DETAILED ACTION
This action is in response to a filing filed on November 11th, 2019. Claims 1-27 is/are currently pending. The Information Disclosure Statement (IDS) filed on November 11th, 2019, has been acknowledged.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-27 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more.
Step 1: Claims 1-24 is/are drawn to system (i.e., a manufacture), and claims 25-27 is/are drawn to method (i.e., a process). As such, claims 1-27 is/are drawn to one of the statutory categories of invention (Step 1: YES).
Step 2A - Prong One: In prong one of step 2A, the claim(s) is/are analyzed to evaluate whether it/they recite(s) a judicial exception.  
Representative Claim 1: A system to facilitate proprietary data protection for an enterprise, comprising: 
(a) an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure; 
and (b) a compliance computer platform, coupled to the proprietary data store, including: 
a computer processor, and a computer memory coupled to the computer processor and storing computer instructions that, when executed by the computer processor, cause the compliance computer platform to: 
(i) receive the proprietary data and associated governance structure from the enterprise proprietary data store, 
(ii) define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, 
(iii) define privacy objectives for the proprietary data based on the governance structure, 
and (iv) define specific machine-level controls to test and confirm compliance with the governance structure.
(Examiner notes: The underlined claim terms above are interpreted as additional elements beyond the abstract idea and are further analyzed under Step 2A - Prong Two)
Under their broadest reasonable interpretation, the steps recited an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure to receive the proprietary data and associated governance structure from the enterprise proprietary data store, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure (i.e., recite a process, that, under their broadest reasonable interpretation, covers performance of the limitation(s) in the commercial interactions (including agreements in the form of contracts; advertising, marketing or sales activities or behaviors; business relationship), then it falls within the “certain methods of organizing human activity” subject matter grouping of abstract ideas and also (i.e., one or more concepts performed in the human mind, such as one or more observations, evaluations, judgments, opinions), then it also falls within the “Mental Processes” and is an abstract idea.
	Dependent claims 2-24 and 26-27 further narrow the abstract idea by automatically create an action plan including a series of tasks to help ensure or demonstrate compliance with the decision accountabilities, privacy objectives, and specific machine-level controls, identity of an external consumer is validated against criteria for confident authentication and flagged for potentially fraudulent activity, contractual constraints are converted into enterprise-wide system requirements, identifies and tags information defining appropriate ownership, a flow of information across repositories is scanned, information around data flowing among inventoried applications is digitized into technology that allows for user reporting and system integration, system connects a user to an enterprise application inventory to extract system ownership and contacts owners with requirements, requirements are generalized for scalability across multiple systems, requirements are converted into tasks, designed in a central reference, and stored in the system such that the tasks can be applied across the enterprise, an inventory of information are integrated into production operations and stored as constraints for inputs within the enterprise, a central reference and master data store with contractual and privacy tags is connected to transactional systems to facilitate compliance and integrity is carried among transactional systems and persistent data assets via Extract, Transform and Load ("ETL") or ELT processing, a dictionary scan of repositories for cryptic identifiers converts the information into regular expressions, compiles, stores, and retrieves information of contractual compliance across systems in an inventory, screens and refines with human knowledge scanning mechanisms to validate process results, remediation of data not meeting contractual or privacy requirements, identified entity data are deleted from business assets and removed from systems across the enterprise, gathered throughout the enterprise and used to validate desired requirements, privacy requirements are applied and controlled with supporting third-party partnerships (i.e., recite a process, that, under their broadest reasonable interpretation, covers performance of the limitation(s) in the commercial interactions (including agreements in the form of contracts; advertising, marketing or sales activities or behaviors; business relationship), then it falls within the “certain methods of organizing human activity” subject matter grouping of abstract ideas and also (i.e., one or more concepts performed in the human mind, such as one or more observations, evaluations, judgments, opinions), then it also falls within the “Mental Processes” and is an abstract idea.
	Independent claim(s) 25 recite/describe nearly identical steps (and therefore also recite limitations that fall within this subject matter grouping of abstract ideas), and this/these claim(s) is/are therefore determined to recite an abstract idea under the same analysis.
	As such, the Examiner concludes that claim 1 recites an abstract idea (Step 2A – Prong One: YES).
