Abstract: Responding to a data subject access request includes receiving the request and identifying the requestor and source. In response to identifying the requestor and source, a computer processor determines whether the data subject access request is subject to fulfillment constraints, including whether the requestor or source is malicious. If so, then the computer processor denies the request or requests a processing fee prior to fulfillment. If not, then the computer processor fulfills the request.

Abstract: Embodiments of the present invention provide methods, apparatus, systems, computing devices, computing entities, and/or the like for verifying the identity of a data subject. In one embodiment, a method is provided comprising: receiving, via a browser, a consumer rights request for a data subject for performing an action with regard to personal data associated with the data subject; detecting a state of the browser indicating a location; identifying a law based on the location; determining a level of identity verification required based on the law; generating, based on the level, a GUI by configuring a first prompt on the GUI configured for receiving input for a first type of identity verification; transmitting an instruction to present the GUI; receiving the input for the first type of identity verification; verifying the identity of the data subject based on the input; and responsive to verifying the identity, causing performance of the action.

Abstract: A data processing central consent repository system may be configured to, for example: (1) identify a form used to collect one or more pieces of personal data, (2) determine a data asset of a plurality of data assets of the organization where input data of the form is transmitted, (3) add the data asset to the third-party data repository with an electronic link to the form, (4) in response to a user submitting the form, create a unique subject identifier to submit to the third-party data repository and, along with the form data provided by the user in the form, to the data asset, (5) submit the unique subject identifier and the form data provided by the user to the third-party data repository and the data asset, and (6) digitally store the unique subject identifier and the form data in the third-party data repository and the data asset.

Abstract: A consent receipt management and data processing system may be configured to provide a centralized repository of consent receipt preferences for a plurality of data subjects. In various embodiments, the system is configured to provide an interface to the plurality of data subjects for modifying consent preferences and capture consent preference changes. The system may provide the ability to track the consent status of pending and confirmed consents. In other embodiments, the system may provide a centralized repository of consent receipts that a third-party system may reference when taking one or more actions related to a processing activity.

Abstract: In various embodiments, a system may be configured to analyze data for a particular consent capture point to identify a change in consent capture rate from the capture point. The system may, for example, be configured to automatically detect that the system has stopped receiving consent records from a particular capture point. In such embodiments, the system may be configured to generate an alert, and transmit the alert to any suitable individual (e.g., privacy team member, IT department member, etc.) regarding the capture point. The system may, for example, enable an entity to identify one or more capture points that may have become non-functional (e.g., as a result of one or more changes to the capture point).

Abstract: In various embodiments, a data map generation system is configured to receive a request to generate a privacy-related data map for particular computer code, and, at least partially in response to the request, determine a location of the particular computer code, automatically obtain the particular computer code based on the determined location, and analyze the particular computer code to determine privacy-related attributes of the particular computer code, where the privacy-related attributes indicate types of personal information that the particular computer code collects or accesses. The system may be further configured to generate and display a data map of the privacy-related attributes to a user.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified using by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two, conflicting policies based on the criteria.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for efficiently processing data to allow for the streamlined assessment of risk ratings for one or more vendors. In various embodiments, the systems/methods may use one or more particular vendor attributes (e.g., as determined from scanning one or more webpages associated with the particular vendor) and the contents of one or more completed privacy templates for the vendor to determine a vendor risk rating for the particular vendor. As a particular example, the system may scan a website associated with the vendor to automatically determine one or more security certifications associated with the vendor and use that information, along with information from a completed privacy template for the vendor, to calculate a vendor risk rating that indicates the risk of doing business with the vendor.

Abstract: A chat robot may be used to facilitate interaction with a user in the determination of whether to initiate and process a data subject access request (DSAR). At a DSAR submission webpage, the chatbot may interact with a user to determine the information the user is in need of and/or the actions that the user may take. The chatbot may provide the information desired by the user, avoiding the processing overhead of submission and fulfillment of a DSAR. The chatbot may also facilitate completion of a DSAR on behalf of the user when needed.

