Patent Application Titled “Data Processing Systems For Assessing Readiness For Responding To Privacy-Related Incidents” Published Online (USPTO 20220261717): OneTrust LLC
2022 SEP 02 (NewsRx) -- By a
The assignee for this patent application is
Reporters obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).
“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in
“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.
“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”
In addition to obtaining background information on this patent application, NewsRx editors also obtained the inventors’ summary information for this patent application: “In general, various aspects of the present disclosure provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for identifying a readiness of an entity to address a data breach incident. In accordance with various aspects, a method is provided. Accordingly, the method comprises: receiving, by computing hardware, information on a data breach incident involving a processing activity executed by a computing system associated with an entity; identifying, by the computing hardware and based on the information, a data structure mapping a set of attributes to the processing activity; determining, by the computing hardware using the data structure, a geographic location associated with the computing system, wherein the set of attributes identifies the geographic location; determining, by the computing hardware and based on the geographic location, a required activity to address the data breach incident; configuring, by the computing hardware, a graphical user interface to display a mechanism for the required activity, wherein the mechanism is configured so that an indication can be provided for the required activity; receiving, by the computing hardware, the indication via the mechanism for the required activity, wherein the indication corresponds to a progress of completion of the required activity; and responsive to receiving the indication: generating, by the computing hardware, data breach response data identifying the progress of completion of the required activity; and configuring, by the computing hardware and based on the data breach response data, the graphical user interface to display at least one of (i) a readiness indicator representing a readiness of the entity to address the data breach incident or (ii) a plurality of comparison readiness indicators in which each comparison readiness indicator of the plurality of comparison readiness indicators represents a readiness of a different entity to address the data breach incident.
“In particular aspects, the data breach response data indicates an urgency of addressing the data breach incident for the geographic location. In some aspects, the processing activity is further executed by a second computing system, and the method further comprises: determining, by the computing hardware using the data structure, a second geographic location associated with the second computing system, wherein the set of attributes identifies the second geographic location; determining, by the computing hardware and based on the second geographic location, a second required activity to address the data breach incident; configuring, by the computing hardware, the graphical user interface to display a second mechanism for the second required activity, wherein the second mechanism is configured so that a second indication can be provided for the second required activity; receiving, by the computing hardware, the second indication via the second mechanism for the second required activity, wherein the second indication corresponds to a progress of completion of the second required activity; and responsive to receiving the second indication: generating, by the computing hardware, second data breach response data based on the progress of completion of the second required activity, wherein the second data breach response data indicates an urgency of addressing the data breach incident for the second geographic location; and configuring, by the computing hardware and based on the second data breach response data, the graphical user interface to display the urgency of addressing the data breach incident for the second geographic location is higher than the urgency of addressing the data breach incident for the geographic location.
“In some aspects, the data breach response data comprises at least one of whether a relevant deadline for completion of the required activity or whether the required activity was performed properly. In some aspects, the method further comprises determining, by the computing hardware, a relative ranking of each readiness of the different entity to address the data breach incident, wherein the plurality of comparison readiness indicators are displayed according to the relative ranking of each readiness. In some aspects, the method further comprises configuring, by the computing hardware, the graphical user interface to display an upload mechanism, wherein the upload mechanism is configured to facilitate uploading of at least one of data that has been reported to a second entity, data that has been collected for compliance, or data regarding a third entity responsible for the data breach incident. In some aspects, the indication corresponding to the progress of completion of the required activity indicates a completion of the required activity, and the method further comprises, responsive to the indication indicating the completion of the required activity, configuring, by the computing hardware, the graphical user interface to no longer display the mechanism for the required activity.
“In accordance with various aspects, a system is provided comprising a non-transitory computer-readable medium storing instructions and a processing device communicatively coupled to the non-transitory computer-readable medium. The processing device is configured to execute the instructions and thereby perform operations that comprise: receiving information on a data breach incident involving a data asset associated with a computing system for an entity; identifying, based on the information, a data structure mapping a set of attributes to the data asset; determining, using the data structure, a type of data handled by the data asset, wherein the set of attributes identifies the type of data; determining, based on the type of data, a required activity to address the data breach incident; configuring a graphical user interface to display a mechanism for the required activity, wherein the mechanism is configured so that an indication can be provided for the required activity; receiving the indication via the mechanism for the required activity, wherein the indication corresponds to a progress of completion of the required activity; and responsive to receiving the indication: generating data breach response data identifying the progress of completion of the required activity; and configuring, based on the data breach response data, the graphical user interface to display at least one of (i) a readiness indicator representing a readiness of the entity to address the data breach incident or (ii) a plurality of comparison readiness indicators in which each comparison readiness indicator of the plurality of comparison readiness indicators represents a readiness of a different entity to address the data breach incident.