	Step 2A - Prong Two: In prong two of step 2A, an evaluation is made whether a claim recites any additional element, or combination of additional elements, that integrate the exception into a practical application of that exception. An “addition element” is an element that is recited in the claim in addition to (beyond) the judicial exception (i.e., an element/limitation that sets forth an abstract idea is not an additional element). The phrase “integration into a practical application” is defined as requiring an additional element or a combination of additional elements in the claim to apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that it is more than a drafting effort designed to monopolize the exception.
The requirement to execute the claimed steps/functions using, computer processor, and a computer memory, and compliance computer platform (Independent Claim(s) 1 and 25 and dependent claims 2-24 and 26-27) is/are equivalent to adding the words “apply it” on a generic computer and/or mere instructions to implement the abstract idea on a generic computer.
Similarly, the limitations of applying on a digital platform, plurality of databases, and artificial intelligence module (Independent Claim(s) 1 and 25 and dependent claims 2-24 and 26-27) are recited at a high level of generality and amount to no more than mere instructions to apply the exception using generic computer components. This/these limitation(s) do/does not impose any meaningful limits on practicing the abstract idea, and therefore do/does not integrate the abstract idea into a practical application (see MPEP 2106.05(f)).
	Further, the additional limitations beyond the abstract idea identified above, serves merely to generally link the use of the judicial exception to a particular technological environment or field of use. Specifically, it/they serve(s) to limit the application of the abstract idea to computerized environments (e.g., receive, define, test, confirm, create, validate, store, convert, compile, retrieve, etc. steps performed by digital platform). This reasoning was demonstrated in Intellectual Ventures I LLC v. Capital One Bank (Fed. Cir. 2015), where the court determined "an abstract idea does not become nonabstract by limiting the invention to a particular field of use or technological environment, such as the Internet [or] a computer"). This/these limitation(s) do/does not impose any meaningful limits on practicing the abstract idea, and therefore do/does not integrate the abstract idea into a practical application (see MPEP 2106.05(h)).	
	The recited additional element(s) of identified above (Claims 1 and 12), additionally and/or alternatively simply append insignificant extra-solution activity to the judicial exception, (e.g., mere pre-solution activity, such as data gathering, in conjunction with an abstract idea). The recited additional element(s) do not meaningfully limit the claim because to receive the proprietary data and associated governance structure from the enterprise proprietary data store, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure would be required in any implementation of the abstract idea. This/these limitation(s) do/does not impose any meaningful limits on practicing the abstract idea, and therefore do/does not integrate the abstract idea into a practical application. (See MPEP 2106.05(g)).
	Dependent claim 2-24 and 26-27 fail to include any additional elements. In other words, each of the limitations/elements recited in respective dependent claims is/are further part of the abstract idea as identified by the Examiner for each respective dependent claim (i.e. they are part of the abstract idea recited in each respective claim).
The Examiner has therefore determined that the additional elements, or combination of additional elements, do not integrate the abstract idea into a practical application. Accordingly, the claim(s) is/are directed to an abstract idea (Step 2A – Prong two: NO).
Step 2B: In step 2B, the claims are analyzed to determine whether any additional element, or combination of additional elements, is/are sufficient to ensure that the claims amount to significantly more than the judicial exception. This analysis is also termed a search for an "inventive concept." An "inventive concept" is furnished by an element or combination of elements that is recited in the claim in addition to (beyond) the judicial exception, and is sufficient to ensure that the claim as a whole amounts to significantly more than the judicial exception itself. Alice Corp., 134 S. Ct. at 2355, 110 USPQ2d at 1981 (citing Mayo, 566 U.S. at 72-73, 101 USPQ2d at 1966).
As discussed above in “Step 2A – Prong 2”, the identified additional elements in independent claim(s) 1 and 25 and dependent claims 2-24 and 26-27 are equivalent to adding the words “apply it” on a generic computer, and/or generally link the use of the judicial exception to a particular technological environment or field of use. Therefore, the claims as a whole do not amount to significantly more than the judicial exception itself. 
The recited additional element(s) of digital platform, databases, etc. (Claim 1 and 25), additionally and/or alternatively simply append insignificant extra-solution activity to the judicial exception, (e.g., mere pre-solution activity, such as data gathering, in conjunction with an abstract idea) i.e. receive the proprietary data and associated governance structure from the enterprise proprietary data store, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure is similar to “Receiving or transmitting data over a network, e.g., using the Internet to gather data”, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information), “Storing and retrieving information in memory”, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93; buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network), is a well-understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here) (See MPEP 2106.05(d) (II)).
