DETAILED ACTION
Claims 1, 4-5, 9, 13-14 17 & 20-21 have been amended. Claims 3, 8, 11 & 18have been canceled. Claims 1-2, 4-7, 9-10, 12-17 & 19-21 remain pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/28/2021, 07/22/2021, and 08/10/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Steven Nugent on September 9, 2021. The application has been amended as follows: 
In the claims:
1.	(Currently Amended) A method comprising:
identifying, by computing hardware, a potential risk trigger involving data for an entity, wherein the potential risk trigger comprises a change in a legal or industry requirement related to the data;
determining, by computing hardware, a similar risk trigger, wherein the similar risk trigger is similar to the potential risk trigger and was previously experienced by at least one of the entity or a similarly situated entity, wherein the similarly situated entity comprises an entity having at least one of a same or similar geographic location as the entity, being in a same or similar industry as the entity, being a same or similar size with respect to employees as the entity, or being governed by a same or similar regulation as the entity;
determining, by the computing hardware, a relevance of a risk posed by the potential risk trigger based on the similar risk trigger;
identifying, by the computing hardware, a data model based on the data, wherein the data model comprises a representation of a plurality of data assets; 
analyzing, by the computing hardware, a respective plurality of inventory attributes for each of the plurality of data assets to identify a processing activity associated with a data asset of the plurality of data assets affected by the risk posed by the potential risk trigger, wherein analyzing the respective plurality of inventory attributes to identify the processing activity associated with the data asset affected by the risk posed by the potential risk trigger comprises identifying one of the plurality of inventory attributes represents the processing activity;  
determining, by the computing hardware, whether to perform an action based on the processing activity and the relevance of the risk posed by the potential risk trigger; and
responsive to determining to perform the action, having the action performed to remediate the risk posed by the potential risk trigger by the computing hardware.

2.	(Original) The method of claim 1, wherein identifying the data model based on the data comprises identifying the data model based on at least one of the plurality of data assets is used to at least one of process, collect, store, or transfer the data. 

3.	(Cancelled) 

4.	(Currently Amended) The method of claim 1, wherein the potential risk trigger comprises a breach of the data.

5.	(Currently Amended) The method of claim 1, wherein the action comprises at least one of modifying a level of encryption of the data or modifying a permission[[s]] for accessing the data.

6.	(Original) The method of claim 1, wherein the action comprises at least one of modifying a source of the data or modifying an amount of time for storing the data.

7.	(Original) The method of claim 1, wherein determining whether to perform the action based on the processing activity and the relevance of the risk posed by the potential risk trigger involves determining whether the relevance of the risk posed by the potential risk trigger satisfies a threshold risk level.

8.	(Cancelled) 

9.	(Currently Amended) A system comprising:
	a non-transitory computer-readable medium storing instructions; and
	a processing device communicatively coupled to the non-transitory computer-readable medium,
	wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: 

determining a similar risk trigger that is similar to the potential risk trigger and was previously experienced by at least one of the entity or a similarly situated entity, wherein the similarly situated entity comprises a second entity having at least one of a same or similar geographic location as the entity, being in a same or similar industry as the entity, being a same or similar size with respect to employees as the entity, or being governed by a same or similar regulation as the entity
determining a relevance of a risk posed by the potential risk trigger based on:
at least one of an amount of the data affected by the risk posed by the potential risk trigger or a type of the data affected by the risk posed by the potential risk trigger; and
the similar risk trigger;
identifying a data model based on the data, wherein the data model comprises a representation of a data asset; 
analyzing a plurality of inventory attributes for the data asset to identify a processing activity associated with the data asset affected by the risk posed by the potential risk trigger, wherein analyzing the plurality of inventory attributes for the data asset to identify the processing activity associated with the data asset affected by the risk posed by the potential risk trigger comprises identifying one of the plurality of inventory attributes represents the processing activity;  
determining whether to perform an action based on the processing activity and the relevance of the risk posed by the potential risk trigger; and
responsive to determining to perform the action, having the action performed to remediate the risk posed by the potential risk trigger.



