Abstract: Data stored on a data asset may be migrated to another data asset while maintaining compliance to applicable regulations. A data asset may experience a failure. Based on the type of data stored by that data asset and the applicable regulations, requirements, and/or restrictions that relate to a transfer of that type data from that data asset, a target data asset may be determined. The data stored on the data asset may then be transferred to the target data asset. The disclosed systems may use data models and/or data maps in determining the requirements for a data transfer and selecting target data assets.

Abstract: In general, various aspects of the present invention provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for mapping the existence of target data within computing systems in a manner that does not expose the target data to potential data-related incidents. In accordance with various aspects, a method is provided that comprises: receiving a source dataset that comprises a label assigned to a data element used by a data source in handling target data that identifies a type of target data and data samples gathered for the data element; determining, based on the label, that the data samples are to be anonymized; generating supplemental anonymizing data samples associated with the label that comprise fictitious occurrences of the type of the target data; generating a review dataset comprising the supplemental anonymizing data samples intermingled with the data samples; and sending the review dataset to a review computing system.

Abstract: In general, various aspects provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for performing data discovery on a target computing system. In various aspects, a third party computing connects, via a public data network, to an edge node of the target computing system and instructs the target computing system to execute jobs to discover target data stored in data repositories in a private data network in the target computing system. In some aspects, the third party computing system may schedule the jobs on the target computing system based on computing resource availability on the target computing system.

Abstract: Aspects of the present invention provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for identifying data processing activities associated with various data assets based on data discovery results. In accordance various aspects, a method is provided comprising: identifying and scanning data assets to detect a subset of the data assets, wherein each asset of the subset is associated with a particular data element used for target data; generating a prediction for each pair of data assets of the subset on the target data flowing between the pair; identifying a data flow for the target data based on the prediction generated for each pair; and identifying a data processing activity associated with handling the target data based on a correlation identified for the particular data element, the subset, and/or the data flow with a known data element, subset, and/or data flow for the data processing activity.

Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.

Abstract: Aspects of the present invention provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for identifying data processing activities associated with various data assets based on data discovery results. In accordance various aspects, a method is provided comprising: identifying and scanning data assets to detect a subset of the data assets, wherein each asset of the subset is associated with a particular data element used for target data; generating a prediction for each pair of data assets of the subset on the target data flowing between the pair; identifying a data flow for the target data based on the prediction generated for each pair; and identifying a data processing activity associated with handling the target data based on a correlation identified for the particular data element, the subset, and/or the data flow with a known data element, subset, and/or data flow for the data processing activity.

Abstract: Aspects of the present invention provide methods, apparatuses, systems, computing devices, computing entities, and/or the like for detecting prejudice bias in machine-learning models and/or data sets used in training, testing, and/or validating the models. In accordance various aspects, a method is provided comprising: receiving a data set used for training, testing, and/or validating a model that comprises data instances; generating, using a classification model, a prediction of applicability for each sub-category of a plurality of sub-categories for each bias category of a plurality of bias categories for each data instance; determining that a particular sub-category for a particular bias category is applicable to a proportion of the data set, wherein predictions of applicability for the particular sub-category generated for the proportion of the data set satisfies a threshold; and determining, based on the proportion, that the data set has a prejudice bias with respect to the particular bias category.

Abstract: System and methods are disclosed for redacting analyzing unstructured data in a request for data associated with a data subject to determine whether the unstructured data is relevant to the request. The relevancy of pieces of the unstructured data may be determined by determining a categorization for each such piece of unstructured data and comparing them to known personal data associated with the data subject having the same categorization. Pieces of the unstructured data that do not match known personal data having the same categorization are redacted from the request before the request is processed.

Abstract: Examples described herein include systems and methods for controlling access to a server, such as an email server or a gateway, in situations where the identity of the requesting device is unknown or where the user device accesses the server using an unknown or unmanaged application. In one example, the system can utilize a user authentication credential included in the request to identify other devices belonging to the user that happen to be enrolled with the system. An out-of-band message can be sent to those enrolled devices, requesting confirmation from the user and, in conjunction with an authentication token, allowing the system to trust the previously unknown device. In the example of an unmanaged application attempting to access an email server, the system can confirm compliance of the requesting device and issue an authentication token that, along with an appropriate command sent to the email server, provides access.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: Various embodiments provide methods, apparatus, systems, computing devices, computing entities, and/or the like for identifying targeted data for a data subject across a plurality of data objects in a data source. In accordance with one embodiment, a method is provided comprising: receiving a request to identify targeted data for a data subject; identifying a first data object using metadata for a data source that identifies the first data object as associated with a first targeted data type for a data portion from the request; identifying a first data field from a graph data structure of the first data object that identifies the first data field as used for storing data having the first targeted data type; and querying the first data object based on the first data field and the data for the first targeted data type to identify a first targeted data portion for the data subject.

Abstract: Data stored on a data asset may be migrated to another data asset while maintaining compliance to applicable regulations. A data asset may experience a failure. Based on the type of data stored by that data asset and the applicable regulations, requirements, and/or restrictions that relate to a transfer of that type data from that data asset, a target data asset may be determined. The data stored on the data asset may then be transferred to the target data asset. The disclosed systems may use data models and/or data maps in determining the requirements for a data transfer and selecting target data assets.

Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.

Abstract: Examples described herein include systems and methods for controlling access to a server, such as an email server or a gateway, in situations where the identity of the requesting device is unknown or where the user device accesses the server using an unknown or unmanaged application. In one example, the system can utilize a user authentication credential included in the request to identify other devices belonging to the user that happen to be enrolled with the system. An out-of-band message can be sent to those enrolled devices, requesting confirmation from the user and, in conjunction with an authentication token, allowing the system to trust the previously unknown device. In the example of an unmanaged application attempting to access an email server, the system can confirm compliance of the requesting device and issue an authentication token that, along with an appropriate command sent to the email server, provides access.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: Data stored on a data asset may be migrated to another data asset while maintaining compliance to applicable regulations. A data asset may experience a failure. Based on the type of data stored by that data asset and the applicable regulations, requirements, and/or restrictions that relate to a transfer of that type data from that data asset, a target data asset may be determined. The data stored on the data asset may then be transferred to the target data asset. The disclosed systems may use data models and/or data maps in determining the requirements for a data transfer and selecting target data assets.

Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: Data stored on a data asset may be migrated to another data asset while maintaining compliance to applicable regulations. A data asset may experience a failure. Based on the type of data stored by that data asset and the applicable regulations, requirements, and/or restrictions that relate to a transfer of that type data from that data asset, a target data asset may be determined. The data stored on the data asset may then be transferred to the target data asset. The disclosed systems may use data models and/or data maps in determining the requirements for a data transfer and selecting target data assets.

Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.