This conclusion is based on a factual determination. Applicant’s own disclosure at paragraph [0028] acknowledges that “present invention information may be processed, managed, and/or used to deploy proprietary data protection mechanisms, such as by deploying and/or using computing components, and results may then be analyzed accurately and used to ensure compliance with applicable restrictions, thus improving the overall performance of an enterprise ...” The applicant’s disclosure discloses to perform the receiving of data, comparing the data between plurality of databases, and enabling a transaction (i.e. conventional nature of receiving and transmitting data/messages over a network). This additional element therefore do not ensure the claim amounts to significantly more than the abstract idea. 
Viewing the additional limitations in combination also shows that they fail to ensure the claims amount to significantly more than the abstract idea. When considered as an ordered combination, the additional components of the claims add nothing that is not already present when considered separately, and thus simply append the abstract idea with words equivalent to “apply it” on a generic computer and/or mere instructions to implement the abstract idea on a generic computer or/and append the abstract idea with insignificant extra solution activity associated with the implementation of the judicial exception, (e.g., mere data gathering, post-solution activity) and/or simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception.
The dependent claims 2-24 and 26-27 fail to include any additional elements. In other words, each of the limitations/elements recited in respective independent claims is/are further part of the abstract idea as identified by the Examiner for each respective dependent claim (i.e. they are part of the abstract idea recited in each respective claim).
The Examiner has therefore determined that no additional element, or combination of additional claims elements is/are sufficient to ensure the claim(s) amount to significantly more than the abstract idea identified above (Step 2B: NO).
Therefore, claims 1-27 are not eligible subject matter under 35 USC 101.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status:
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-5, 7-11, 15, 17-20, and 22-27 are rejected under 35 U.S.C. 103 as being unpatentable over Non Patent Literature “A Structural and Navigational Method for Integrated Organizational Information Privacy Protection” dated 2018 (“Abdullah”) in view U.S. Pub. 20050021360 (“Miller”).   
As per claims 1 and 25, Abdullah discloses, system to facilitate proprietary data protection for an enterprise, comprising: (a) an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure (“GRC frame of reference by identifying and embedding information privacy protection elements, namely, corporate governance, management, legal, technological aspects, compliance risk management, information security and organisational issues within the GRC frame of reference”) (Pg.2 Col. 2),
(ii) define enterprise-wide decision accountabilities for the proprietary data based on the governance structure (“The GRC playbook presents a logical structure for incorporating the various concepts depicted in Fig. 3 to create a robust method for integrated organizational information privacy protection. The following sections elaborate on each component of the GRC playbook. Each component must be adapted to organizational information privacy protection.”) (Pg.4 Col. 1),
(iii) define privacy objectives for the proprietary data based on the governance structure (“The rule (R1) for corporate governance and management is the organization's internal policies regarding organizational Information privacy protection. Therefore, corporate private policies grouped under business processes (E8) now becomes rule (R1) according to [20]'s GRC frame of reference”) (Pg.4 Col. 2),
and (iv) define specific machine-level controls to test and confirm compliance with the governance structure (“The metrics include measuring the GRC program performance (overall), governance performance management, risk performance management, internal compliance performance management and external compliance monitoring”) (Pg.6 Col. 2).
Abdullah specifically doesn’t disclose, compliance computer platform, coupled to the proprietary data store, including: a computer processor, and a computer memory coupled to the computer processor and storing computer instructions that, when executed by the computer processor, cause the compliance computer platform to receive proprietary data and associated governance structure from the enterprise proprietary data store, however Miller discloses, and (b) a compliance computer platform, coupled to the proprietary data store, including: a computer processor, and a computer memory coupled to the computer processor and storing computer instructions that, when executed by the computer processor, cause the compliance computer platform to (“Data security controls use risk assessment with regard to data systems (e.g., networks and computers)”) (0007): (i) receive the proprietary data and associated governance structure from the enterprise proprietary data store (“showing hierarchy based on risk categories”) (0065, Fig. 2).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, compliance computer platform, coupled to the proprietary data store, including: a computer processor, and a computer memory coupled to the computer processor and storing computer instructions that, when executed by the computer processor, cause the compliance computer platform to receive proprietary data and associated governance structure from the enterprise proprietary data store, as taught by Miller for the purpose to efficiently monitor risk, and allow for flexibility in modifying or updating risk policy.

