Patent Issued for Data processing and scanning systems for assessing vendor risk (USPTO 11416590): OneTrust LLC

2022 SEP 01 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent by the inventors Barday, Kabir A. (Atlanta, GA, US), Brannon, Jonathan Blake (Smyrna, GA, US), Jones, Kevin (Atlanta, GA, US), Sabourin, Jason L. (Brookhaven, GA, US), Shah, Milap (Bengaluru, IN), Viswanathan, Subramanian (Marietta, GA, US), filed on October 18, 2021, was published online on August 16, 2022, according to news reporting originating from Alexandria, Virginia, by NewsRx correspondents.

Patent number 11416590 is assigned to OneTrust LLC (Atlanta, Georgia, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”

In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors’ summary information for this patent: “According to various aspects the disclosure, a method is provided that comprises: receiving, by computing hardware, an indication of a first privacy standard and a second privacy standard, wherein the first privacy standard is applicable to an entity and the second privacy standard is no longer applicable to the entity; generating, by the computing hardware, a graphical user interface for displaying a compliance questionnaire by: configuring a first display element for displaying a first question based on the first privacy standard being applicable to the entity and an ontology comprising a mapping of a first data control required for compliance with the first privacy standard to the first question, and excluding a second display element configured for displaying a second question based on the second privacy standard no longer being applicable to the entity and the ontology comprising a mapping of a second data control required for compliance with the second privacy standard to the second question; providing the graphical user interface for display on a user device; receiving a response to the first question; generating, by the computing hardware, a compliance determination for the first privacy standard based on the response to the first question, wherein the compliance determination indicates an extent the entity is in compliance with the first privacy standard; and providing, by the computing hardware, the compliance determination for display to the user on the graphical user interface via the user device.

“According to particular aspects, the first data control and the second data control comprise at least one of a control on accessing sensitive data, a control on modifying the sensitive data, or a control on storing the sensitive data. According to particular aspects, configuring the first display element comprises translating the first question into a language indicated by the user. In addition, according to particular aspects, the method further comprises configuring, by the computing hardware, a second graphical user interface displaying a plurality of privacy standards and comprising a first selectable element associated with the first privacy standard and a second selectable element associated with the second privacy standard, and providing, by the computing hardware the second graphical user interface for display on the user device. Here, receiving the indication of the first privacy standard and the second privacy standard occurs in response to a selection of the first selectable element and a deselection of the second selectable element on the second graphical user interface.

“In addition, according to particular aspects, the method further comprises receiving, by the computing hardware, data associated with the response and originating from the user and generating, by the computing hardware, a confidence level for the response based on the data, wherein the data substantiates the response, the confidence level represents a confidence the entity is in compliance with the first data control, and the compliance determination is generated based on the confidence level. Further, according to particular aspects, the method further comprises generating a confidence score, by the computing hardware, for the compliance determination, wherein the confidence score represents a confidence in the compliance determination and providing the confidence score for display on the graphical user interface to the user. Furthermore, according to particular aspects, the method further comprises receiving, by the computing hardware, an indication of a third privacy standard, wherein the third privacy standard is applicable to the entity and the ontology comprises a mapping of a third data control required for compliance with the third privacy standard to the first question, generating, by the computing hardware, a second compliance determination for the third privacy standard based on the response to the first question, wherein the second compliance determination indicates an extent the entity is in compliance with the third privacy standard, and providing, by the computing hardware, the second compliance determination for display to the user on the graphical user interface via the user device.

“According to various aspects of the disclosure, a system is provided that includes a non-transitory computer-readable medium storing instructions and a processing device communicatively coupled to the non-transitory computer-readable medium. The processing device is configured to execute the instructions and thereby perform operations comprising: generating a graphical user interface for displaying a compliance questionnaire by: configuring a first display element for displaying a first question based on a first privacy standard being applicable to an entity and an ontology comprising a mapping of a first data control required for compliance with the first privacy standard to the first question, and configuring a second display element configured for displaying a second question based on a second privacy standard being applicable to the entity and the ontology comprising a mapping of a second data control required for compliance with the second privacy standard to the second question; providing the graphical user interface for display to a user on a user device; receiving a first response to the first question and a second response to the second question; generating a first compliance determination for the first privacy standard based on the first response to the first question, wherein the first compliance determination indicates an extent the entity is in compliance with the first privacy standard; generating a second compliance determination for the second privacy standard based on the second response to the second question, wherein the second compliance determination indicates an extent the entity is in compliance with the second privacy standard; and providing the first compliance determination and the second compliance determination for display to the user on the graphical user interface via the user device.

“According to particular aspects, configuring the first display element comprises translating the first question into a language indicated by the user. According to particular aspects, generating the graphical user interface for displaying the compliance questionnaire further comprises excluding a third display element configured for displaying a third question based on a third privacy standard that is not applicable to the entity and the ontology comprising a mapping of a third data control required for compliance with the third privacy standard to the third question.”

The claims supplied by the inventors are:

“1. A method comprising: receiving, by computing hardware, an indication of a first privacy standard and a second privacy standard, wherein the first privacy standard is applicable to an entity and the second privacy standard is no longer applicable to the entity; generating, by the computing hardware, a graphical user interface for displaying a compliance questionnaire by: configuring a first display element for displaying a first question based on the first privacy standard being applicable to the entity and an ontology comprising a mapping of a first data control required for compliance with the first privacy standard to the first question, and excluding a second display element configured for displaying a second question based on the second privacy standard no longer being applicable to the entity and the ontology comprising a mapping of a second data control required for compliance with the second privacy standard to the second question; providing the graphical user interface for display on a user device; receiving a response to the first question; generating, by the computing hardware, a compliance determination for the first privacy standard based on the response to the first question, wherein the compliance determination indicates an extent the entity is in compliance with the first privacy standard; and providing, by the computing hardware, the compliance determination for display to the user on the graphical user interface via the user device.

