Patent Issued for Data processing systems and methods for providing training in a vendor procurement process (USPTO 11416798): OneTrust LLC

2022 SEP 05 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- From Alexandria, Virginia, NewsRx journalists report that a patent by the inventors Barday, Kabir A. (Atlanta, GA, US), Brannon, Jonathan Blake (Smyrna, GA, US), filed on August 24, 2021, was published online on August 16, 2022.

The patent’s assignee for patent number 11416798 is OneTrust LLC (Atlanta, Georgia, United States).

News editors obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPPA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.

“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly. There is also a need for improved systems and methods for estimating the timing of vendor risk analysis and procurement and providing effective training to ensure that employees and/or vendors are compliant with applicable privacy and security regulations and standards.”

As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “A computer-implemented data processing method for monitoring one or more system inputs as input of information related to a privacy campaign, according to various embodiments, comprises: (A) actively monitoring, by one or more processors, one or more system inputs from a user as the user provides information related to a privacy campaign, the one or more system inputs comprising one or more submitted inputs and one or more unsubmitted inputs, wherein actively monitoring the one or more system inputs comprises: (1) recording a first keyboard entry provided within a graphical user interface that occurs prior to submission of the one or more system inputs by the user, and (2) recording a second keyboard entry provided within the graphical user interface that occurs after the user inputs the first keyboard entry and before the user submits the one or more system inputs; (B) storing, in computer memory, by one or more processors, an electronic record of the one or more system inputs; (C) analyzing, by one or more processors, the one or more submitted inputs and one or more unsubmitted inputs to determine one or more changes to the one or more system inputs prior to submission, by the user, of the one or more system inputs, wherein analyzing the one or more submitted inputs and the one or more unsubmitted inputs to determine the one or more changes to the one or more system inputs comprises comparing the first keyboard entry with the second keyboard entry to determine one or more differences between the one or more submitted inputs and the one or more unsubmitted inputs, wherein the first keyboard entry is an unsubmitted input and the second keyboard entry is a submitted input; (D) determining, by one or more processors, based at least in part on the one or more system inputs and the one or more changes to the one or more system inputs, whether the user has provided one or more system inputs comprising one or more abnormal inputs; and (E) at least partially in response to determining that the user has provided one or more abnormal inputs, automatically flagging the one or more system inputs that comprise the one or more abnormal inputs in memory.

“A computer-implemented data processing method for monitoring a user as the user provides one or more system inputs as input of information related to a privacy campaign, in various embodiments, comprises: (A) actively monitoring, by one or more processors, (i) a user context of the user as the user provides the one or more system inputs as information related to the privacy campaign and (ii) one or more system inputs from the user, the one or more system inputs comprising one or more submitted inputs and one or more unsubmitted inputs, wherein actively monitoring the user context and the one or more system inputs comprises recording a first user input provided within a graphical user interface that occurs prior to submission of the one or more system inputs by the user, and recording a second user input provided within the graphical user interface that occurs after the user inputs the first user input and before the user submits the one or more system input; (B) storing, in computer memory, by one or more processors, an electronic record of user context of the user and the one or more system inputs from the user; (C) analyzing, by one or more processors, at least one item of information selected from a group consisting of (i) the user context and (ii) the one or more system inputs from the user to determine whether abnormal user behavior occurred in providing the one or more system inputs, wherein determining whether the abnormal user behavior occurred in providing the one or more system inputs comprises comparing the first user input with the second user input to determine one or more differences between the one or more submitted inputs and the one or more unsubmitted inputs, wherein the first user input is an unsubmitted input and the second user input is a submitted input; and (D) at least partially in response to determining that abnormal user behavior occurred in providing the one or more system inputs, automatically flagging, in memory, at least a portion of the provided one or more system inputs in which the abnormal user behavior occurred.

