Researchers Submit Patent Application, “Privacy Management Systems And Methods”, for Approval (USPTO 20220156657): OneTrust LLC
2022 JUN 07 (NewsRx) -- By a
The patent’s assignee is
News editors obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).
“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in
“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.
“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”
As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventors’ summary information for this patent application: “The details of one or more embodiments of the subject matter described in this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter may become apparent from the description, the drawings, and the claims.
“A method, according to various aspects, comprises: (1) receiving, by computing hardware via a first graphical user interface, an indication of a first jurisdiction, an indication of a second jurisdiction, and incident information for a data-related incident impacting an entity; (2) retrieving, by the computing hardware, a first reporting task for the first jurisdiction and a second reporting task for the second jurisdiction from a data structure; (3) determining, by the computing hardware, a first penalty for violation of the first reporting task and a second penalty for violation of the second reporting task; identifying, by the computing hardware, a conflict between satisfying the first reporting task and satisfying the second reporting task; (4) determining, by the computing hardware, a first risk level based on the incident information and the first penalty and a second risk level based on the incident information and the second penalty; (5) generating, by the computing hardware, a customized incident response plan by selecting the first reporting task rather than the second reporting task for inclusion in the incident response plan based on the identified conflict, the first risk level, and the second risk level; (6) generating, by the computing hardware, a second graphical user interface by configuring a presentation element configured for presenting the customized incident response plan on the second graphical user interface; and (7) transmitting, by the computing hardware, an instruction to a user device to retrieve the customized incident response plan and present the second graphical user interface on the user device.
“In some aspects: (1) the first reporting task comprises a requirement to report the incident within a first time period; (2) the second reporting task comprises a requirement to report the incident within a second time period; and (3) identifying the conflict between satisfying the first reporting task and satisfying the second reporting task comprises determining that the first time period does not intersect with the second time period. In still other aspects, identifying, by the computing hardware, the conflict between satisfying the first reporting task and satisfying the second reporting task comprises determining that the first reporting task comprises a requirement to delete data after a deadline and the second reporting task comprises a requirement to retain the data after the deadline.
“According to particular aspects, the method further comprises: (1) configuring, by the computing hardware, the first graphical user interface by configuring a map on the first graphical user interface that includes the first jurisdiction and the second jurisdiction; and (2) receiving the indication of the first jurisdiction and the indication of the second jurisdiction comprises receiving, via the map on the first graphical user interface, a selection of the first jurisdiction and the second jurisdiction.
“In a particular aspect, determining, by the computing hardware, the first risk level based on the incident information and the first penalty comprises: (1) calculating, by the computing hardware, a first penalty enforcement likelihood based on a first jurisdiction enforcement rate corresponding to the first penalty; (2) calculating, by the computing hardware, a first penalty magnitude; and (3) setting, by the computing hardware, the first risk based on the first penalty enforcement likelihood and the first penalty magnitude. In some aspects, determining, by the computing hardware, the second risk level based on the incident information and the second penalty comprises: (1) calculating, by the computing hardware, a second penalty enforcement likelihood based on a second jurisdiction enforcement rate corresponding to the second penalty; (2) calculating, by the computing hardware, a second penalty magnitude; and (3) setting, by the computing hardware, the second risk level based on the second penalty enforcement likelihood and the second penalty magnitude.
“In various aspects, determining, by the computing hardware, the first risk level based on the incident information and the first penalty comprises determining a first reporting task urgency based on at least one of a first reporting task deadline proximity or a first cure period availability; and determining, by the computing hardware, a second risk level based on the incident information and the second penalty comprises determining a second reporting task urgency based on at least one of a second reporting task deadline proximity or a second cure period availability. In still other aspects, generating, by the computing hardware, the second graphical user interface comprises: (1) generating an interactive list of actions corresponding to the customized incident response plan in an order based on at least one of respective action deadlines or respective penalties for noncompliance; (2) generating a map comprising a plurality of jurisdictions, the plurality of jurisdictions comprising a jurisdiction corresponding to a selected reporting task, wherein an indicator on the map for at least one jurisdiction affected by an incident corresponding to the incident information is based on an urgency of the first reporting task; and (3) configuring the second graphical user interface to include the interactive list of actions and the map.
“A system, in various aspects, comprises a non-transitory computer-readable medium storing instructions, and a processing device communicatively coupled to the non-transitory computer-readable medium. In particular aspects, the processing device is configured to execute the instructions and thereby perform operations comprising: (1) receiving, via a first graphical user interface, an indication of a first jurisdiction, an indication of a second jurisdiction, and incident information regarding an incident impacting an entity; (2) retrieving a first reporting task for the first jurisdiction and a second reporting task for the second jurisdiction from a data structure; (3) determining a first penalty for violation of the first reporting task and a second penalty for violation of the second reporting task; (4) determining a first risk level based on the incident information and the first penalty and a second risk level based on the incident information and the second penalty; (5) generating a customized incident response plan by ordering the first reporting task before the second reporting task in an incident response plan based on the first risk level and the second risk level; (6) generating a second graphical user interface by configuring a presentation element configured for presenting the customized incident response plan on the second graphical user interface; and (7) transmitting an instruction to a user device to retrieve the customized incident response plan and present the second graphical user interface on the user device.
“In various aspects, the operations further comprise: (1) configuring the first graphical user interface by configuring a map on the first graphical user interface that includes the first jurisdiction and the second jurisdiction; and/or (2) receiving the indication of the first jurisdiction and the indication of the second jurisdiction comprises receiving, via the map on the first graphical user interface, a selection of the first jurisdiction and the second jurisdiction. According to any aspect described herein: (1) the first reporting task may comprise at least one of a requirement to report the incident within a first time period; (2) the second reporting task may comprise at least one of a requirement to report the incident within a second time period; and (3) determining the first risk level and the second risk level may comprise determining which of the first time period and the second time period is a shorter time period. In still other aspects, the operations further comprise identifying a conflict between satisfying the first reporting task and satisfying the second reporting task and generating the customized incident response plan is further based on the identified conflict. In certain aspects, determining a first risk level based on the incident information and the first penalty comprises determining a first reporting task urgency based on a first cure period availability and determining a second risk level based on the incident information and the second penalty comprises determining a second reporting task urgency based on at least one of a second cure period availability. 
“In particular aspects, generating the second graphical user interface comprises: (1) generating an interactive list of actions corresponding to the customized incident response plan; and (2) generating a map comprising a plurality of jurisdictions, the plurality of jurisdictions comprising the first jurisdiction and the second jurisdiction, wherein at least one jurisdiction affected by an incident corresponding to the incident information is colored according to an urgency of the first reporting task.
“In some aspects, the operations further comprise: (1) determining a compliance cost of an action included in the customized incident response plan by querying a database using the incident information, the database storing past incidents in correlation with respective response times to comply with respective reporting tasks; and (2) deleting the action from the customized incident response plan in response to the compliance cost exceeding a threshold.”
There is additional summary information. Please visit full patent to read further.
The claims supplied by the inventors are:
“1. A method comprising: receiving, by computing hardware via a first graphical user interface, an indication of a first jurisdiction, an indication of a second jurisdiction, and incident information for a data-related incident impacting an entity; retrieving, by the computing hardware, a first reporting task for the first jurisdiction and a second reporting task for the second jurisdiction from a data structure; determining, by the computing hardware, a first penalty for violation of the first reporting task and a second penalty for violation of the second reporting task; identifying, by the computing hardware, a conflict between satisfying the first reporting task and satisfying the second reporting task; determining, by the computing hardware, a first risk level based on the incident information and the first penalty and a second risk level based on the incident information and the second penalty; generating, by the computing hardware, a customized incident response plan by selecting the first reporting task rather than the second reporting task for inclusion in the incident response plan based on the identified conflict, the first risk level, and the second risk level; generating, by the computing hardware, a second graphical user interface by configuring a presentation element configured for presenting the customized incident response plan on the second graphical user interface; and transmitting, by the computing hardware, an instruction to a user device to retrieve the customized incident response plan and present the second graphical user interface on the user device.
“2. The method of claim 1, wherein: the first reporting task comprises a requirement to report the incident within a first time period; the second reporting task comprises a requirement to report the incident within a second time period; and identifying the conflict between satisfying the first reporting task and satisfying the second reporting task comprises determining that the first time period does not intersect with the second time period.
“3. The method of claim 1, wherein: identifying, by the computing hardware, the conflict between satisfying the first reporting task and satisfying the second reporting task comprises determining that the first reporting task comprises a requirement to delete data after a deadline and the second reporting task comprises a requirement to retain the data after the deadline.
“4. The method of claim 1, wherein: the method further comprises configuring, by the computing hardware, the first graphical user interface by configuring a map on the first graphical user interface that includes the first jurisdiction and the second jurisdiction; and receiving the indication of the first jurisdiction and the indication of the second jurisdiction comprises receiving, via the map on the first graphical user interface, a selection of the first jurisdiction and the second jurisdiction.
“5. The method of claim 1, wherein: determining, by the computing hardware, the first risk level based on the incident information and the first penalty comprises: calculating, by the computing hardware, a first penalty enforcement likelihood based on a first jurisdiction enforcement rate corresponding to the first penalty; calculating, by the computing hardware, a first penalty magnitude; and setting, by the computing hardware, the first risk based on the first penalty enforcement likelihood and the first penalty magnitude; and determining, by the computing hardware, the second risk level based on the incident information and the second penalty comprises: calculating, by the computing hardware, a second penalty enforcement likelihood based on a second jurisdiction enforcement rate corresponding to the second penalty; calculating, by the computing hardware, a second penalty magnitude; and setting, by the computing hardware, the second risk level based on the second penalty enforcement likelihood and the second penalty magnitude.
“6. The method of claim 1, wherein: determining, by the computing hardware, the first risk level based on the incident information and the first penalty comprises determining a first reporting task urgency based on at least one of a first reporting task deadline proximity or a first cure period availability; and determining, by the computing hardware, a second risk level based on the incident information and the second penalty comprises determining a second reporting task urgency based on at least one of a second reporting task deadline proximity or a second cure period availability.
“7. The method of claim 1, wherein generating, by the computing hardware, the second graphical user interface comprises: generating an interactive list of actions corresponding to the customized incident response plan in an order based on at least one of respective action deadlines or respective penalties for noncompliance; generating a map comprising a plurality of jurisdictions, the plurality of jurisdictions comprising a jurisdiction corresponding to a selected reporting task, wherein an indicator on the map for at least one jurisdiction affected by an incident corresponding to the incident information is based on an urgency of the first reporting task; and configuring the second graphical user interface to include the interactive list of actions and the map.
“8. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: receiving, via a first graphical user interface, an indication of a first jurisdiction, an indication of a second jurisdiction, and incident information regarding an incident impacting an entity; retrieving a first reporting task for the first jurisdiction and a second reporting task for the second jurisdiction from a data structure; determining a first penalty for violation of the first reporting task and a second penalty for violation of the second reporting task; determining a first risk level based on the incident information and the first penalty and a second risk level based on the incident information and the second penalty; generating a customized incident response plan by ordering the first reporting task before the second reporting task in an incident response plan based on the first risk level and the second risk level; generating a second graphical user interface by configuring a presentation element configured for presenting the customized incident response plan on the second graphical user interface; and transmitting an instruction to a user device to retrieve the customized incident response plan and present the second graphical user interface on the user device.
“9. The system of claim 8, wherein: the operations further comprise configuring the first graphical user interface by configuring a map on the first graphical user interface that includes the first jurisdiction and the second jurisdiction; and receiving the indication of the first jurisdiction and the indication of the second jurisdiction comprises receiving, via the map on the first graphical user interface, a selection of the first jurisdiction and the second jurisdiction.
“10. The system of claim 8, wherein: the first reporting task comprises at least one of a requirement to report the incident within a first time period; the second reporting task comprises at least one of a requirement to report the incident within a second time period; and determining the first risk level and the second risk level comprises determining which of the first time period and the second time period is a shorter time period.
“11. The system of claim 8, wherein: the operations further comprise identifying a conflict between satisfying the first reporting task and satisfying the second reporting task; and generating the customized incident response plan is further based on the identified conflict.
“12. The system of claim 8, wherein: determining a first risk level based on the incident information and the first penalty comprises determining a first reporting task urgency based on a first cure period availability; and determining a second risk level based on the incident information and the second penalty comprises determining a second reporting task urgency based on at least one of a second cure period availability.
“13. The system of claim 8, wherein generating the second graphical user interface comprises: generating an interactive list of actions corresponding to the customized incident response plan; and generating a map comprising a plurality of jurisdictions, the plurality of jurisdictions comprising the first jurisdiction and the second jurisdiction, wherein at least one jurisdiction affected by an incident corresponding to the incident information is colored according to an urgency of the first reporting task.
“14. The system of claim 8, the operations further comprising: determining a compliance cost of an action included in the customized incident response plan by querying a database using the incident information, the database storing past incidents in correlation with respective response times to comply with respective reporting tasks; and deleting the action from the customized incident response plan in response to the compliance cost exceeding a threshold.”
There are additional claims. Please visit full patent to read further.
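The summary and the claims above describe the same procedure: look up one reporting task per jurisdiction, detect conflicts between tasks (claims 2 and 3), score each task's risk from enforcement likelihood, penalty magnitude and deadline urgency (claims 5 and 6), keep the higher-risk task when two conflict and order the rest by risk (claims 1 and 8), and drop actions whose compliance cost, estimated from past incidents, exceeds a threshold (claim 14). The following is a hypothetical worked model of that procedure, added here as an illustration; it is not OneTrust's code. The jurisdiction names, reporting windows, penalties, enforcement rates, the past-incident table and the scoring formulas are all constructed assumptions.

```python
"""Worked model of the incident-response planning method in the claims above.

Hypothetical example code written for this page, not OneTrust's implementation.
All jurisdictions, windows, penalties, enforcement rates and past-incident
figures are constructed sample values; the scoring formulas are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReportingTask:
    jurisdiction: str
    window_start: int          # earliest day after discovery a report is accepted
    window_end: int            # reporting deadline, in days after discovery
    penalty: float             # maximum fine for missing the deadline
    enforcement_rate: float    # share of violations the regulator acts on (0..1)
    cure_period: bool = False  # may a missed deadline be cured without penalty?
    data_action: Optional[str] = None  # "delete" or "retain" data after the deadline


@dataclass
class Incident:
    records_affected: int
    days_since_discovery: int


def conflict(a: ReportingTask, b: ReportingTask) -> Optional[str]:
    """Claims 2 and 3: why the two tasks cannot both be satisfied, or None."""
    if a.window_end < b.window_start or b.window_end < a.window_start:
        return "non-overlapping reporting windows"
    if {a.data_action, b.data_action} == {"delete", "retain"}:
        return "delete-vs-retain requirement"
    return None


def risk_level(task: ReportingTask, incident: Incident) -> float:
    """Claims 5 and 6: enforcement likelihood x penalty magnitude x urgency."""
    likelihood = task.enforcement_rate
    # Assumption: magnitude grows with breach size, capped at the full penalty.
    magnitude = task.penalty * min(1.0, incident.records_affected / 100_000)
    days_left = task.window_end - incident.days_since_discovery
    urgency = 2.0 if days_left <= 3 else 1.0   # deadline proximity (assumed step)
    if task.cure_period:
        urgency *= 0.5                         # an available cure period lowers urgency
    return likelihood * magnitude * urgency


def compliance_cost(task: ReportingTask, past_incidents) -> float:
    """Claim 14: mean response time (hours) of past incidents in this jurisdiction."""
    hours = [h for j, h in past_incidents if j == task.jurisdiction]
    return sum(hours) / len(hours) if hours else 0.0


def build_plan(tasks, incident, past_incidents, cost_threshold):
    """Claims 1, 8 and 14: resolve conflicts by risk, order by risk, prune by cost."""
    risk = {t.jurisdiction: risk_level(t, incident) for t in tasks}
    selected = list(tasks)
    conflicts = []
    for i, a in enumerate(tasks):
        for b in tasks[i + 1:]:
            if a not in selected or b not in selected:
                continue            # one side was already dropped by an earlier conflict
            reason = conflict(a, b)
            if reason:
                loser = a if risk[a.jurisdiction] < risk[b.jurisdiction] else b
                selected.remove(loser)
                conflicts.append((a.jurisdiction, b.jurisdiction, reason, loser.jurisdiction))
    selected.sort(key=lambda t: risk[t.jurisdiction], reverse=True)
    plan = []
    for t in selected:
        cost = compliance_cost(t, past_incidents)
        if cost > cost_threshold:   # claim 14: delete actions whose cost exceeds the threshold
            continue
        plan.append({"jurisdiction": t.jurisdiction, "deadline_day": t.window_end,
                     "risk": risk[t.jurisdiction], "compliance_cost_hours": cost})
    return plan, conflicts


# Constructed sample data (not figures from the patent).
TASKS = [
    ReportingTask("Alpha", 0, 3, 1_000_000, 0.8, data_action="retain"),
    ReportingTask("Beta", 10, 30, 200_000, 0.5, data_action="delete"),
    ReportingTask("Gamma", 0, 14, 50_000, 0.9, cure_period=True),
]
INCIDENT = Incident(records_affected=50_000, days_since_discovery=1)
PAST_INCIDENTS = [("Alpha", 20), ("Alpha", 28), ("Gamma", 60), ("Gamma", 80)]

if __name__ == "__main__":
    plan, found = build_plan(TASKS, INCIDENT, PAST_INCIDENTS, cost_threshold=48)
    for c in found:
        print(f"conflict {c[0]}/{c[1]} ({c[2]}): dropped {c[3]}")
    for step in plan:
        print(step)
```

With the sample data, Alpha and Beta conflict because Alpha's window closes on day 3 and Beta's opens on day 10; Alpha carries the higher risk and is kept. Gamma does not conflict with Alpha but is pruned by the claim 14 cost rule at a 48-hour threshold, which shows why that rule deserves scrutiny in practice: a high threshold keeps every non-conflicting obligation in the plan, a low one silently removes real reporting duties.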
For additional information on this patent application, see: Brannon,
(Our reports deliver fact-based news of research and discoveries from around the world.)