“2. The method of claim 1, wherein: the method further comprises: configuring, by the computing hardware, a second graphical user interface displaying a plurality of privacy standards and comprising a first selectable element associated with the first privacy standard and a second selectable element associated with the second privacy standard; and providing, by the computing hardware, the second graphical user interface for display on the user device; and receiving the indication of the first privacy standard and the second privacy standard occurs in response to a selection of the first selectable element and a deselection of the second selectable element on the second graphical user interface.

“3. The method of claim 1, wherein the first data control and the second data control comprise at least one of a control on accessing sensitive data, a control on modifying the sensitive data, or a control on storing the sensitive data.

“4. The method of claim 1 further comprising: receiving, by the computing hardware, data associated with the response and originating from the user; and generating, by the computing hardware, a confidence level for the response based on the data, wherein: the data substantiates the response, the confidence level represents a confidence the entity is in compliance with the first data control, and the compliance determination is generated based on the confidence level.

“5. The method of claim 1 further comprising: generating a confidence score, by the computing hardware, for the compliance determination, wherein the confidence score represents a confidence in the compliance determination; and providing the confidence score for display on the graphical user interface to the user.

“6. The method of claim 1, wherein configuring the first display element comprises translating the first question into a language indicated by the user.

“7. The method of claim 1 further comprising: receiving, by the computing hardware, an indication of a third privacy standard, wherein the third privacy standard is applicable to the entity and the ontology comprises a mapping of a third data control required for compliance with the third privacy standard to the first question; generating, by the computing hardware, a second compliance determination for the third privacy standard based on the response to the first question, wherein the second compliance determination indicates an extent the entity is in compliance with the third privacy standard; and providing, by the computing hardware, the second compliance determination for display to the user on the graphical user interface via the user device.

“8. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: generating a graphical user interface for displaying a compliance questionnaire by: configuring a first display element for displaying a first question based on a first privacy standard being applicable to an entity and an ontology comprising a mapping of a first data control required for compliance with the first privacy standard to the first question, and configuring a second display element configured for displaying a second question based on a second privacy standard being applicable to the entity and the ontology comprising a mapping of a second data control required for compliance with the second privacy standard to the second question; providing the graphical user interface for display to a user on a user device; receiving a first response to the first question and a second response to the second question; generating a first compliance determination for the first privacy standard based on the first response to the first question, wherein the first compliance determination indicates an extent the entity is in compliance with the first privacy standard; generating a second compliance determination for the second privacy standard based on the second response to the second question, wherein the second compliance determination indicates an extent the entity is in compliance with the second privacy standard; and providing the first compliance determination and the second compliance determination for display to the user on the graphical user interface via the user device.

“9. The system of claim 8, wherein the operations further comprise receiving an indication of the first privacy standard and the second privacy standard as being applicable to the entity as a result of the user selecting the first privacy standard and the second privacy standard from a second graphical user interface displaying a plurality of privacy standards comprising the first privacy standard and the second privacy standard, wherein each privacy standard of the plurality of privacy standards is configured to be user-selectable.

“10. The system of claim 8, wherein generating the graphical user interface for displaying the compliance questionnaire further comprises excluding a third display element configured for displaying a third question based on a third privacy standard that is not applicable to the entity and the ontology comprising a mapping of a third data control required for compliance with the third privacy standard to the third question.

“11. The system of claim 8, wherein the operations further comprise: receiving data associated with the first response and originating from the user; and generating a confidence level for the first response based on the data, wherein: the data substantiates the first response, the confidence level represents a confidence the entity is in compliance with the first data control, and the first compliance determination is generated based on the confidence level.

“12. The system of claim 8, wherein the operations further comprise: generating a confidence score for the first compliance determination, wherein the confidence score represents a confidence in the first compliance determination; and providing the confidence score for display on the graphical user interface to the user.

“13. The system of claim 8, wherein configuring the first display element comprises translating the first question into a language indicated by the user.

“14. The system of claim 8, wherein a third privacy standard is applicable to the entity, the ontology comprises a mapping of a third data control required for compliance with the third privacy standard to the first question, and the operations further comprise: generating a third compliance determination for the third privacy standard based on the response to the first question, wherein the third compliance determination indicates an extent the entity is in compliance with the third privacy standard; and providing the third compliance determination for display to the user on the graphical user interface via the user device.

“15. A non-transitory computer-readable medium having program code that is stored thereon, the program code executable by one or more processing devices for performing operations comprising: generating a graphical user interface for displaying a compliance questionnaire by: configuring a first display element for displaying a first question based on a first privacy standard being applicable to an entity and an ontology comprising a mapping of a first data control required for compliance with the first privacy standard to the first question, and excluding a second display element configured for displaying a second question based on a second privacy standard not being applicable to the entity and the ontology comprising a mapping of a second data control required for compliance with the second privacy standard to the second question; providing the graphical user interface for display to a user on a user device; receiving a response to the first question; generating a compliance determination for the first privacy standard based on the response to the first question, wherein the compliance determination indicates an extent the entity is in compliance with the first privacy standard; and providing the compliance determination for display to the user on the graphical user interface via the user device.”

There are additional claims. Please visit full patent to read further.

URL and more information on this patent, see: Barday, Kabir A. Data processing and scanning systems for assessing vendor risk. U.S. Patent Number 11416590, filed October 18, 2021, and published online on August 16, 2022. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11416590.PN.&OS=PN/11416590RS=PN/11416590

(Our reports deliver fact-based news of research and discoveries from around the world.)