11.	(Cancelled) 

12.	(Original) The system of claim 9, wherein determining the relevance of the risk posed by the potential risk trigger involves:
determining a similar risk trigger, wherein the similar risk trigger is similar to the potential risk trigger and was previously experienced by at least one of the entity or a similarly situated entity; and
determining the at least one of the amount of the data affected by the risk posed by the potential risk trigger or the type of the data affected by the risk posed by the potential risk trigger based on an amount of data affected by a risk posed by the similar risk trigger or a type of the data affected by the risk posed by the similar risk trigger.

13.	(Currently Amended) The system of claim 9, wherein the potential risk trigger comprises a breach of the data.

14.	(Currently Amended) The system of claim 9, wherein the action comprises at least one of modifying a level of encryption of the data or modifying a permission[[s]] for accessing the data.

15.	(Original) The system of claim 9, wherein the action comprises at least one of modifying a source of the data or modifying an amount of time for storing the data.

16.	(Original) The system of claim 9, wherein determining whether to perform the action based on the processing activity and the relevance of the risk posed by the potential risk trigger 

17. 	(Currently Amended) A non-transitory computer-readable medium storing computer-executable instructions that, when executed by processing hardware, configure the processing hardware to perform operations comprising: 
identifying a potential risk trigger involving data for an entity, wherein the potential risk trigger comprises a change in a legal or industry requirement related to the data;
determining a similar risk trigger, wherein the similar risk trigger is similar to the potential risk trigger and was previously experienced by at least one of the entity or a similarly situated entity, wherein the similarly situated entity comprises an entity having at least one of a same or similar geographic location as the entity, being in a same or similar industry as the entity, being a same or similar size with respect to employees as the entity, or being governed by a same or similar regulation as the entity;
determining a relevance of a risk posed by the potential risk trigger based on the similar risk trigger;
analyzing a plurality of inventory attributes found in a data model representing a data asset associated with the data to identify a processing activity associated with the data asset affected by the risk posed by the potential risk trigger, wherein analyzing the plurality of inventory attributes found in the data model representing the data asset associated with the data to identify the processing activity associated with the data asset affected by the risk posed by the potential risk trigger comprises identifying one of the plurality of inventory attributes represents the processing activity; and
determining whether to perform an action based on the processing activity and the relevance of the risk posed by the potential risk trigger, wherein responsive to determining to perform the action, the action is performed to remediate the risk posed by the potential risk trigger.

18.	(Cancelled)  

19.	(Original) The non-transitory computer-readable medium of claim 17, wherein determining the relevance of the risk posed by the potential risk trigger involves:
determining at least one of an amount of the data affected by the risk posed by the potential risk trigger or a type of the data affected by the risk posed by the potential risk trigger based on an amount of data affected by a risk posed by the similar risk trigger or a type of the data affected by the risk posed by the similar risk trigger; and
determining the relevance of the risk posed by the potential risk trigger based on the amount of the data affected by the risk posed by the potential risk trigger or the type of the data affected by the risk posed by the potential risk trigger.

20.	(Currently Amended) The non-transitory computer-readable medium of claim 17, wherein the potential risk trigger comprises a breach of the data.

21.	(Currently Amended) A computing system comprising:

the potential risk trigger comprises a change in a legal or industry requirement related to the data; and
 the similar risk trigger is similar to the potential risk trigger and was previously experienced by at least one of the entity or a similarly situated entity, wherein the similarly situated entity comprises a second entity having at least one of a same or similar geographic location as the entity, being in a same or similar industry as the entity, being a same or similar size with respect to employees as the entity, or being governed by a same or similar regulation as the entity;



PLEASE CANCEL CLAIMS 3, 8 & 11. 

Allowable Subject Matter
Claims 1-2, 4-7, 9-10, 12-17 & 19-21 are allowed. No reason for allowance is needed as the record is clear in light of applicant’s arguments and examiner amendment above. See MPEP 1302.14(l).

According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF E ULLAH whose telephone number is (571)272-5453.  The examiner can normally be reached on Mon-Fri 7:00-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHARIF E ULLAH/Primary Examiner, Art Unit 2495