists; and (4) in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment: (A) automatically electronically analyzing, by one or more computer processors, the new computer code to determine one or more privacy-related attributes of the new computer code, each of the privacy-related attributes indicating one or more types of personal information the new computer 
code collects or accesses; (B) electronically displaying to an individual, by one or more computer processors, a list of the one or more privacy-related attributes of the new computer code; (C) electronically displaying, by one or more computer processors, one or more prompts to the individual, wherein each prompt informs the user to input information regarding one or more particular attributes of the one or more privacy-related attributes; and (D) communicating, by one or more computer processors, the information regarding the particular privacy-related attributes to one or more second individuals for use in conducting a privacy assessment of the new computer code.
“A computer system, according to various embodiments, for use in automatically monitoring computer code for changes within the context of privacy management comprises at least one processor and memory operatively coupled to the at least one processor, and the computer system is configured for: (1) receiving one or more computer storage locations where a new version of particular computer code may be stored; (2) monitoring the one or more computer storage locations to determine whether any new versions of the particular computer code have been stored in the one or more computer storage locations by executing the data processing steps of: (A) receiving an indication that new computer code having an identifier associated with the particular computer code has been stored in the one or more computer storage locations; and (B) comparing the contents of the new computer code with one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment; (3) in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment, communicating an alert to a user indicating that a new version of the particular computer code exists; and (4) in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the computer code that have been assessed as a part of a previous privacy assessment: (A) automatically electronically analyzing the new computer code to determine whether the new computer code has any one of a specified plurality of privacy-related attributes; and (B) in response to determining that the new computer code has a particular one of the specified plurality of privacy-related attributes: (1) executing the steps of: (a) electronically displaying one or more prompts to a user requesting that the 
user input information regarding the particular privacy-related attribute; (b) receiving input information from the user regarding the particular privacy-related attribute; and (c) communicating the input information to a second user for use in a privacy assessment of the new computer code; (2) changing an indicator associated with the new computer code to indicate that, before the new computer code is launched, the attribute should be reviewed by one or more designated individuals; and (3) changing an indicator associated with the new computer code to indicate that, before the new computer code is launched, the new computer code should be modified to not include the particular privacy-related attribute.
“A computer-implemented data processing method for use in automatically monitoring computer code for changes within the context of privacy management, the method comprising: (1) receiving, by one or more computer processors, one or more computer storage locations where a new version of particular computer code may be stored; (2) monitoring, by one or more computer processors, the one or more computer storage locations to determine whether any new versions of the particular computer code have been stored in the one or more computer storage locations; (3) in response to determining that one or more new versions of the particular computer code have been stored in the one or more computer storage locations: (A) automatically electronically, by one or more computer processors, analyzing the new computer code to determine one or more privacy-related attributes of the new computer code, each of the one or more privacy-related attributes indicating one or more types of personal information the new computer code collects or accesses; (B) electronically displaying to an individual, by one or more computer processors, a list of the one or more privacy-related attributes of the new computer code; (C) electronically displaying, by one or more computer processors, one or more prompts to the individual wherein each prompt informs the individual to input information regarding the one or more attributes; and (D) communicating, by one or more computer processors, the information regarding the one or more privacy-related attributes to one or more second individuals for use in conducting a privacy assessment of the new computer code.
“A computer-implemented data processing method for use in automatically monitoring computer code for changes within the context of privacy management, the method comprising: (1) receiving, by one or more computer processors, one or more computer storage locations where a new version of particular computer code may be stored; (2) monitoring, by one or more computer processors, the one or more computer storage locations to determine whether any new versions of the computer code have been stored in the one or more computer storage locations by executing the data processing steps of: (A) receiving, by one or more computer processors, an indication that new computer code having an identifier associated with the computer code has been stored in the one or more computer storage locations; and (B) comparing, by one or more computer processors, the contents of the new computer code with one or more versions of the computer code that have been assessed as a part of a previous privacy assessment; (3) in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the computer code that have been assessed as a part of a previous privacy assessment, automatically electronically analyzing, by one or more computer processors, the new computer code to determine whether the new computer code has a particular one of a specified plurality of privacy-related attributes; and (4) in response to determining that the new computer code has a particular one of the plurality of privacy-related attributes: (A) executing, by one or more computer processors, the steps of: (i) electronically displaying one or more prompts to a user requesting that the user input information regarding the particular privacy-related attribute; (ii) receiving input information from the user regarding the particular privacy-related attribute; and (iii) communicating the input information to a second user for use in a privacy assessment of the new 
computer code; (B) changing an indicator associated with the new computer code to indicate that, before the new computer code is launched, the attribute should be reviewed by one or more designated individuals; and (C) changing an indicator associated with the new computer code to indicate that, before the new computer code is launched, the new computer code should be modified to not include the attribute.”
The claims supplied by the inventors are:
“1. A computer system for use in automatically monitoring computer code for changes within the context of privacy management, the computer system comprising: one or more computer processors; computer memory operatively coupled to the one or more computer processors, wherein the computer system is configured for: monitoring, by one or more computer processors, one or more computer storage locations to determine whether any new versions of particular computer code have been stored in the one or more computer storage locations by executing the data processing steps of: (A) receiving an indication that new computer code has been stored in the one or more computer storage locations; and (B) comparing the contents of the new computer code with one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment, and in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment, communicating, by the one or more computer processors, an alert to a user indicating that a new version of the particular computer code exists; and in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment: automatically electronically analyzing, by the one or more computer processors, the new computer code to determine one or more privacy-related attributes of the new computer code, each of the privacy-related attributes indicating one or more types of personal information the new computer code collects or accesses; electronically displaying to an individual, by the one or more computer processors, a list of the one or more privacy-related attributes of the new computer code; electronically displaying, by the one 
or more computer processors, one or more prompts to the individual, wherein each prompt informs the user to input information regarding one or more particular attributes of the one or more privacy-related attributes; and communicating, by the one or more computer processors, the information regarding the particular privacy-related attributes to one or more second individuals for use in conducting a privacy assessment of the new computer code.
“2. The computer system of claim 1, wherein the one or more computer storage locations comprise an app store.
“3. The computer system of claim 1, wherein the one or more computer storage locations comprise a designated folder in computer memory.
“4. The computer system of claim 1, wherein the new computer code is computer code that is associated with a website and the one or more storage locations comprises a URL.
“5. The computer system of claim 4, wherein the computer system is further configured for: monitoring, by the one or more computer processors, a location of a privacy policy on the website; and in response to the location of the privacy policy satisfying one or more specified criteria, communicating, by the one or more computer processors, an alert to a user.
“6. The computer system of claim 5, wherein the one or more specified criteria comprise the location of the privacy policy being different from a specified location on the website.
“7. A computer system for use in automatically monitoring computer code for changes within the context of privacy management, the computer system comprising: at least one processor; and memory operatively coupled to the at least one processor, wherein the computer system is configured for: monitoring one or more computer storage locations to determine whether any new versions of particular computer code have been stored in the one or more computer storage locations by executing the data processing steps of: (A) receiving an indication that new computer code having an identifier associated with the particular computer code has been stored in the one or more computer storage locations; and (B) comparing the contents of the new computer code with one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment, and in response to determining that the contents of the new computer code are different from the contents of the one or more versions of the particular computer code that have been assessed as a part of a previous privacy assessment: automatically electronically analyzing the new computer code to determine whether the new computer code has any one of a specified plurality of privacy-related attributes; and in response to determining that the new computer code has a particular one of the specified plurality of privacy-related attributes: (A) executing the steps of: (i) electronically displaying one or more prompts to a user requesting that the user input information regarding the particular privacy-related attribute; (ii) receiving input information from the user regarding the particular privacy-related attribute; and (iii) communicating the input information to a second user for use in a privacy assessment of the new computer code; (B) changing an indicator associated with the new computer code to indicate that, before the new computer code is launched, the attribute should be reviewed by one or more 
designated individuals; and (C) changing an indicator associated with the new computer code to indicate that, before the new computer code is launched, the new computer code should be modified to not include the particular privacy-related attribute.
“8. The computer system of claim 7, wherein the particular privacy-related attribute is that the new computer code collects information regarding the web browsing habits of users of the new computer code.
“9. The computer system of claim 7, wherein the information regarding one or more particular attributes comprises a reason that the new computer code has the one or more attributes.
“10. The computer system of claim 7, wherein the one or more computer storage locations comprises an app store.
“11. The computer system of claim 7, wherein the one or more computer storage locations comprises a designated folder in computer memory.
“12. The computer system of claim 7, wherein the new computer code is computer code that is associated with a website and the one or more storage locations comprises a URL.
“13. A computer-implemented data processing method for use in automatically monitoring computer code for changes within the context of privacy management, the method comprising: monitoring, by one or more computer processors, to determine whether any new versions of particular computer code exist in one or more computer storage locations; in response to determining that one or more new versions of the particular computer code exist in the one or more computer storage locations: (A) automatically electronically, by one or more computer processors, analyzing the one or more new versions of computer code to determine one or more privacy-related attributes of the one or more new versions of computer code, each of the one or more privacy-related attributes indicating one or more types of personal information the one or more new versions of computer code collects or accesses; (B) electronically displaying to an individual, by one or more computer processors, a list of the determined one or more privacy-related attributes; (C) electronically displaying, by one or more computer processors, one or more prompts to an individual wherein each prompt informs the individual to input information regarding the one or more attributes; and (D) communicating, by one or more computer processors, the information regarding the one or more privacy-related attributes to one or more second individuals for use in conducting a privacy assessment of the new computer code.
“14. The computer-implemented data processing method of claim 13, further comprising, in response to determining that one or more new versions of the computer code exist in the one or more computer storage locations: automatically electronically, by one or more computer processors, analyzing the one or more new versions of the computer code to determine whether the one or more new versions of the computer code has a particular one of a specified plurality of privacy-related attributes; and in response to determining that the one or more new versions of the computer code has the particular privacy-related attribute: (A) changing, by one or more computer processors, an indicator associated with the one or more new versions of the computer code to indicate that, before the one or more new versions of the computer code is launched, the attribute should be reviewed by one or more designated individuals; and (B) changing, by one or more computer processors, an indicator associated with the one or more new versions of the computer code to indicate that, before the one or more new versions of the computer code are launched, the one or more new versions of the computer code should be modified to not include the one or more particular attributes.
“15. The computer-implemented data processing method of claim 14, wherein the particular privacy-related attribute is that the one or more new versions of the computer code collects information regarding the location of users of the one or more new versions of the computer code.
“16. The computer-implemented data processing method of claim 14, wherein the particular privacy-related attribute is that the one or more new versions of the computer code collects information regarding the web browsing habits of users of the new computer code.
“17. The computer-implemented data processing method of claim 14, wherein the information regarding one or more particular attributes comprises a reason for having the new computer code have the one or more attributes.
“18. The computer-implemented data processing method of claim 13, wherein the one or more computer storage locations comprises an app store.
“19. The computer-implemented data processing method of claim 13, wherein the one or more computer storage locations comprises a designated folder in computer memory.
“20. The computer-implemented data processing method of claim 13, wherein the one or more new versions of the computer code is computer code that is associated with a web site and the one or more storage locations comprises a URL.”
For the URL and more information on this patent application, see: Barday, Kabir A. Data Processing Systems And Methods For Performing Privacy Assessments And Monitoring Of New Versions Of Computer Code For Privacy Compliance. Filed
(Our reports deliver fact-based news of research and discoveries from around the world.)
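The monitoring flow set out in the summary and claims (compare new code with previously assessed versions, then analyse it for privacy-related attributes and prompt for input) is sketched below as an added example; it is not code from the patent application. The SHA-256 content comparison, the regex detectors, the indicator values and all names are assumptions made for illustration.

```python
"""Added illustration of the monitoring flow in the summary and claims."""
import hashlib
import re
from dataclasses import dataclass, field

# Hypothetical detectors: the application names the attributes (location,
# web browsing habits) but not how they are detected.
ATTRIBUTE_PATTERNS = {
    "location": re.compile(r"navigator\.geolocation|ACCESS_FINE_LOCATION"),
    "web_browsing_habits": re.compile(r"document\.referrer|chrome\.history"),
}


@dataclass
class Assessment:
    digest: str
    changed: bool
    attributes: dict = field(default_factory=dict)  # attribute -> line numbers
    prompts: list = field(default_factory=list)
    indicator: str = "previously_assessed"


def content_digest(code: str) -> str:
    """SHA-256 over the code with line endings normalised, so a CRLF/LF
    checkout difference is not reported as a new version (assumption)."""
    normalised = code.replace("\r\n", "\n").encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()


def detect_attributes(code: str) -> dict:
    """Map each matched privacy-related attribute to the lines that triggered it."""
    hits = {}
    for lineno, line in enumerate(code.splitlines(), start=1):
        for name, pattern in ATTRIBUTE_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def check_new_version(code: str, assessed_digests: set) -> Assessment:
    """Compare against assessed versions; analyse only when contents differ."""
    digest = content_digest(code)
    if digest in assessed_digests:
        return Assessment(digest=digest, changed=False)
    result = Assessment(digest=digest, changed=True)
    result.attributes = detect_attributes(code)
    for name, lines in sorted(result.attributes.items()):
        # One prompt per attribute, asking the developer for the reason.
        result.prompts.append(
            f"Attribute '{name}' found on line(s) {lines}: state the reason "
            "the code collects or accesses this information."
        )
    # Indicator that gates launch until designated individuals have reviewed.
    result.indicator = (
        "review_before_launch" if result.attributes else "new_version_unflagged"
    )
    return result


# Constructed sample inputs (not from the patent application).
ASSESSED_V1 = "function init() {\n  render();\n}\n"
NEW_V2 = (
    "function init() {\n"
    "  navigator.geolocation.getCurrentPosition(send);\n"
    "  track(document.referrer);\n"
    "  render();\n"
    "}\n"
)

if __name__ == "__main__":
    known = {content_digest(ASSESSED_V1)}
    samples = (("v1 (CRLF checkout)", ASSESSED_V1.replace("\n", "\r\n")),
               ("v2", NEW_V2))
    for label, code in samples:
        r = check_new_version(code, known)
        print(label, "changed:", r.changed, "indicator:", r.indicator)
        for prompt in r.prompts:
            print("  ", prompt)
```

Pattern matching of this kind also fires on comments and string literals, so the prompts it raises are a starting point for the reviewer rather than a finding.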


