US2023161906A1PendingUtilityA1

Data processing systems for data transfer risk identification and related methods

68
Assignee: ONETRUST LLCPriority: Jun 10, 2016Filed: Jan 20, 2023Published: May 25, 2023
Est. expiryJun 10, 2036(~9.9 yrs left)· nominal 20-yr term from priority
G06F 40/174G06F 16/951G06F 40/20G06F 16/972G06F 21/31G06F 21/6245G06F 16/955G06F 21/84
68
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A data processing central consent repository system may be configured to, for example: (1) identify a form used to collect one or more pieces of personal data, (2) determine a data asset of a plurality of data assets of the organization where input data of the form is transmitted, (3) add the data asset to the third-party data repository with an electronic link to the form, (4) in response to a user submitting the form, create a unique subject identifier to submit to the third-party data repository and, along with the form data provided by the user in the form, to the data asset, (5) submit the unique subject identifier and the form data provided by the user to the third-party data repository and the data asset, and (6) digitally store the unique subject identifier and the form data in the third-party data repository and the data asset.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method in which first computing hardware performs operations comprising:
 instructing second computing hardware to evaluate a data transfer risk between a first data asset and a second data asset, wherein the second computing hardware evaluates the data transfer risk by:
 analyzing a data model associated with the first data asset and the second data asset to identify a transfer of data between the first data asset and the second data asset, wherein:
 the data model comprises a data structure defining a first set of data attributes for the first data asset and a second set of data attributes for the second data asset, 
 at least one of the first set of data attributes or the second set of data attributes identifies the transfer of the data, and 
 analyzing the data model to identify the transfer of the data comprises analyzing at least one of the first set of data attributes or the second set of data attributes to identify the transfer of the data; 
 
   performing a data transfer assessment to identify the data transfer risk by using a set of data transfer rules applicable to the transfer of the data based on a type for the data; and   generating a risk rating for the transfer of the data from the first data asset to the second data asset based on the data transfer risk; and   performing an action to address the data transfer risk, wherein the action comprises at least one of (i) generating a secure link between the first data asset and the second data asset so that the transfer of the data can be conducted via the secure link, (ii) terminating the transfer of the data from the first data asset to the second data asset, or (iii) having the data involved in the transfer encrypted.   
     
     
         2 . The method of  claim 1  further comprising determining the risk rating satisfies a risk threshold, wherein performing the action is in response to determining that the risk rating satisfies the risk threshold. 
     
     
         3 . The method of  claim 1 , wherein the second computing hardware further evaluates the data transfer risk by determining the risk rating satisfies a risk threshold, and performing the action is in response to determining that the risk rating satisfies the risk threshold. 
     
     
         4 . The method of  claim 1 , wherein the action that involves terminating the transfer of the data from the first data asset to the second data asset comprises:
 requesting, via a user interface, user approval of the transfer of the data from the first data asset to the second data asset;   receiving an indication of user disapproval of the transfer of the data originating from the user interface; and   responsive to receiving the indication of user disapproval, causing termination of the transfer of the data from the first data asset to the second data asset.   
     
     
         5 . The method of  claim 1 , wherein the set of data transfer rules comprise at least one of:
 (a) rules associated with at least one encryption level,   (b) rules associated with at least one storage time limitation, or   (c) rules associated with at least one access restriction.   
     
     
         6 . The method of  claim 1 , wherein each of the first data asset and the second data asset comprises at least one of software or a hardware device. 
     
     
         7 . The method of  claim 1 , wherein the set of data transfer rules comprises at least one of:
 a privacy law framework appliable to at least one of a first location associated with the first data asset or a second location associated with the second data asset, or   an entity framework applicable to at least one of a first entity associated with the first data asset or a second entity associated with the second data asset.   
     
     
         8 . A non-transitory computer-readable medium storing computer-executable instructions that, when executed by first processing hardware, configure the first processing hardware to perform operations comprising:
 instructing second processing hardware to evaluate a data transfer risk between a first data asset and a second data asset, wherein the second processing hardware evaluates the data transfer risk by:
 analyzing a data model associated with the first data asset to identify a transfer of the data between the first data asset and the second data asset, wherein:
 the data model comprises a data structure defining a first set of data attributes for the first data asset, 
 the first set of data attributes identifies the transfer of the data, and 
 analyzing the data model to identify the transfer of the data comprises 
 
 analyzing the first set of data attributes to identify the transfer of the data; 
   performing a data transfer assessment to identify the data transfer risk by using a set of data transfer rules applicable to the transfer of the data based on a type for the data; and   generating a risk rating for the transfer of the data from the first data asset to the second data asset based on the data transfer risk; and   performing an action to address the data transfer risk, wherein the action comprises at least one of (i) generating a secure link between the first data asset and the second data asset so that the transfer of the data can be conducted via the secure link, (ii) terminating the transfer of the data from the first data asset to the second data asset, or (iii) having the data involved in the transfer encrypted.   
     
