Invented by Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Kevin Jones, Jonathan Blake Brannon, OneTrust LLC

The market for data processing systems for identifying and assessing data processing risks, as well as remediating them using data modeling, is rapidly growing in today’s digital age. With the exponential increase in data generation and utilization, organizations are facing numerous challenges in managing and securing their data effectively. As a result, there is a pressing need for robust systems that can identify, assess, and remediate data processing risks efficiently.

Data processing risks refer to the potential threats and vulnerabilities that can compromise the integrity, confidentiality, and availability of data within an organization. These risks can arise from various sources, including cyberattacks, human errors, system failures, or even natural disasters. To mitigate these risks, organizations need to adopt proactive measures that can identify potential vulnerabilities, assess their impact, and remediate them promptly.

Data modeling plays a crucial role in this process by providing a structured framework for understanding and analyzing data. It involves creating a visual representation of data flows, relationships, and dependencies within an organization’s systems and processes. By using data modeling techniques, organizations can gain insights into how data is processed, stored, and transmitted, enabling them to identify potential risks and vulnerabilities.

The market for data processing systems that incorporate data modeling capabilities is witnessing significant growth due to several factors. Firstly, the increasing complexity of data processing systems necessitates advanced tools and technologies to manage and secure data effectively. Traditional methods of risk assessment and remediation are no longer sufficient in today’s dynamic and interconnected digital environment.

Secondly, regulatory compliance requirements are becoming more stringent, with data protection and privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) imposing heavy penalties for non-compliance. Organizations need robust systems that can help them identify and address potential risks to ensure compliance with these regulations.

Thirdly, the rising number of cyber threats and data breaches has highlighted the importance of proactive risk management. Organizations cannot afford to wait for a breach to occur before taking action. Data processing systems that incorporate data modeling can help organizations identify potential vulnerabilities and take preventive measures to mitigate risks before they materialize.

Several key players dominate the market for data processing systems with data modeling capabilities. These include established software vendors, specialized risk management firms, and consulting companies. These vendors offer a range of solutions that cater to different organizational needs, from small businesses to large enterprises. The features and functionalities offered by these systems vary, but they typically include capabilities such as data flow visualization, risk assessment algorithms, vulnerability scanning, and remediation planning. Some systems also leverage artificial intelligence and machine learning techniques to enhance risk identification and remediation processes.

In conclusion, the market for data processing systems for identifying and assessing data processing risks, as well as remediating them using data modeling, is witnessing rapid growth. The increasing complexity of data processing systems, regulatory compliance requirements, and the rising number of cyber threats are driving the demand for robust risk management solutions. Organizations must invest in these systems to ensure the integrity, confidentiality, and availability of their data in today’s digital landscape.

The OneTrust LLC invention works as follows

In various embodiments, a Data Model Adaptive Execution System can be configured to take a suitable action to mitigate a risk identified in light of one or several regulations (e.g. one or multiple legal regulations, binding corporate rules, etc.). In order to comply with one or several standards related to the storage and/or collection of personal data, a company may be required, for example, to change one or more aspects of the way it collects, stores and/or processes personal data. To determine whether a change or another risk trigger is a problem that needs to be addressed, the system can be configured to evaluate the relevance of the risk posed by each risk trigger and identify the processing activities or data assets which may be affected.

Background for Data processing systems for identifying and assessing data processing risks, as well as remediating them using data modeling techniques

Over the last few years, privacy policies and related security operations have gained in importance. Companies and organizations of all sizes are increasingly experiencing breaches in security that lead to unauthorized access to personal data, including sensitive data. Personal data can include, but is not limited to, personally identifiable information (PII), i.e. information that can directly or indirectly identify an individual. PII includes names, addresses, dates of birth and social security numbers. Other personal information may include the Internet browsing habits of customers, their purchase history or even preferences (e.g. likes and dislikes as provided by social media).

Many organizations that obtain, use and transfer sensitive personal data have started to address privacy and security concerns. Many companies have tried to implement operational processes and policies that are compliant with industry and legal requirements in order to manage personal data. There is a growing need for better systems and methods that manage personal data in compliance with these policies.

As individuals became more aware of the dangers associated with the theft and misuse of their data, they sought out additional tools to manage which entities processed their data. Currently, there is a need for better tools to allow individuals to reduce the number of entities that process their personal data. This includes entities with whom the individual does not actively conduct business.

The computer-implemented method of generating a visualization for one or more data transfers between one data asset and another, according to different embodiments, includes: (1) identifying the data assets that are associated with the entity; (2) analyzing them to identify the data elements; (3) defining the physical locations of each data asset and identifying the particular physical location for each data asset; (4) analyzing these data elements to determine the data transfers among the data systems at the various physical locations, and (5) determining the regulations that apply to the data

The computer-implemented methods of identifying and responding to one or multiple potential risks based on data models, in different embodiments, include: (1) identifying potential risk factors for an entity, (2) analyzing and assessing the potential risk factors to determine the relevance of the risk to the entity, (3) using data modeling techniques to identify data assets that are associated with the entity and may be affected by the risk, (4) determining, based in part on the one or more data assets identified and the relevance of the risk, whether to take any actions in response to the potential risk

The following will describe various embodiments in greater detail with reference to the drawings. The invention can take many forms, and is not limited to those described here. These embodiments have been provided to ensure that the disclosure is complete and accurate, and that those in the know are fully informed of the scope and nature of the invention. Like numbers refer to similar elements throughout.

Overview

A data-model generation and populating system according to certain embodiments is configured to create a data model (e.g. one or more data models) that maps a plurality of data assets used by a corporation or another entity (e.g. an individual, organization, or the like) in the context of, for instance, one or more business processes. In certain embodiments, the plurality of data assets (e.g. data systems) can include, for instance, any entity that collects, processes, contains and/or transfers data (e.g. a software program, “Internet of Things” computerized device, database, web site, data center, server, etc.). A first data asset could be any software or device used by an entity (e.g. servers or other devices) for data collection, processing and transfer.

The data model may store the following information in various embodiments: (1) the organization that owns and/or uses a particular data asset (a primary data asset, which is shown at the center of the data model in FIG. The primary data asset sources the information; (4) one (or more) data subjects or categories of data subject from which the information is collected for the use of the data resource; (5) a particular type of data collected by each application for storage and/or usage by the asset; (6) a particular individual (e.g. particular individuals or types) who is permitted to access or use the stored data; (7) the specific types of data transferred to the destination asset and the particular data transferred.

In certain embodiments, the data model stores this information for each of a number of different data assets. It may also include links, such as between a portion of the model which provides information on a particular first data asset, and a separate portion of the model which provides information on a particular second data asset.

In different embodiments, the system for data model generation and populating may be implemented within any privacy management system configured to ensure compliance with a number of legal and industry standards relating to the collection or storage of private information. In some embodiments, an organization, subgroup, or another entity can initiate a privacy activity or campaign (e.g. processing activity) in the context of its business. In these embodiments, a privacy campaign can include any activity undertaken by an organization, e.g. a project, or any other activity, that involves the collection, entry and/or storing (e.g. in memory) of any personal data related to one or more people. A privacy campaign can include, in certain embodiments, any project undertaken by an organisation that involves the use of personal information, or any activity that may have an impact on privacy for one or more people.

In any embodiment described, personal data can include, for instance: (1) the name of a data subject (which could be an individual); (2) their address; (3) their telephone number; (4) their e-mail address; (5) the social security number of the subject; (6) information relating to one or more credit accounts of the subject (e.g. credit card numbers); (7) banking information of the subject; (8) location data of the subject (e.g. present or previous location); (9) internet searches of the subject; (10) and/ In some embodiments, personal data can include cookies.

The system can generate a data model in various embodiments. In particular embodiments, when generating a data model, the system may: (1) identify one or more data assets associated with a particular organization; and (2) generate a data inventory for each of the data assets. The data inventory includes information such as: (a) one or more processing activities associated with the data asset; (b) transfer data associated with the data asset, including which data is transferred to or from the data asset and which data assets or individuals the data was received from or transferred to; and (c) personal data associated with the data asset (e.g. particular types of data stored, processed, etc.).

In particular embodiments, one or several techniques to populate the data model can include, for instance: (1) gathering information for the model using one or multiple questionnaires that are associated with a privacy campaign, processing activities, etc.; (2) using one or more of the intelligent identity scanning techniques described herein to identify personal data that is stored in a system and map it to a suitable model, data asset, etc.; and (3) obtaining the data model from a third party application or other application using an API.

In certain embodiments, a system is configured for generating and populating a data-model substantially on the fly, e.g. as it receives new data related to particular processing activities. In other embodiments, a data-model is generated and populated based, at least in part, on information already stored in the system (e.g. in one or multiple data assets), using, for example, one or several scanning techniques described in this document.

As can be seen from this disclosure, an organization could undertake different privacy campaigns, processing activities, etc. that include the collection and storage of personal data. In some embodiments, each of the multiple processing activities can collect redundant data, e.g. collect the same data more than once for an individual, and store the data or redundant data at one or several locations (e.g. on one or many different servers, databases, etc.). As a result, a specific organization may store personal data at a variety of locations, including known and unknown ones. The system can be configured to generate and populate a model of the data assets involved in the collection, storage and processing of personal data. This data model will facilitate a simple retrieval of the information stored by the organisation. In various embodiments, for example, the system can be configured to use data models to respond substantially automatically to one or multiple data access requests from an individual (or another organization). In other embodiments, data model generation and populating may enhance the functionality of an organization’s computing system by allowing a more streamlined retrieval of data from the system. Below, we describe in more detail the various embodiments of a method for creating and populating data models.

In particular embodiments, a Cross-Border Visualization Generation System can be configured to identify and analyze one or more data assets or data systems associated with an entity, and then identify a specific physical location for each data asset.

In various embodiments, a Data Model Adaptive Execution System can be configured to take one or more appropriate actions in light of one or several regulations (e.g. one or multiple legal regulations, binding corporate rules, etc.). In order to comply with one or several industry or legal standards relating to the collection or storage of private data (e.g. personal data), a company may be required by law to change one or more aspects of the way it collects, stores and/or processes such data. To determine whether a change or another risk trigger is a problem that needs to be addressed, the system can be configured to evaluate the relevance of the risks posed by a potential risk trigger. It may also identify specific processing activities or data assets which may be affected.

The system can, for example: (1) identify one or more potential risk triggers; (2) assess and analyze these potential triggers to determine the relevance of the risk; (3) use data modeling techniques to identify specific processing activities and/or assets that could be affected by the risks; (4) decide, based on the relevance of the risk and the affected processes/systems, whether to take any actions; and (5) take an appropriate action as a response to the risk triggers, if needed.

The risk triggers may include, for example, a change in legal or industry standards/regulations related to the collection, storage, and/or processing of personal data, a data breach, or any other suitable risk trigger. To remediate the risks, suitable actions may include, for instance, generating and submitting a report to a privacy officer or another individual, automatically changing the encryption level of certain data stored by the systems, quarantining specific data, etc.

In various embodiments, the system can be configured to determine, substantially automatically, whether or not to take action in response to one or more identified risk triggers (e.g. data breaches, regulatory changes, etc.). For example, the system may substantially automatically determine a relevance of a risk (e.g., a risk level) posed by the one or more potential risk triggers based at least in part on one or more previously-determined responses to similar risk triggers. This can include, for instance, one or more previously-determined responses for the entity that identified the current trigger, for one or more similarly situated entities, or for any other suitable entity.
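
The five risk-trigger steps and the use of previously-determined responses described above can be sketched as follows. This is an added example, not code from the patent or from OneTrust; the asset names, locations, scores, thresholds and action labels are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class DataAsset:
    name: str
    location: str        # physical location of the asset (country code)
    data_types: set      # personal-data categories held by the asset
    activities: set      # processing activities that use the asset
    transfers_to: list = field(default_factory=list)  # destination asset names

@dataclass
class RiskTrigger:
    kind: str            # e.g. "regulation_change" or "data_breach"
    locations: set       # jurisdictions the trigger concerns
    data_types: set      # personal-data categories the trigger concerns

# Constructed sample data model and response history (not from the patent).
MODEL = {a.name: a for a in [
    DataAsset("crm", "DE", {"name", "email"}, {"marketing"}, ["warehouse"]),
    DataAsset("warehouse", "US", {"email", "purchase_history"}, {"analytics"}),
    DataAsset("hr_db", "US", {"ssn", "bank_account"}, {"payroll"}),
    DataAsset("build_server", "DE", set(), {"ci"}),
]}
HISTORY = [("regulation_change", 0.75), ("regulation_change", 0.5), ("data_breach", 1.0)]

def relevance(trigger, history):
    """Risk level: mean score previously assigned to triggers of the same kind."""
    scores = [score for kind, score in history if kind == trigger.kind]
    return sum(scores) / len(scores) if scores else 0.5  # assumed default, no precedent

def affected_assets(trigger, model):
    """Assets in scope that hold the affected data, plus assets that receive it."""
    hit = {n for n, a in model.items()
           if a.location in trigger.locations and a.data_types & trigger.data_types}
    stack = list(hit)
    while stack:  # follow recorded transfers downstream
        for dst in model[stack.pop()].transfers_to:
            if dst not in hit and model[dst].data_types & trigger.data_types:
                hit.add(dst)
                stack.append(dst)
    return hit

def evaluate(trigger, model=MODEL, history=HISTORY, act_at=0.5, quarantine_at=0.9):
    """Decide on an action from the trigger's relevance and the affected assets."""
    score = relevance(trigger, history)
    assets = affected_assets(trigger, model)
    activities = set().union(*(model[n].activities for n in assets))
    if not assets or score < act_at:
        action = "none"
    elif score >= quarantine_at:
        action = "quarantine_data"
    else:
        action = "report_to_privacy_officer"
    return {"relevance": score, "assets": sorted(assets),
            "activities": sorted(activities), "action": action}

if __name__ == "__main__":
    print(evaluate(RiskTrigger("regulation_change", {"DE"}, {"email"})))
```

The US warehouse is flagged for a DE-scoped trigger only because the model records a transfer of the affected data type from the CRM, which is the kind of dependency a flat asset list would miss.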