As per claims 2, Abdullah discloses, wherein the compliance computer platform is further to automatically create an action plan including a series of tasks to help ensure or demonstrate compliance with the decision accountabilities, privacy objectives, and specific machine-level controls (developing metrics for a privacy program, the organization must identify the strategic goals, the objectives to achieve the goals and develop metrics that facilitates measuring and quantifying performance against the stated objectives. Examples of goals identified by [54] include enabling business initiatives and operations, leverage the right of stakeholders to increase the value of data-driven initiatives, align privacy programs to business objectives, increase the trustworthiness of your brand, establish a culture of privacy that spills over the boundaries of your organization and influence third-party selection and auditing”) (Pg.6 Col. 2).

As per claims 3 and 26, Abdullah discloses, wherein an identity of an external consumer is validated against criteria for confident authentication and flagged for potentially fraudulent activity (“global business technographics security survey of 2015, the top two data types compromised in a breach included PII and authentication credentials”) (Page 1, Col. 1).

As per claims 4 and 27, Abdullah discloses, wherein contractual constraints are converted into enterprise-wide system requirements (“Effectiveness evaluation assists an organization to meet basic requirements and recognition for implementing a program designed around rigorous practices [35]. Murphy [53] propose metrics to monitor the GRC practices of the organization”) (Pg.6 Col. 2).

As per claims 5, Abdullah specifically doesn’t disclose, a mechanism identifies and tags information defining appropriate ownership, however Miller discloses, wherein a mechanism identifies and tags information defining appropriate ownership (“Screening to Inter- or Intra-Data Stores for relevant information about Infrastructure Assets, their ownership or other material "related-to" relationships that could impact risk”) (0112).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, a mechanism identifies and tags information defining appropriate ownership, as taught by Miller for the purpose to efficiently monitor risk, and allow for flexibility in modifying or updating risk policy.

As per claims 7, Abdullah discloses, wherein contractual and privacy requirements are tagged to unique entities in a central reference and master data store of entities and individuals for property and causality customers identifying which requirements must be satisfied (“advances in technology such as social media, online gaming, digital tracking and electronic monitoring systems have made it very challenging to conceal personal information”) (Pg.1 Col.2).

As per claims 8, Abdullah specifically doesn’t disclose, one code that may be scanned and provide information on the object of the transaction, however Miller discloses, wherein a flow of information across repositories is scanned (“once connected, the one or more scripts execute the series of tests against the target application. At step 712, the one or more scripts collect the results of the executed tests, store the results in a database, and distribute the test results to the end user. This distribution can be the creation/population of a file or database or an email notification with the pass/fail results of the executed tests”) (0045).

As per claims 9, Abdullah specifically doesn’t disclose, information around data flowing among inventoried applications is digitized into technology that allows for user reporting and system integration, however Miller discloses, wherein information around data flowing among inventoried applications is digitized into technology that allows for user reporting and system integration (“once connected, the one or more scripts execute the series of tests against the target application. At step 712, the one or more scripts collect the results of the executed tests, store the results in a database, and distribute the test results to the end user. This distribution can be the creation/population of a file or database or an email notification with the pass/fail results of the executed tests”) (0045).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, information around data flowing among inventoried applications is digitized into technology that allows for user reporting and system integration, as taught by Miller for the purpose to efficiently monitor risk, and allow for flexibility in modifying or updating risk policy.

