Patent Application Titled “Privacy Management Systems And Methods” Published Online (USPTO 20220036389): OneTrust LLC

2022 FEB 22 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- According to news reporting originating from Washington, D.C., by NewsRx journalists, a patent application by the inventors Brannon, Jonathan Blake (Smyrna, GA, US); Clearwater, Andrew (Brunswick, ME, US); Hecht, Trey (Atlanta, GA, US); Johnson, Wesley (Atlanta, GA, US); Pavlichek, Nicholas Ian (Atlanta, GA, US); Philbrook, Brian (Atlanta, GA, US); Thielova, Linda (London, GB), filed on October 12, 2021, was made available online on February 3, 2022.

The assignee for this patent application is OneTrust LLC (Atlanta, Georgia, United States).

Reporters obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.

“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”

In addition to obtaining background information on this patent application, NewsRx editors also obtained the inventors’ summary information for this patent application: “According to various aspects, a method is provided the comprises: providing, by computing hardware, a graphical user interface for display via a user computing device to a user, wherein the graphical user interface provides, for an occurrence of a data incident, a prompt requesting a plurality of territories comprising at least one of territories in which an entity conducts business or that have been affected by the occurrence of the data incident; receiving, by the computing hardware and originating from the user, an indication of the plurality of territories comprising a first territory and a second territory; generating a master reporting questionnaire comprising a first plurality of questions, wherein the first plurality of questions is included in the master reporting questionnaire based on a first ontology comprising a mapping of a first requirement for reporting the data incident in the first territory to at least one of the first plurality of questions and a second requirement for reporting the data incident in the second territory to at least one of the first plurality of questions; causing, by the computing hardware, a request for an answer to each of the first plurality of questions in the master reporting questionnaire from the user; receiving, by the computing hardware, input indicating the answer to each of the first plurality of questions in the master reporting questionnaire originating from the user; and automatically generating, by the computing hardware, a first disclosure document for the first territory and a second disclosure document for the second territory based on the input.

“According to some aspects, causing the request for the answer to each of the first plurality of questions from the user comprises causing the master reporting questionnaire to be displayed on the graphical user interface to allow the user to view the master reporting questionnaire and submit at least one of data or documentation as comprising the answer to each of the first plurality of questions. According to some aspects, at least one of the first disclosure document and the second disclosure document comprises at least one of a letter to a regulatory agency, an internal report to a privacy officer for the entity, or a notification of the occurrence of the data incident to be sent to data subjects affected by the occurrence of the data incident.

“According to some aspects, the plurality of territories comprises a third territory and the method further comprises: generating a master disclosure questionnaire comprising a second plurality of questions, wherein the second plurality of questions is included in the master disclosure questionnaire based on a second ontology comprising a mapping of a first disclosure requirement for the first territory to at least one of the second plurality of questions, a second disclosure requirement for the second territory to at least one of the second plurality of questions, and a third disclosure requirement for the third territory to at least one of the second plurality of questions; causing a request for an answer to each of the second plurality of questions in the master disclosure questionnaire from the user; receiving input indicating the answer to each of the second plurality of questions in the master disclosure questionnaire originating from the user; determining, based on the answer to at least one of the second plurality of questions, that the first territory and the second territory require reporting of the occurrence of the data incident; and determining, based on the answer to at least one of the second plurality of questions, that the third territory does not require reporting of the occurrence of the data incident. According to some aspects, the method further comprises: receiving, by the computing hardware via the graphical user interface, information from the user, wherein the information comprises at least one of a type of data involved in the occurrence of the data incident, an amount of data involved in the occurrence of the data incident, a number of data subjects affected by the occurrence of the data incident, a date on which the occurrence of the data incident was discovered, a process used to detect the occurrence of the data incident, or a business sector affected by the occurrence of the data incident; and identifying, by the computing hardware based on the information, the first disclosure requirement, the second disclosure requirement, and the third disclosure requirement.

“According to some aspects, the plurality of territories comprises a third territory and the method further comprises: determining a first disclosure requirement for the first territory, a second disclosure requirement for the second territory, and a third disclosure requirement for the third territory; determining a first consequence for failure to meet the first disclosure requirement, a second consequence for failure to meet the second disclosure requirement, and a third consequence for failure to meet the third disclosure requirement; determining, based on at least one of the first disclosure requirement or the first consequence, that the occurrence of the data incident should be reported for the first territory; determining, based on at least one of the second disclosure requirement or the second consequence, that the occurrence of the data incident should be reported for the second territory; and determining, based on at least one of the third disclosure requirement or the third consequence, that the occurrence of the data incident should not be reported to the third territory. According to some aspects, determining that the occurrence of the data incident should be reported for the first territory is also based on an enforcement characteristic for the first territory.