“In particular aspects, the data breach response data indicates an urgency of addressing the data breach incident for the data asset. In some aspects, the operations further comprise: determining, using the data structure, a second data asset associated with the computing system and used in handling the type of data, wherein the data structure provides a mapping of a second set of attributes to the second data asset and the second set of attributes identify the type of data; determining, based on the second data asset, a second required activity to address the data breach incident; configuring the graphical user interface to display a second mechanism for the second required activity, wherein the second mechanism is configured so that a second indication can be provided for the second required activity; receiving the second indication via the second mechanism for the second required activity, wherein the second indication corresponds to a progress of completion of the second required activity; and responsive to receiving the second indication: generating second data breach response data based on the progress of completion of the second required activity, wherein the second data breach response data indicates an urgency of addressing the data breach incident for the second data asset; and configuring, based on the second data breach response data, the graphical user interface to display the urgency of addressing the data breach incident for the second data asset is higher than the urgency of addressing the data breach incident for the data asset.
“In some aspects, the data breach response data comprises at least one of whether a relevant deadline for completion of the required activity or whether the required activity was performed properly. In some aspects, the operations further comprise determining a relative ranking of each readiness of the different entity to address the data breach incident, and the plurality of comparison readiness indicators are displayed according to the relative ranking of each readiness. In some aspects, the operations further comprise configuring the graphical user interface to display an upload mechanism configured to facilitate uploading of at least one of data that has been reported to a second entity, data that has been collected for compliance, or data regarding a third entity responsible for the data breach incident. In some aspects, the indication corresponding to the progress of completion of the required activity indicates a completion of the required activity, and the operations further comprise, responsive to the indication indicating the completion of the required activity, configuring the graphical user interface to no longer display the mechanism for the required activity.”
There is additional summary information. Please visit full patent to read further.
The claims supplied by the inventors are:
“1. A method comprising: receiving, by computing hardware, information on a data breach incident involving a processing activity executed by a computing system associated with an entity; identifying, by the computing hardware and based on the information, a data structure mapping a set of attributes to the processing activity; determining, by the computing hardware using the data structure, a geographic location associated with the computing system, wherein the set of attributes identifies the geographic location; determining, by the computing hardware and based on the geographic location, a required activity to address the data breach incident; configuring, by the computing hardware, a graphical user interface to display a mechanism for the required activity, wherein the mechanism is configured so that an indication can be provided for the required activity; receiving, by the computing hardware, the indication via the mechanism for the required activity, wherein the indication corresponds to a progress of completion of the required activity; and responsive to receiving the indication: generating, by the computing hardware, data breach response data identifying the progress of completion of the required activity; and configuring, by the computing hardware and based on the data breach response data, the graphical user interface to display at least one of (i) a readiness indicator representing a readiness of the entity to address the data breach incident or (ii) a plurality of comparison readiness indicators in which each comparison readiness indicator of the plurality of comparison readiness indicators represents a readiness of a different entity to address the data breach incident.
“2. The method of claim 1, wherein the data breach response data indicates an urgency of addressing the data breach incident for the geographic location.
“3. The method of claim 2, wherein the processing activity is further executed by a second computing system, and the method further comprises: determining, by the computing hardware using the data structure, a second geographic location associated with the second computing system, wherein the set of attributes identifies the second geographic location; determining, by the computing hardware and based on the second geographic location, a second required activity to address the data breach incident; configuring, by the computing hardware, the graphical user interface to display a second mechanism for the second required activity, wherein the second mechanism is configured so that a second indication can be provided for the second required activity; receiving, by the computing hardware, the second indication via the second mechanism for the second required activity, wherein the second indication corresponds to a progress of completion of the second required activity; and responsive to receiving the second indication: generating, by the computing hardware, second data breach response data based on the progress of completion of the second required activity, wherein the second data breach response data indicates an urgency of addressing the data breach incident for the second geographic location; and configuring, by the computing hardware and based on the second data breach response data, the graphical user interface to display the urgency of addressing the data breach incident for the second geographic location is higher than the urgency of addressing the data breach incident for the geographic location.