As per claims 10, Abdullah discloses, wherein acquisition, quoting, issuance, and maintenance of property and casualty customers is integrated into enterprise systems (i.e. the foregoing claim limitation amounts to nonfunctional descriptive material entitled to little if any patentable weight (see MPEP §2111.05 and authorities cited therein) as it merely describes the a enterprise systems that has nonfunctional descriptive i.e. simply an information stored in database that includes acquisition, quoting, issuance, and maintenance of property and casualty customers is integrated) (“Aspects related to organizational information privacy protection operations include: (1) Maintaining personal data inventory and data transfer mechanisms, (2). Maintaining data privacy policies, (3) Embedding data privacy into operations and (4) AC2.4.Maintaining notices. The Nymity privacy management accountability framework [24] contains guidelines on each of the four aspects. There are additional guidelines for data privacy policies”) (Pg.7 Col.1).

As per claims 11, Abdullah specifically doesn’t disclose, connects a user to an enterprise application inventory to extract system ownership and contacts owners with requirements, however Miller discloses, wherein the system connects a user to an enterprise application inventory to extract system ownership and contacts owners with requirements (“One or more client systems 110 connects to one or more enterprise application servers 120 through a network 150. The one or more application servers 120 execute an implementation of an enterprise application”) (0017).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, connects a user to an enterprise application inventory to extract system ownership and contacts owners with requirements, as taught by Miller for the purpose to efficiently monitor risk, and allow for flexibility in modifying or updating risk policy.

As per claims 15, Abdullah discloses, wherein a central reference and master data store with contractual and privacy tags is connected to transactional systems to facilitate compliance and integrity (“GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people thereby improving efficiency and effectiveness”) (Pg.2 Col.2).

As per claims 17, Abdullah specifically doesn’t disclose, mechanism for a dictionary scan of repositories for cryptic identifiers converts the information into regular expressions, however Miller discloses, wherein a mechanism for a dictionary scan of repositories for cryptic identifiers converts the information into regular expressions (“Such a policy could be that any confidential digital data leaving the organization must be encrypted while in transit, whereas internally transmitted data need not be encrypted. A Document may thus specify whether data leaving an internal server is encrypted. Thereby, for the internal policy, the "confidentiality" Risk Category would generally not affect transmission from the internal server to that or another internal server. However an answer of "NO" with regard to encryption for that document would affect the risk for the "confidentiality" Risk Category if the attempted transmission was external. Thus, in this example, the confidentiality Risk Category score has different results under different policies”) (0067).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, mechanism for a dictionary scan of repositories for cryptic identifiers converts the information into regular expressions, as taught by Miller for the purpose to efficiently monitor risk, and allow for flexibility in modifying or updating risk policy.

As per claims 18, Abdullah discloses, wherein the system compiles, stores, and retrieves information of contractual compliance across systems in an inventory (“organizations capitalize in interrelated information and communication technologies that facilitate the ability to capture, store and process large amounts of data rapidly and proficiently, the privacy impact of these investments for customers, employees, organizations, industries and society escalates in importance”) (Pg.1 Col. 1).

As per claims 19, Abdullah specifically doesn’t disclose, a mechanism screens and refines with human knowledge scanning mechanisms to validate process results, however Miller discloses, wherein a mechanism screens and refines with human knowledge scanning mechanisms to validate process results (“As an example, if the Trust Manager is a PKI and messages sent by sender are signed, the RDS may validate the signature based on a certificate. The RDS, which may also be an Aggregator, receives the Template, which may be authenticated, and may incorporate the Policy Template into subsequent evaluations”) (0078).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, a mechanism screens and refines with human knowledge scanning mechanisms to validate process results, as taught by Miller for the purpose to efficiently monitor risk, and allow for flexibility in modifying or updating risk policy.

As per claims 20, Abdullah discloses, wherein checks facilitated by contractual and privacy tags log events are stored in a centralized repository for remediation of data not meeting contractual or privacy requirements (“GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people thereby improving efficiency and effectiveness”) (Pg.2, Col.2).