“According to various aspects, a system is provided that comprises a non-transitory computer-readable medium storing instructions and a processing device communicatively coupled to the non-transitory computer-readable medium. The processing device is configured to execute the instructions and thereby perform operations comprising: receiving, for an occurrence of a data incident, an indication of a plurality of territories comprising a first territory and a second territory, wherein the plurality of territories comprises at least one of territories in which an entity conducts business or that have been affected by the occurrence of the data incident; generating a master reporting questionnaire comprising a first plurality of questions, wherein the first plurality of questions is included in the master reporting questionnaire based on a first ontology comprising a mapping of a first requirement for reporting the data incident in the first territory to at least one of the first plurality of questions and a second requirement for reporting the data incident in the second territory to at least one of the first plurality of questions; providing the master reporting questionnaire for display on a graphical user interface to solicit an answer to each of the first plurality of questions in the master reporting questionnaire; receiving input indicating the answer to each of the first plurality of questions in the master reporting questionnaire; and automatically generating, based on the input, a first disclosure document for the first territory and a second disclosure document for the second territory.

“According to some aspects, the operations further comprise automatically sending the first disclosure document via an electronic communication. According to some aspects, at least one of the first disclosure document and the second disclosure document comprises at least one of a letter to a regulatory agency, an internal report to a privacy officer for the entity, or a notification of the occurrence of the data incident to be sent to data subjects affected by the occurrence of the data incident. According to some aspects, the operations further comprise: receiving information comprising at least one of a type of data involved in the occurrence of the data incident, an amount of data involved in the occurrence of the data incident, a number of data subjects affected by the occurrence of the data incident, a date on which the occurrence of the data incident was discovered, a process used to detect the occurrence of the data incident, or a business sector affected by the occurrence of the data incident; and identifying, based on the information, the first requirement for reporting the data incident and the second requirement for reporting the data incident.

“According to some aspects, the plurality of territories comprises a third territory and the operations further comprise: determining a first condition for the first territory, a second condition for the second territory, and a third condition for the third territory; determining, based on the first condition, that the occurrence of the data incident should be reported for the first territory; determining, based on the second condition, that the occurrence of the data incident should be reported for the second territory; and determining, based on the third condition, that the occurrence of the data incident should not be reported for the third territory. According to some aspects, the first condition for the first territory is based on at least one of a business importance of the first territory, a penalty associated with not satisfying a disclosure requirement for the first territory, a difficulty of satisfying the disclosure requirement for the first territory, a temporal proximity of a deadline for satisfying the disclosure requirement for the first territory, or an availability of a cure period for the first territory. According to some aspects, the third condition comprises a score and determining that the occurrence of the data incident should not be reported for the third territory comprises determining that the score does not satisfy a threshold.”

There is additional summary information. Please visit full patent to read further.”

The claims supplied by the inventors are:

“1. A method comprising: providing, by computing hardware, a graphical user interface for display via a user computing device to a user, wherein the graphical user interface provides, for an occurrence of a data incident, a prompt requesting a plurality of territories comprising at least one of territories in which an entity conducts business or that have been affected by the occurrence of the data incident; receiving, by the computing hardware and originating from the user, an indication of the plurality of territories comprising a first territory and a second territory; generating a master reporting questionnaire comprising a first plurality of questions, wherein the first plurality of questions is included in the master reporting questionnaire based on a first ontology comprising a mapping of a first requirement for reporting the data incident in the first territory to at least one of the first plurality of questions and a second requirement for reporting the data incident in the second territory to at least one of the first plurality of questions; causing, by the computing hardware, a request for an answer to each of the first plurality of questions in the master reporting questionnaire from the user; receiving, by the computing hardware, input indicating the answer to each of the first plurality of questions in the master reporting questionnaire originating from the user; and automatically generating, by the computing hardware, a first disclosure document for the first territory and a second disclosure document for the second territory based on the input.

“2. The method of claim 1, wherein causing the request for the answer to each of the first plurality of questions from the user comprises causing the master reporting questionnaire to be displayed on the graphical user interface to allow the user to view the master reporting questionnaire and submit at least one of data or documentation as comprising the answer to each of the first plurality of questions.

“3. The method of claim 1, wherein at least one of the first disclosure document and the second disclosure document comprises at least one of a letter to a regulatory agency, an internal report to a privacy officer for the entity, or a notification of the occurrence of the data incident to be sent to data subjects affected by the occurrence of the data incident.

“4. The method of claim 1, wherein the plurality of territories comprises a third territory and the method further comprises: generating a master disclosure questionnaire comprising a second plurality of questions, wherein the second plurality of questions is included in the master disclosure questionnaire based on a second ontology comprising a mapping of a first disclosure requirement for the first territory to at least one of the second plurality of questions, a second disclosure requirement for the second territory to at least one of the second plurality of questions, and a third disclosure requirement for the third territory to at least one of the second plurality of questions; causing a request for an answer to each of the second plurality of questions in the master disclosure questionnaire from the user; receiving input indicating the answer to each of the second plurality of questions in the master disclosure questionnaire originating from the user; determining, based on the answer to at least one of the second plurality of questions, that the first territory and the second territory require reporting of the occurrence of the data incident; and determining, based on the answer to at least one of the second plurality of questions, that the third territory does not require reporting of the occurrence of the data incident.

