Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified using by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two, conflicting policies based on the criteria.

Abstract: In general, various aspects of the present disclosure provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for addressing a modified risk rating identifying a risk to an entity of having computer-implemented functionality provided by a vendor integrated with a computing system of the entity.

Abstract: The present disclosure provides methods, systems, computing devices, computing entities, and/or the like for identifying and/or retrieving targeted data found in unstructured documents.

Abstract: In general, various aspects of the present disclosure provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for addressing a modified risk rating identifying a risk to an entity of having computer-implemented functionality provided by a vendor integrated with a computing system of the entity.

Abstract: A data processing central consent repository system may be configured to, for example: (1) identify a form used to collect one or more pieces of personal data, (2) determine a data asset of a plurality of data assets of the organization where input data of the form is transmitted, (3) add the data asset to the third-party data repository with an electronic link to the form, (4) in response to a user submitting the form, create a unique subject identifier to submit to the third-party data repository and, along with the form data provided by the user in the form, to the data asset, (5) submit the unique subject identifier and the form data provided by the user to the third-party data repository and the data asset, and (6) digitally store the unique subject identifier and the form data in the third-party data repository and the data asset.

Abstract: A mobile application privacy analysis system is described, where the system scans a mobile device to identify files associated with a particular SDK and generates a tokenized name for the SDK. The tokenized name includes tokens representing the SDK vendor and one or more functions of the SDK. Using the tokenized name, the system then determines corresponding categories for each functionality token and score for each such category. Based on the scores, the system determines the most significant category and assigns that category to the SDK for use in privacy analysis. The system may also, or instead, determine a vendor category using the vendor token and assign that category to the SDK. Weighting factors may be applied to the scores for the categories associated with the functionality tokens and vendor tokens.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.

Abstract: A system and method for determining consent user interface validity for a provided consent user interface of a web form presenting consent information, comprising: accessing a consent user interface presented on a web form; determining one or more configuration attributes of the consent user interface; accessing one or more privacy regulations associated with presenting consent information; comparing the one or more configuration attributes of the consent user interface to each of the one or more privacy regulations; determining whether the consent user interface is compliant with each of the one or more privacy regulations; and in response to determining that the consent user interface is not compliant with one or more privacy regulations, flagging the consent user interface.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for efficiently processing data to allow for the streamlined assessment of risk ratings for one or more vendors. In various embodiments, the systems/methods may use one or more particular vendor attributes (e.g., as determined from scanning one or more webpages associated with the particular vendor) and the contents of one or more completed privacy templates for the vendor to determine a vendor risk rating for the particular vendor. As a particular example, the system may scan a website associated with the vendor to automatically determine one or more security certifications associated with the vendor and use that information, along with information from a completed privacy template for the vendor, to calculate a vendor risk rating that indicates the risk of doing business with the vendor.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

Abstract: Embodiments of the present invention provide methods, apparatus, systems, computing devices, computing entities, and/or the like for permitting or blocking tracking tools used through webpages. In particular embodiments, the method involves: scanning a webpage to identify a tracking tool configured for processing personal data; determining a data destination location that is associated with the tracking tool; and generating program code configured to: determine a location associated with a user who is associated with a rendering of the webpage; determine a prohibited data destination location based on the location associated with the user; determine that the data destination location associated with the tracking tool is not the prohibited data destination location; and responsive to the data destination location associated with the tracking tool not being the prohibited data destination location, permit the tracking tool to execute.

Abstract: A method for managing a consent receipt under an electronic transaction, comprising: receiving a request to initiate a transaction between the entity and the data subject; providing a privacy policy associated with the entity and based at least in part on the request to initiate the transaction between the entity and the data subject; accessing the privacy policy associated with the entity; storing one or more provisions of the privacy policy associated with the entity; providing a user interface for consenting to the privacy policy associated with the entity; receiving a selection to consent to the privacy policy associated with the entity and based at least in part on the request to initiate the transaction between the entity and the data subject; generating, by a third-party consent receipt management system, a consent receipt to the data subject; and storing the generated consent receipt.

Abstract: In general, various aspects of the present invention provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for identifying and documenting certain subject matter found in media content, as well as selectively redacting the subject matter found in media content. In accordance with various aspects, a method is provided that comprises: obtaining first metadata for media content, the metadata identifying a context and a portion of content for an individual; identifying, based on the context, a certain subject matter for the media content; determining that a particular item associated with the subject matter is present in the portion of content associated with the individual; generating second metadata to document the particular item present in the portion of content; and using the second metadata to selectively redacting the item from the portion of content associated with the individual upon request to do so with respect to the individual.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). For example, a first data asset may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.

Abstract: In various aspects, a data transfer discovery and analysis system may query an entity computing system to identify access credentials for third-party computing systems and scan each access credential to determine associated permissions provided by each access credential on the entity computing system. The data transfer discovery and analysis system may further inspect access logs to identify actual data transfers between the entity computing system and third-party computing systems as well as other access activity associated with each of the credentials. The system can generate and store a mapping of all actual data transfers (e.g., based on the access log data) and potential data transfers (e.g., based on particular access permissions) between/among the entity computing system and the third-party computing systems.

Abstract: Aspects of the present disclosure provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for protection of system software, or data from destruction, unauthorized modification, and/or unauthorized disclosure securing by, for example, detecting the transfer and/or processing of target data. Accordingly, a method is provided that involves: scanning a software application to identify functionality configured for processing target data; identifying fields associated with the functionality; identifying metadata associated with a field; generating, from the metadata, an identification of a type of data associated with the field; determining a location based on the processing of the target data by the functionality; determining a risk associated with the functionality processing the target data based on the location and the type of data; determining that the risk satisfies a threshold level of risk; and in response, causing an action to be performed to mitigate the risk.

Abstract: A chat robot may be used to facilitate interaction with a user in the determination of whether to initiate and process a data subject access request (DSAR). At a DSAR submission webpage, the chatbot may interact with a user to determine the information the user is in need of and/or the actions that the user may take. The chatbot may provide the information, avoiding the processing overhead of submission and fulfillment of a DSAR. In addition, data stored on a data asset may be migrated to another data asset while maintaining compliance to applicable regulations. Based on the type of data stored by that data asset and the applicable regulations, requirements, and/or restrictions that relate to a transfer of that type data from that data asset, a target data asset may be determined. The data stored on the data asset may then be transferred to the target data asset.

Abstract: A method of identifying one or more pieces of personal data associated with a data subject based at least in part on one or more triggering action; identifying a storage location of each of the one or more pieces of personal data associated with the data subject; automatically determining that a first portion of the one or more of the pieces of personal data has one or more legal bases for continued storage; automatically maintaining storage of the first portion of the one or more pieces of personal data; and automatically facilitating deletion of a second portion of the one or more pieces of personal data associated with the data subject.

Abstract: In particular embodiments, a consent conversion optimization system is configured to test two or more test consent interfaces against one another to determine which of the two or more consent interfaces results in a higher conversion percentage (e.g., to determine which of the two or more interfaces lead to a higher number of end users and/or data subjects providing a requested level of consent for the creation, storage and use or cookies by a particular website). The system may, for example, analyze end user interaction with each particular test consent interface to determine which of the two or more user interfaces: (1) result in a higher incidence of a desired level of provided consent; (2) are easier to use by the end users and/or data subjects (e.g., take less time to complete, require a fewer number of clicks, etc.); (3) etc.