As per claims 22, Abdullah discloses, wherein inputs are gathered throughout the enterprise and used to validate desired requirements (“GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people thereby improving efficiency and effectiveness”) (Pg.2, Col.2)..

As per claims 23, Abdullah discloses, wherein privacy requirements are applied and controlled with supporting third-party partnerships (“Examples of goals identified by [54] include enabling business initiatives and operations, leverage the right of stakeholders to increase the value of data-driven initiatives, align privacy programs to business objectives, increase the trustworthiness of your brand, establish a culture of privacy that spills over the boundaries of your organization and influence third-party selection and auditing”) (Pg.6 Col. 2).

As per claims 24, Abdullah discloses, wherein privacy requirements are managed and integrated with additional non-privacy enterprise policies (“Reference [21]'s previously identified information privacy protection elements is updated to include organizational information privacy protection elements from the following sources in the literature”) (Pg.2 Col. 2).

Claims 6, 14, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Non-Patent Literature “A Structural and Navigational Method for Integrated Organizational Information Privacy Protection” dated 2018 (“Abdullah”) in view U.S. Pub. 20050021360 (“Miller”) in view of U.S Pub. 20200104242 (“Villani”).
As per claims 6, Abdullah specifically doesn’t disclose, mechanism identifies and tags information when ownership of the information changes, however Villani discloses, wherein the mechanism identifies and tags information when ownership of the information changes (“ensure compliance with regulatory standards as well as corporate standards. There are many regulatory standards that govern the operation of organizations”) (0026).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, mechanism identifies and tags information when ownership of the information changes, as taught by Villani for the purpose to create recommendations for improving the quality of the application by detailing the dependencies of each application component and recommending test cases based on the objects that are being created and/or modified.

As per claims 14, Abdullah specifically doesn’t disclose, systems and requirements for an inventory of information are integrated into production operations and stored as constraints for inputs within the enterprise, however Villani discloses, wherein systems and requirements for an inventory of information are integrated into production operations and stored as constraints for inputs within the enterprise (“ a database and generates an inventory of application components and available security reports. This inventory may be used to generate the final reports delivered to the end user. Application components may be objects created within an enterprise application 121 to meet the needs of the organization or group that is using the software. FIG. 3 show a screenshot of a Master Data Management application 300 (e.g., Oracle® Data Relationship Management (DRM)), according to an example embodiment. Application 300 (i.e., an example of an enterprise application 121) may be a utility to manage hierarchies, mappings, and other master data for an organization. Within application 300, components 302 may include, by way of example, hierarchies, accounts, custom properties, custom validations, imports, exports, etc. A hierarchy, such as a chart of accounts, may be stored within the software and can be exported in a variety of different formats to be ingested by other target systems”) (0021).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, systems and requirements for an inventory of information are integrated into production operations and stored as constraints for inputs within the enterprise, as taught by Villani for the purpose to create recommendations for improving the quality of the application by detailing the dependencies of each application component and recommending test cases based on the objects that are being created and/or modified.

As per claims 21, Abdullah specifically doesn’t disclose, identified entity data are deleted from business assets and removed from systems across the enterprise, however Villani discloses, wherein identified entity data are deleted from business assets and removed from systems across the enterprise (“AIRE 122 creates recommended test cases based on the application components collected in its inventory. AIRE 122 may allow a user to override, modify, add, or delete test cases from the recommended tests. AIRE 122 may further generate automated programs and/or scripts to systematically run tests”) (0031).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, identified entity data are deleted from business assets and removed from systems across the enterprise, as taught by Villani for the purpose to create recommendations for improving the quality of the application by detailing the dependencies of each application component and recommending test cases based on the objects that are being created and/or modified.

Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Non-Patent Literature “A Structural and Navigational Method for Integrated Organizational Information Privacy Protection” dated 2018 (“Abdullah”) in view U.S. Pub. 20050021360 (“Miller”) in view of U.S Pub. 20120150796 (“Martick”).
As per claims 12, Abdullah specifically doesn’t disclose, requirements are generalized for scalability across multiple systems, however Martick discloses, wherein requirements are generalized for scalability across multiple systems (“efficient caching of configuration data can be achieved with minimal coding complexity. Further, the sharing of the same persistence module versions across multiple systems improves scalability and safety by allowing any of the systems in the distributed environment having the same the persistence module to be designated and configured as a controller system at any time. Accordingly, as described below in connection with FIG. 6, the controller designation for the distributed landscape can be automatically and seamlessly switched from one system 220 to a different system 210”) (0047).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, identified entity data are deleted from business assets and removed from systems across the enterprise, as taught by Martick for the purpose to provide transparent caching of configuration data in distributed landscapes.