“4. The method of claim 1, wherein the data breach response data comprises at least one of whether a relevant deadline for completion of the required activity or whether the required activity was performed properly.
“5. The method of claim 1 further comprising determining, by the computing hardware, a relative ranking of each readiness of the different entity to address the data breach incident, wherein the plurality of comparison readiness indicators are displayed according to the relative ranking of each readiness.
“6. The method of claim 1 further comprising configuring, by the computing hardware, the graphical user interface to display an upload mechanism, wherein the upload mechanism is configured to facilitate uploading of at least one of data that has been reported to a second entity, data that has been collected for compliance, or data regarding a third entity responsible for the data breach incident.
“7. The method of claim 1, wherein: the indication corresponding to the progress of completion of the required activity indicates a completion of the required activity, and the method further comprises, responsive to the indication indicating the completion of the required activity, configuring, by the computing hardware, the graphical user interface to no longer display the mechanism for the required activity.
“8. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: receiving information on a data breach incident involving a data asset associated with a computing system for an entity; identifying, based on the information, a data structure mapping a set of attributes to the data asset; determining, using the data structure, a type of data handled by the data asset, wherein the set of attributes identifies the type of data; determining, based on the type of data, a required activity to address the data breach incident; configuring a graphical user interface to display a mechanism for the required activity, wherein the mechanism is configured so that an indication can be provided for the required activity; receiving the indication via the mechanism for the required activity, wherein the indication corresponds to a progress of completion of the required activity; and responsive to receiving the indication: generating data breach response data identifying the progress of completion of the required activity; and configuring, based on the data breach response data, the graphical user interface to display at least one of (i) a readiness indicator representing a readiness of the entity to address the data breach incident or (ii) a plurality of comparison readiness indicators in which each comparison readiness indicator of the plurality of comparison readiness indicators represents a readiness of a different entity to address the data breach incident.
“9. The system of claim 8, wherein the data breach response data indicates an urgency of addressing the data breach incident for the data asset.
“10. The system of claim 9, wherein the operations further comprise: determining, using the data structure, a second data asset associated with the computing system and used in handling the type of data, wherein the data structure provides a mapping of a second set of attributes to the second data asset and the second set of attributes identify the type of data; determining, based on the second data asset, a second required activity to address the data breach incident; configuring the graphical user interface to display a second mechanism for the second required activity, wherein the second mechanism is configured so that a second indication can be provided for the second required activity; receiving the second indication via the second mechanism for the second required activity, wherein the second indication corresponds to a progress of completion of the second required activity; and responsive to receiving the second indication: generating second data breach response data based on the progress of completion of the second required activity, wherein the second data breach response data indicates an urgency of addressing the data breach incident for the second data asset; and configuring, based on the second data breach response data, the graphical user interface to display the urgency of addressing the data breach incident for the second data asset is higher than the urgency of addressing the data breach incident for the data asset.
“11. The system of claim 8, wherein the data breach response data comprises at least one of whether a relevant deadline for completion of the required activity or whether the required activity was performed properly.
“12. The system of claim 8, wherein the operations further comprise determining a relative ranking of each readiness of the different entity to address the data breach incident, and the plurality of comparison readiness indicators are displayed according to the relative ranking of each readiness.
“13. The system of claim 8, wherein the operations further comprise configuring the graphical user interface to display an upload mechanism configured to facilitate uploading of at least one of data that has been reported to a second entity, data that has been collected for compliance, or data regarding a third entity responsible for the data breach incident.
“14. The system of claim 8, wherein: the indication corresponding to the progress of completion of the required activity indicates a completion of the required activity, and the operations further comprise, responsive to the indication indicating the completion of the required activity, configuring the graphical user interface to no longer display the mechanism for the required activity.”
There are additional claims. Please visit full patent to read further.
For more information, see this patent application: Brannon,