Abstract: The disclosed systems facilitate collection and management of personal data management documentation requirements and associated data. A master questionnaire is used to solicit information regarding documentation requirements for several contexts in a single interaction and responsive data can be mapped to questionnaires and/or datasets for particular contexts, such as jurisdictions and business sectors. The system can generate graphical user interfaces for presenting the documentation requirement data for a particular context by generating an interface with navigational elements for various contexts, detecting browser state data indicating user manipulation of one or more such elements, and generating a subsequent graphical user interface based on the browser context data.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for automatically assessing the level of security and/or privacy risk associated with doing business with a particular vendor or other entity and for generating training material for such vendors. In various embodiments, the systems may automatically obtain and use any suitable information to assess such risk levels including, for example: (1) any security and/or privacy certifications held by the vendor; (2) the terms of one or more contracts between a particular entity and the vendor; (3) the results of one or more privacy impact assessments for the vendor; and/or (4) any other suitable data. The system may be configured to automatically approve or reject a particular vendor based on the assessed risk level associated with the vendor and this information may be automatically communicated to an entity considering doing business with the vendor and/or the vendor itself.

Abstract: In particular embodiments, an Orphaned Data Action System is configured to analyze one or more data systems (e.g., data assets), identify one or more pieces of personal data that are one or more pieces of personal data that are not associated with one or more privacy campaigns of the particular organization, and notify one or more individuals of the particular organization of the one or more pieces of personal data that are one or more pieces of personal data that are not associated with one or more privacy campaigns of the particular organization.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for automatically assessing the level of security and/or privacy risk associated with doing business with a particular vendor or other entity and for generating training material for such vendors. In various embodiments, the systems may automatically obtain and use any suitable information to assess such risk levels including, for example: (1) any security and/or privacy certifications held by the vendor; (2) the terms of one or more contracts between a particular entity and the vendor; (3) the results of one or more privacy impact assessments for the vendor; and/or (4) any other suitable data. The system may be configured to automatically approve or reject a particular vendor based on the assessed risk level associated with the vendor and this information may be automatically communicated to an entity considering doing business with the vendor and/or the vendor itself.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

Abstract: In particular embodiments, in response a data subject submitting a request to delete their personal data from an organization's systems, the system may: (1) automatically determine where the data subject's personal data is stored; (2) in response to determining the location of the data (which may be on multiple computing systems), automatically facilitate the deletion of the data subject's personal data from the various systems; and (3) determine a cause of the request to identify one or more processing activities or other sources that result in a high number of such requests.

Abstract: A privacy management system that is adapted for, in the course of processing a particular data subject access request, automatically determining a type of the data subject access request, such as: (1) a request to delete personal data of the requestor that is being stored by a particular organization; (2) a request to provide, to the requestor, personal data of the requestor that is being stored by the particular organization; (3) a request to update personal data of the requestor that is being stored by the particular organization; and (4) a request to opt out of having the particular organization use the requestor's personal information in one or more particular ways. After making this determination, the system may determine, based on the determined type of data subject access request, a particular workflow to follow in authenticating the data subject before fulfilling the data subject access request.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: In particular embodiments, a data subject request processing system may be configured to utilize one or more local storage nodes in order to process a data subject access request on behalf of a data subject. In particular embodiments, the one or more local storage nodes may be local to the data subject making the request (e.g., in the same country as the data subject, in the same jurisdiction, in the same geographic area, etc.). The system may, for example, be configured to: (1) receive a data subject access request from a data subject (e.g., via a web form); (2) identify a suitable local storage node based at least in part on the request and/or the data subject; (3) route the data subject access request to the identified local storage node; and (4) process the data subject access request at the identified local storage node.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

Abstract: A data transfer analysis system is disclosed that analyzes data transfer log entries to determine whether a data transfer is authorized. The system determines information about the data assets involved in the data transfer (e.g., network address, geographical location, etc.) and uses a data map to determine if data transfers are authorized between the two data assets. If not, the system may take one or more actions, such as generating a notification, terminating the data transfer, restricting the access of the user that initiated the transfer, modifying network communications capabilities between the assets to prevent future transfers, and storing metadata that can be used to prevent future such transfers.