“5. The method of claim 4 further comprising: receiving, by the computing hardware via the graphical user interface, information from the user, wherein the information comprises at least one of a type of data involved in the occurrence of the data incident, an amount of data involved in the occurrence of the data incident, a number of data subjects affected by the occurrence of the data incident, a date on which the occurrence of the data incident was discovered, a process used to detect the occurrence of the data incident, or a business sector affected by the occurrence of the data incident; and identifying, by the computing hardware based on the information, the first disclosure requirement, the second disclosure requirement, and the third disclosure requirement.

“6. The method of claim 1, wherein the plurality of territories comprises a third territory and the method further comprises: determining a first disclosure requirement for the first territory, a second disclosure requirement for the second territory, and a third disclosure requirement for the third territory; determining a first consequence for failure to meet the first disclosure requirement, a second consequence for failure to meet the second disclosure requirement, and a third consequence for failure to meet the third disclosure requirement; determining, based on at least one of the first disclosure requirement or the first consequence, that the occurrence of the data incident should be reported for the first territory; determining, based on at least one of the second disclosure requirement or the second consequence, that the occurrence of the data incident should be reported for the second territory; and determining, based on at least one of the third disclosure requirement or the third consequence, that the occurrence of the data incident should not be reported to the third territory.

“7. The method of claim 6, wherein determining that the occurrence of the data incident should be reported for the first territory is also based on an enforcement characteristic for the first territory.

“8. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: receiving, for an occurrence of a data incident, an indication of a plurality of territories comprising a first territory and a second territory, wherein the plurality of territories comprises at least one of territories in which an entity conducts business or that have been affected by the occurrence of the data incident; generating a master reporting questionnaire comprising a first plurality of questions, wherein the first plurality of questions is included in the master reporting questionnaire based on a first ontology comprising a mapping of a first requirement for reporting the data incident in the first territory to at least one of the first plurality of questions and a second requirement for reporting the data incident in the second territory to at least one of the first plurality of questions; providing the master reporting questionnaire for display on a graphical user interface to solicit an answer to each of the first plurality of questions in the master reporting questionnaire; receiving input indicating the answer to each of the first plurality of questions in the master reporting questionnaire; and automatically generating, based on the input, a first disclosure document for the first territory and a second disclosure document for the second territory.

“9. The system of claim 8, wherein the operations further comprise automatically sending the first disclosure document via an electronic communication.

“10. The system of claim 8, wherein at least one of the first disclosure document and the second disclosure document comprises at least one of a letter to a regulatory agency, an internal report to a privacy officer for the entity, or a notification of the occurrence of the data incident to be sent to data subjects affected by the occurrence of the data incident.

“11. The system of claim 8, wherein the operations further comprise: receiving information comprising at least one of a type of data involved in the occurrence of the data incident, an amount of data involved in the occurrence of the data incident, a number of data subjects affected by the occurrence of the data incident, a date on which the occurrence of the data incident was discovered, a process used to detect the occurrence of the data incident, or a business sector affected by the occurrence of the data incident; and identifying, based on the information, the first requirement for reporting the data incident and the second requirement for reporting the data incident.

“12. The system of claim 8, wherein the plurality of territories comprises a third territory and the operations further comprise: determining a first condition for the first territory, a second condition for the second territory, and a third condition for the third territory; determining, based on the first condition, that the occurrence of the data incident should be reported for the first territory; determining, based on the second condition, that the occurrence of the data incident should be reported for the second territory; and determining, based on the third condition, that the occurrence of the data incident should not be reported for the third territory.

“13. The system of claim 12, wherein the first condition for the first territory is based on at least one of a business importance of the first territory, a penalty associated with not satisfying a disclosure requirement for the first territory, a difficulty of satisfying the disclosure requirement for the first territory, a temporal proximity of a deadline for satisfying the disclosure requirement for the first territory, or an availability of a cure period for the first territory.”

There are additional claims. Please visit full patent to read further.

For more information, see this patent application: Brannon, Jonathan Blake; Clearwater, Andrew; Hecht, Trey; Johnson, Wesley; Pavlichek, Nicholas Ian; Philbrook, Brian; Thielova, Linda. Privacy Management Systems And Methods. Filed October 12, 2021 and posted February 3, 2022. Patent URL: https://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220220036389%22.PGNR.&OS=DN/20220036389&RS=DN/20220036389

(Our reports deliver fact-based news of research and discoveries from around the world.)