“A computer-implemented data processing method for monitoring a user as the user provides one or more system inputs as input of information related to a privacy campaign, in various embodiments, comprises: (A) actively monitoring, by one or more processors, a user context of the user as the user provides the one or more system inputs, the one or more system inputs comprising one or more submitted inputs and one or more unsubmitted inputs, wherein actively monitoring the user context of the user as the user provides the one more system inputs comprises recording a first user input provided within a graphical user interface that occurs prior to submission of the one or more system inputs by the user, and recording a second user input provided within the graphical user interface that occurs after the user provides the first user input and before the user submits the one or more system inputs, wherein the user context comprises at least one user factor selected from a group consisting of: (i) an amount of time the user takes to provide the one or more system inputs, (ii) a deadline associated with providing the one or more system inputs, (iii) a location of the user as the user provides the one or more system inputs; and (iv) one or more electronic activities associated with an electronic device on which the user is providing the one or more system inputs; (B) storing, in computer memory, by one or more processors, an electronic record of the user context of the user; (C) analyzing, by one or more processors, the user context, based at least in part on the at least one user factor, to determine whether abnormal user behavior occurred in providing the one or more system inputs, wherein determining whether the abnormal user behavior occurred in providing the one or more system inputs comprises comparing the first user input with the second user input to determine one or more differences between the first user input and the second user input, wherein the first user input is an unsubmitted input and the second user input is a submitted input; and (D) at least partially in response to determining that abnormal user behavior occurred in providing the one or more system inputs, automatically flagging, in memory, at least a portion of the provided one or more system inputs in which the abnormal user behavior occurred.

“A computer-implemented data processing method for scanning one or more webpages to determine vendor risk, in various embodiments, comprises: (A) scanning, by one or more processors, one or more webpages associated with a vendor; (B) identifying, by one or more processors, one or more vendor attributes based on the scan; (C) calculating a vendor risk score based at least in part on the one or more vendor attributes; and (D) taking one or more automated actions based on the vendor risk rating.

“A computer-implemented data processing method for generating an incident notification for a vendor, according to particular embodiments, comprises: receiving, by one or more processors, an indication of a particular incident; determining, by one or more processors based on the indication of the particular incident, one or more attributes of the particular incident; determining, by one or more processors based on the one or more attributes of the particular incident, a vendor associated with the particular incident; determining, by one or more processors based on the vendor associated with the particular incident, a notification obligation for the vendor associated with the particular incident; generating, by one or more processors in response to determining the notification obligation, a task associated with satisfying the notification obligation; presenting, by one or more processors on a graphical user interface, an indication of the task associated with satisfying the notification obligation; detecting, by one or more processors on a graphical user interface, a selection of the indication of the task associated with satisfying the notification obligation; and presenting, by one or more processors on a graphical user interface, detailed information associated with the task associated with satisfying the notification obligation.”

The claims supplied by the inventors are:

“1. A method comprising: detecting, by computing hardware, a request to procure a vendor for an entity, a vendor criteria parameter identifying the vendor, and a user parameter identifying a user, wherein the vendor is to provide at least one of a service or a product to the entity; responsive to detecting the request: determining, by the computing hardware and based on the vendor criteria parameter and at least one of a privacy impact assessment or a security assessment conducted on the vendor with respect to the vendor handling data for the entity, a training requirement associated with a procurement of the vendor; determining, by the computing hardware and based on the user parameter, training data for the user, wherein the training data indicates a completion status identifying a progress of the user completing required training; generating, by the computing hardware and based on the training data and the training requirement, customized training content comprising a portion of a training course associated with the training requirement, wherein generating the customized training content comprising the portion of the training course comprises at least one of determining that a regulation associated with the training course has changed since the user previously satisfied the training requirement or determining that a predetermined amount of time has passed since the user previously satisfied the training requirement; generating, by the computing hardware, a graphical user interface by configuring a presentation element configured for presenting the customized training content on the graphical user interface; and transmitting an instruction to a browser application executed on a user device causing the browser application to retrieve the customized training content and present the graphical user interface on the user device.

“2. The method of claim 1, wherein detecting the request to procure the vendor, the vendor criteria parameter, and the user parameter comprises detecting a state of the browser application, the state of the browser application comprising an indication of the request to procure the vendor, the vendor criteria parameter, and the user parameter.

“3. The method of claim 1, wherein the graphical user interface is further configured with a control element configured to generate an indication of completion of the customized training content and the method further comprises: responsive to a selection of the control element, determining, by the computing hardware, to initiate a process to procure the vendor.

“4. The method of claim 1, wherein generating the customized training content comprising the portion of the training course comprises also determining that the training course has been updated since the user previously satisfied the training requirement.

“5. The method of claim 1, wherein the vendor criteria parameter comprises at least one of: (a) a jurisdiction of the vendor, (b) a classification of the vendor, © a type of data processed by the vendor, or (d) a volume of data processed by the vendor.

