Patent Issued for Privacy management systems and methods (USPTO 11481710): OneTrust LLC
2022 NOV 11 (NewsRx) -- By a
The patent’s assignee for patent number 11481710 is
News editors obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).
“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in
“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.
“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “A method, according to various aspects, comprises: (1) providing, by computing hardware, a data breach information interface soliciting data breach information and one or more affected jurisdictions; (2) receiving, by the computing hardware via the data breach information interface, the data breach information and an indication of the one or more affected jurisdictions; (3) accessing, by the computing hardware based on the data breach information and the indication of the one or more affected jurisdictions, an ontology mapping a plurality of data breach response requirements to respective questions in a master questionnaire; (4) determining, by the computing hardware, data responsive to the questions in the master questionnaire based at least in part on the data breach information; (5) determining, by the computing hardware and based on the ontology and the data responsive to the questions in the master questionnaire, a data breach response requirement set for the one or more affected jurisdictions; (6) providing, by the computing hardware, a data breach response interface comprising a checklist, wherein a checklist item from the checklist corresponds to one or more requirements from the data breach response requirement set; (7) detecting, by the computing hardware, an activation of the checklist item indicating a completion of the one or more requirements; (8) generating, by the computing hardware, a data breach disclosure report for the one or more affected jurisdictions, the data breach disclosure report comprising an indication of the completion of the one or more requirements; and (9) providing, by the computing hardware, an interface for accessing the data breach disclosure report.
“In particular aspects, the method further comprises generating, by the computing hardware, the data breach response interface by: (1) configuring a first selectable object corresponding to a first data breach response requirement from the data breach response requirement set; (2) configuring the checklist as a first checklist to include: (A) a first checklist item corresponding to a first subtask of the first data breach response requirement; and (B) a second checklist item adjacent the first checklist item and corresponding to a second subtask of the first data breach response requirement; and (3) configuring a second selectable object adjacent the first selectable object and corresponding to a second data breach response requirement from the data breach response requirement set, the second selectable object being configured to access a second checklist corresponding to a set of subtasks for the second data breach response requirement. In other aspects, the method further comprises: (1) receiving, by the computing hardware via the data breach response interface, selection of the second selectable object; and (2) in response to receiving the selection of the second selectable object, modifying, by the computing hardware, the data breach response interface such that the second checklist obscures the first checklist.
“According to various aspects, the method comprises customizing, by the computing hardware, the data breach response interface based on the data responsive to the questions in the master questionnaire by modifying an order of each checklist item in the checklist. In still other aspects, the method comprises configuring the data breach response interface by configuring the checklist to include a first checklist item that corresponds to the one or more requirements from the data breach response requirement set and to exclude a second checklist item that corresponds to one or more second requirements that are not included in the data breach response requirement set. In still other embodiments, the method comprises: (1) identifying, by the computing hardware, a first data breach response requirement for a first jurisdiction and a second data breach response requirement for a second jurisdiction; (2) determining, by the computing hardware based on the ontology, that the first data breach response requirement and the second data breach response requirement are incompatible; (3) determining, by the computing hardware, a relative risk for failing to comply with the first data breach response requirement and the second data breach response requirement; and (4) configuring, by the computing hardware based on the relative risk, the data breach response requirement set to include the first data breach response requirement and exclude the second data breach response requirement.
“In still other aspects, the method comprises configuring, by the computing hardware, the data breach response interface by configuring the checklist to include a third checklist item that corresponds to the first data breach response requirement and exclude a fourth checklist item that corresponds to the second data breach response requirement. In particular aspects, the data breach information comprises at least one of a number of data subjects affected by a data breach, a discovery date of the data breach, a type of data affected by the data breach, and a volume of the data affected by the data breach.
“A system, according to various aspects, comprises a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium. In any aspect described herein, the processing device is configured to execute the instructions and thereby perform operations comprising: (1) providing a data breach information interface soliciting data breach information for a data breach; (2) receiving, via the data breach information interface, the data breach information; (3) accessing, based on the data breach information, an ontology mapping a plurality of data breach response requirements to respective questions in a master questionnaire; (4) determining data responsive to the questions in the master questionnaire based at least in part on the data breach information; (5) determining, based on the ontology and the data responsive to the questions in the master questionnaire, a data breach response requirement set for the data breach; (6) generating a data breach response interface comprising a set of interactive elements, wherein each interactive element from the set of interactive elements corresponds to a respective requirement from the data breach response requirement set; (7) providing the data breach response interface for display on a user device; (8) detecting an interaction with a first interactive element of the set of interactive elements indicating a completion of the respective requirement; (9) generating, by the computing hardware, a data breach disclosure report for the data breach, the data breach disclosure report comprising an indication of the completion of the respective requirement; and (10) providing an interface for accessing the data breach disclosure report.”
The claims supplied by the inventors are:
“1. A method comprising: providing, by computing hardware, a data breach information interface soliciting data breach information and one or more affected jurisdictions; receiving, by the computing hardware via the data breach information interface, the data breach information and an indication of the one or more affected jurisdictions; accessing, by the computing hardware based on the data breach information and the indication of the one or more affected jurisdictions, an ontology mapping a plurality of data breach response requirements to respective questions in a master questionnaire; determining, by the computing hardware, data responsive to the questions in the master questionnaire based at least in part on the data breach information; determining, by the computing hardware and based on the ontology and the data responsive to the questions in the master questionnaire, a data breach response requirement set for the one or more affected jurisdictions; providing, by the computing hardware, a data breach response interface comprising a checklist, wherein a checklist item from the checklist corresponds to one or more requirements from the data breach response requirement set; detecting, by the computing hardware, an activation of the checklist item indicating a completion of the one or more requirements; generating, by the computing hardware, a data breach disclosure report for the one or more affected jurisdictions, the data breach disclosure report comprising an indication of the completion of the one or more requirements; and providing, by the computing hardware, an interface for accessing the data breach disclosure report.
“2. The method of claim 1, further comprising generating, by the computing hardware, the data breach response interface by: configuring a first selectable object corresponding to a first data breach response requirement from the data breach response requirement set; configuring the checklist as a first checklist to include: a first checklist item corresponding to a first subtask of the first data breach response requirement; and a second checklist item adjacent the first checklist item and corresponding to a second subtask of the first data breach response requirement; configuring a second selectable object adjacent the first selectable object and corresponding to a second data breach response requirement from the data breach response requirement set, the second selectable object being configured to access a second checklist corresponding to a set of subtasks for the second data breach response requirement.
“3. The method of claim 2, further comprising: receiving, by the computing hardware via the data breach response interface, selection of the second selectable object; and in response to receiving the selection of the second selectable object, modifying, by the computing hardware, the data breach response interface such that the second checklist obscures the first checklist.
“4. The method of claim 1, further comprising customizing, by the computing hardware, the data breach response interface based on the data responsive to the questions in the master questionnaire by modifying an order of each checklist item in the checklist.
“5. The method of claim 1, the method further comprising configuring the data breach response interface by configuring the checklist to include a first checklist item that corresponds to the one or more requirements from the data breach response requirement set and to exclude a second checklist item that corresponds to one or more second requirements that are not included in the data breach response requirement set.
“6. The method of claim 1, further comprising: identifying, by the computing hardware, a first data breach response requirement for a first jurisdiction and a second data breach response requirement for a second jurisdiction; determining, by the computing hardware based on the ontology, that the first data breach response requirement and the second data breach response requirement are incompatible; determining, by the computing hardware, a relative risk for failing to comply with the first data breach response requirement and the second data breach response requirement; configuring, by the computing hardware based on the relative risk, the data breach response requirement set to include the first data breach response requirement and exclude the second data breach response requirement.
“7. The method of claim 6, further comprising configuring, by the computing hardware, the data breach response interface by configuring the checklist to include a third checklist item that corresponds to the first data breach response requirement and exclude a fourth checklist item that corresponds to the second data breach response requirement.
“8. The method of claim 1, wherein the data breach information comprises at least one of a number of data subjects affected by a data breach, a discovery date of the data breach, a type of data affected by the data breach, and a volume of the data affected by the data breach.
“9. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein the processing device is configured to execute the instructions and thereby perform operations comprising: providing a data breach information interface soliciting data breach information for a data breach; receiving, via the data breach information interface, the data breach information; accessing, based on the data breach information, an ontology mapping a plurality of data breach response requirements to respective questions in a master questionnaire; determining data responsive to the questions in the master questionnaire based at least in part on the data breach information; determining, based on the ontology and the data responsive to the questions in the master questionnaire, a data breach response requirement set for the data breach; generating a data breach response interface comprising a set of interactive elements, wherein each interactive element from the set of interactive elements corresponds to a respective requirement from the data breach response requirement set; providing the data breach response interface for display on a user device; detecting an interaction with a first interactive element of the set of interactive elements indicating a completion of the respective requirement; generating a data breach disclosure report for the data breach, the data breach disclosure report comprising an indication of the completion of the respective requirement; and providing an interface for accessing the data breach disclosure report.
“10. The system of claim 9, wherein: the set of interactive elements comprises: the first interactive element corresponding to a first data breach response requirement from the data breach response requirement set; and a second interactive element corresponding to a second data breach response requirement from the data breach response requirement set; generating the data breach response interface comprises positioning the first interactive element adjacent the second interactive element in an order based on the data responsive to the questions in the master questionnaire.
“11. The system of claim 10, wherein generating the data breach response interface comprises configuring the set of interactive elements such that each interactive element from the set of interactive elements is included in the set of interactive elements according to a respective priority determined based on the data responsive to the questions in the master questionnaire.
“12. The system of claim 11, wherein generating the data breach response interface comprises configuring the set of interactive elements such that the set of interactive elements form an ordered list of each respective requirement from the data breach response requirement set.
“13. The system of claim 9, wherein generating the data breach response interface comprises configuring the data breach response interface by configuring the set of interactive elements to include a third interactive element that corresponds to a third data breach response requirement from the data breach response requirement set and to exclude a fourth interactive element that corresponds to a fourth data breach response requirement that is not included in the data breach response requirement set.
“14. The system of claim 9, wherein the operations further comprise customizing the data breach response interface based on the data responsive to the questions in the master questionnaire by modifying a relative position of at least one interactive element in the set of interactive elements.
“15. The system of claim 9, wherein: the data breach information comprises a first jurisdiction affected by the data breach and a second jurisdiction affected by the data breach; the operations further comprise: determining, based on the data responsive to the questions in the master questionnaire, whether to include the first jurisdiction and the second jurisdiction in the data breach disclosure report; and in response to determining to include the first jurisdiction in the data breach disclosure report, generating the data breach disclosure report for the data breach by including the first jurisdiction and excluding the second jurisdiction.
“16. The system of claim 9, wherein the data breach information comprises at least one of a number of jurisdictions, a number of data subjects affected by the data breach, a discovery date of the data breach, a type of data affected by the data breach, and a volume of the data affected by the data breach.”
There are additional claims. Please visit full patent to read further.
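The summary and the claims above describe one workflow: breach information answers a master questionnaire, an ontology maps questionnaire answers to per-jurisdiction response requirements, incompatible requirements are resolved by relative risk, the surviving requirements become an ordered checklist, and completed checklist items feed a per-jurisdiction disclosure report. The following Python is an added illustration of that workflow written for this article; it is not OneTrust's code and not the patent's ontology. The jurisdictions (`J1`, `J2`), the questions, the deadlines, the risk weights and the incompatibility table are all constructed placeholders, not the text of any real statute.

```python
"""Toy model of the breach-response method described in the patent summary and claims.

Every jurisdiction, question, deadline, risk weight and incompatibility below is a
constructed placeholder chosen to exercise the method, not real legal content.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Requirement:
    req_id: str
    jurisdiction: str
    description: str
    question: str          # master-questionnaire question this requirement maps to
    triggers_when: object  # predicate over the answer to that question
    deadline_days: int     # days after discovery; used to order the checklist
    risk: int              # constructed relative risk of non-compliance
    subtasks: tuple = ()   # checklist items shown under this requirement


# Constructed ontology: each requirement is mapped to one questionnaire question.
ONTOLOGY = [
    Requirement("J1-REG", "J1", "Notify regulator", "subjects_affected",
                lambda n: n > 0, 3, 9, ("Draft notice", "Send via portal")),
    Requirement("J1-SUBJ", "J1", "Notify affected individuals", "data_sensitive",
                lambda s: s, 30, 7, ("Prepare letter", "Mail letter")),
    Requirement("J2-REG", "J2", "Notify regulator", "subjects_affected",
                lambda n: n >= 500, 7, 6, ("File report",)),
    Requirement("J2-HOLD", "J2", "Hold public notice pending investigation", "data_sensitive",
                lambda s: s, 14, 2, ("Record hold decision",)),
]

# Constructed incompatibility table: J1's individual notice cannot be satisfied
# together with J2's notice hold, so the higher-risk requirement is kept.
INCOMPATIBLE = {frozenset({"J1-SUBJ", "J2-HOLD"})}

# Constructed sample breach: 1,200 health records discovered on 2024-01-10.
SAMPLE_BREACH = {"subjects_affected": 1200, "data_type": "health",
                 "discovery_date": date(2024, 1, 10)}


def answer_questionnaire(breach_info: dict) -> dict:
    """Step 4: derive the questionnaire answers from the supplied breach information."""
    return {
        "subjects_affected": int(breach_info.get("subjects_affected", 0)),
        "data_sensitive": breach_info.get("data_type") in {"health", "financial", "biometric"},
        "discovery_date": breach_info["discovery_date"],
    }


def determine_requirement_set(answers: dict, jurisdictions: set) -> list:
    """Steps 3 and 5: select triggered requirements for the affected jurisdictions,
    drop the lower-risk member of every incompatible pair, order by deadline."""
    selected = {r.req_id: r for r in ONTOLOGY
                if r.jurisdiction in jurisdictions and r.triggers_when(answers[r.question])}
    for pair in INCOMPATIBLE:
        a, b = sorted(pair)
        if a in selected and b in selected:
            loser = min((selected[a], selected[b]), key=lambda r: r.risk)
            del selected[loser.req_id]
    return sorted(selected.values(), key=lambda r: r.deadline_days)


def build_checklist(reqs: list, answers: dict) -> list:
    """Step 6: one checklist item per subtask, in requirement-deadline order."""
    found = answers["discovery_date"]
    return [{"req_id": r.req_id, "subtask": s, "done": False,
             "due": found + timedelta(days=r.deadline_days)}
            for r in reqs for s in r.subtasks]


def complete_item(checklist: list, req_id: str, subtask: str) -> None:
    """Step 7: activating a checklist item records the subtask as complete."""
    for item in checklist:
        if item["req_id"] == req_id and item["subtask"] == subtask:
            item["done"] = True


def generate_report(checklist: list, reqs: list) -> dict:
    """Step 8: per-jurisdiction report stating which requirements are fully complete."""
    report = {}
    for r in reqs:
        items = [i for i in checklist if i["req_id"] == r.req_id]
        report.setdefault(r.jurisdiction, {})[r.req_id] = all(i["done"] for i in items)
    return report


def run_workflow(breach_info: dict, jurisdictions: set, completed=()) -> tuple:
    """Run steps 4 through 8 and return (requirement set, checklist, report)."""
    answers = answer_questionnaire(breach_info)
    reqs = determine_requirement_set(answers, jurisdictions)
    checklist = build_checklist(reqs, answers)
    for req_id, subtask in completed:
        complete_item(checklist, req_id, subtask)
    return reqs, checklist, generate_report(checklist, reqs)


def demo() -> tuple:
    """Sample run: both jurisdictions affected, J1 regulator notice already done."""
    return run_workflow(SAMPLE_BREACH, {"J1", "J2"},
                        completed=[("J1-REG", "Draft notice"), ("J1-REG", "Send via portal")])


if __name__ == "__main__":
    reqs, checklist, report = demo()
    print([r.req_id for r in reqs])   # J2-HOLD dropped: it conflicts with higher-risk J1-SUBJ
    print(report)
```

In the sample run the two-jurisdiction breach triggers all four constructed requirements; the conflict table then removes `J2-HOLD` because its constructed risk weight (2) is below that of `J1-SUBJ` (7), which is the relative-risk resolution the summary describes in step (4) of its "still other embodiments" paragraph and claim 6. With only `J2` affected, no conflict arises and both J2 requirements survive, which shows why the jurisdiction set has to be an input to the requirement-set step rather than a filter applied afterwards.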
For additional information on this patent, see: Brannon,
(Our reports deliver fact-based news of research and discoveries from around the world.)