     
         9 . The non-transitory computer-readable medium of  claim 8 , wherein the operations further comprise determining the risk rating satisfies a risk threshold, and performing the action is in response to determining that the risk rating satisfies the risk threshold. 
     
     
         10 . The non-transitory computer-readable medium of  claim 8 , wherein the second processing hardware further evaluates the data transfer risk by determining the risk rating satisfies a risk threshold, and performing the action is in response to determining that the risk rating satisfies the risk threshold. 
     
     
         11 . The non-transitory computer-readable medium of  claim 8 , wherein the action that involves terminating the transfer of the data from the first data asset to the second data asset comprises:
 requesting, via a user interface, user approval of the transfer of the data from the first data asset to the second data asset;   receiving an indication of user disapproval of the transfer of the data originating from the user interface; and   responsive to receiving the indication of user disapproval, causing termination of the transfer of the data from the first data asset to the second data asset.   
     
     
         12 . The non-transitory computer-readable medium of  claim 8 , wherein the set of data transfer rules comprise at least one of:
 (a) rules associated with at least one encryption level,   (b) rules associated with at least one storage time limitation, or   (c) rules associated with at least one access restriction.   
     
     
         13 . The non-transitory computer-readable medium of  claim 8 , wherein each of the first data asset comprises at least one of software or a hardware device. 
     
     
         14 . The non-transitory computer-readable medium of  claim 8 , wherein the set of data transfer rules comprises at least one of:
 a privacy law framework appliable to at least one of a first location associated with the first data asset or a second location associated with the second data asset, or   an entity framework applicable to at least one of a first entity associated with the first data asset or a second entity associated with the second data asset.   
     
     
         15 . A system comprising:
 first computing hardware configured to perform operations comprising:
 analyzing a data model associated with a first data asset and a second data asset to identify a transfer of data between the first data asset and the second data asset, wherein:
 the data model comprises a data structure defining a first set of data attributes for the first data asset and a second set of data attributes for the second data asset, 
 at least one of the first set of data attributes or the second set of data attributes identifies the transfer of the data, and 
 analyzing the data model to identify the transfer of the data comprises analyzing at least one of the first set of data attributes or the second set of data attributes to identify the transfer of the data; 
 
   performing a data transfer assessment to identify a data transfer risk by using a set of data transfer rules applicable to the transfer of the data based on a type for the data; and   generating a risk rating for the transfer of the data from the first data asset to the second data asset based on the data transfer risk; and   second computing hardware communicatively coupled to the first computing hardware, the second computing hardware configured to perform an action to address the data transfer risk, wherein the action comprises at least one of (i) generating a secure link between the first data asset and the second data asset so that the transfer of the data can be conducted via the secure link, (ii) terminating the transfer of the data from the first data asset to the second data asset, or (iii) having the data involved in the transfer encrypted.   
     
     
         16 . The system of  claim 15 , wherein the first computing hardware is further configured to perform operations comprising determining the risk rating satisfies a risk threshold, and performing the action is in response to determining that the risk rating satisfies the risk threshold. 
     
     
         17 . The system of  claim 15 , wherein the second computing hardware is configured to perform operations comprising determining the risk rating satisfies a risk threshold, and performing the action is in response to determining that the risk rating satisfies the risk threshold. 
     
     
         18 . The system of  claim 15 , wherein the action that involves terminating the transfer of the data from the first data asset to the second data asset comprises:
 requesting, via a user interface, user approval of the transfer of the data from the first data asset to the second data asset;   receiving an indication of user disapproval of the transfer of the data originating from the user interface; and   responsive to receiving the indication of user disapproval, causing termination of the transfer of the data from the first data asset to the second data asset.   
     
     
         19 . The system of  claim 15 , wherein the set of data transfer rules comprise at least one of:
 (a) rules associated with at least one encryption level,   (b) rules associated with at least one storage time limitation, or   (c) rules associated with at least one access restriction.   
     
     
         20 . The system of  claim 15 , wherein the set of data transfer rules comprises at least one of:
 a privacy law framework appliable to at least one of a first location associated with the first data asset or a second location associated with the second data asset, or   an entity framework applicable to at least one of a first entity associated with the first data asset or a second entity associated with the second data asset.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.