“6. A system comprising: processing hardware; computer memory communicatively coupled to the processing hardware; and a non-transitory computer-readable medium communicatively coupled to the processing hardware, and storing computer-executable instructions, wherein the processing hardware is configured for executing the computer-executable instructions and thereby performing operations comprising: receiving a request to procure a vendor for an entity from a user via a remote device, wherein the vendor is to provide at least one of a service or a product to the entity; determining vendor training criteria for the vendor; retrieving training data for the user, wherein the training data indicates a completion status identifying a progress of the user completing required training; determining a training requirement associated with a procurement of the vendor by the user based on the vendor training criteria, the training data, and at least one of a privacy impact assessment or a security assessment conducted on the vendor with respect to the vendor handling data for the entity; determining that the user is no longer in compliance with the training requirement based on the training data and the training requirement; responsive to determining that the user is no longer in compliance with the training requirement: generating customized training content comprising a portion of a training course associated with the training requirement based on the training data and the training requirement, wherein generating the customized training content comprising the portion of the training course comprises at least one of determining that a regulation associated with the training course has changed since the user previously satisfied the training requirement or determining that a predetermined amount of time has passed since the user previously satisfied the training requirement; and transmitting the customized training content to the remote device for presentation to the user; receiving an indication from the remote device that the user has satisfied the training requirement; and in response to receiving the indication, facilitating the procurement of the vendor.

“7. The system of claim 6, wherein the operations further comprise determining a vendor jurisdiction for the vendor, and determining the training requirement is further based on the vendor jurisdiction.

“8. The system of claim 6, wherein the operations further comprise determining a user jurisdiction for the user, and determining the training requirement is further based on the user jurisdiction.

“9. The system of claim 6, wherein the operations further comprise determining a role in an organization for the user, and determining the training requirement is further based on the role in the organization.

“10. The system of claim 6, wherein the operations further comprise determining a type of data to which the user will have access, and determining the training requirement is further based on the type of data.

“11. The system of claim 6, wherein determining the vendor training criteria comprises: accessing a data map associated with the vendor to retrieve vendor attributes; and determining the vendor training criteria based on the vendor attributes.

“12. The system of claim 6, wherein the training requirement comprises at least one of a privacy certification or a security certification.

“13. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by computing hardware, configure the computing hardware to perform operations comprising: detecting a modification of training material associated with a procurement of a vendor for an entity, wherein the vendor is to provide at least one of a service or a product to the entity; in response to detecting the modification of the training material, determining, based on at least one of a privacy impact assessment or a security assessment conducted on the vendor with respect to the vendor handling data for the entity, a training requirement associated with the training material; retrieving training data for a user, wherein the training data indicates a completion status identifying a progress of the user completing required training; determining that the user is no longer in compliance with the training requirement based on the modification of the training material; in response to determining that the user is no longer in compliance with the training requirement: generating customized training content comprising a portion of the training material based on the modification of the training material, wherein the modification comprises at least one of a regulation associated with the training course has changed since the user previously satisfied the training requirement or determining that a predetermined amount of time has passed since the user previously satisfied the training requirement; and transmitting the customized training content and a request to satisfy the training requirement to the user.

“14. The non-transitory computer-readable medium of claim 13, wherein: the training material is stored in a learning management system; and detecting the modification of the training material comprises monitoring the learning management system for the modification of the training material.

“15. The non-transitory computer-readable medium of claim 14, wherein monitoring the learning management system comprises periodically monitoring the learning management system.

“16. The non-transitory computer-readable medium of claim 13, wherein detecting the modification of the training material comprises: receiving a user request to update the training material; and updating the training material in response to the user request.

“17. The non-transitory computer-readable medium of claim 13, wherein the request to satisfy the training requirement comprises a plurality of questions associated with the training material.

“18. The non-transitory computer-readable medium of claim 13, wherein the user is associated with the vendor.”

For additional information on this patent, see: Barday, Kabir A. Data processing systems and methods for providing training in a vendor procurement process. U.S. Patent Number 11416798, filed August 24, 2021, and published online on August 16, 2022. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11416798.PN.&OS=PN/11416798RS=PN/11416798

(Our reports deliver fact-based news of research and discoveries from around the world.)