As per claims 13, Abdullah specifically doesn’t disclose, requirements are converted into tasks, designed in a central reference, and stored in the system such that the tasks can be applied across the enterprise, however Martick discloses, wherein requirements are converted into tasks, designed in a central reference, and stored in the system such that the tasks can be applied across the enterprise (“the configuration data can be maintained, updated, and managed at a central system. The central system may be a dedicated system used as a central server to coordinate requests from other systems in the environment for the configuration data, for example. In instances where the central system may not be a dedicated server for managing configuration data, the system may still require specific software and interfaces for maintenance of configuration data used by multiple systems in the environment. In any event, the system used for managing the configuration data stores the configuration data for other systems to access. The other systems may send requests to the central system to retrieve configuration data or obtain the status of configuration data when needed at the remote systems”) (0003).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, requirements are converted into tasks, designed in a central reference, and stored in the system such that the tasks can be applied across the enterprise, as taught by Martick for the purpose to provide transparent caching of configuration data in distributed landscapes.

Claims 16 are rejected under 35 U.S.C. 103 as being unpatentable over Non-Patent Literature “A Structural and Navigational Method for Integrated Organizational Information Privacy Protection” dated 2018 (“Abdullah”) in view U.S. Pub. 20050021360 (“Miller”) in view of U.S Pub. 20200004751 (“Stennett”).
As per claims 16, Abdullah specifically doesn’t disclose, central reference and master data store with contractual and privacy tags is carried among transactional systems and persistent data assets via Extract, Transform and Load ("ETL"), however Stennett discloses, wherein the central reference and master data store with contractual and privacy tags is carried among transactional systems and persistent data assets via Extract, Transform and Load ("ETL") or ELT processing (“The data services within a system's data platform can have an integrated data layer to enable connecting and storing metadata to existing data stores and/or object storage, which may be external to the data platform. For those data services and storage, data management and governance capabilities for ingestion (e.g., extract, transform, load), audit, lineage, entity resolution, master data management, and global name management can be made available as applicable”) (0034).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the applicant’s invention to an enterprise proprietary data store containing a set of electronic data records, each electronic data record having with proprietary data and an associated governance structure, define enterprise-wide decision accountabilities for the proprietary data based on the governance structure, define privacy objectives for the proprietary data based on the governance structure, and define specific machine-level controls to test and confirm compliance with the governance structure, as disclosed by Abdullah, central reference and master data store with contractual and privacy tags is carried among transactional systems and persistent data assets via Extract, Transform and Load ("ETL") or ELT processing, as taught by Stennett for the purpose to analyze the real-time data to derive at least one insight, and generate an output associated with the at least one insight for real-time visualization.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
U.S. Pub. No. 20130198129 (“Gorman”)
Gorman discloses, Enterprise Network includes a master data management (MDM) system that is linked to two or more data sources each of which include means for storing local management information. The MDM system builds a master management information database that is comprised of some or all of the management information stored by the data sources. The master database in the MDM includes master records each of which is comprised of one or more attributes. The MDM system is configured to only update particular master record attributes with selected management information received from a trusted data source.
U.S. Pub. No. 20100324952 (“Bastos”).
Bastos discloses, method for managing Governance, Risk and Compliance (GRC) within an integrated framework includes inventorying assets and relationships with business components of an organization structure (101), determining risk and compliance indexes for at least each asset and business component (102), evaluating the risk and compliance indexes for GRC decisions (103), and determining and managing a treatment process based on an evaluation of the risk and compliance indexes (104). 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GAUTAM UBALE whose telephone number is (571)272-9861. The examiner can normally be reached Mon-Fri. 8:00 AM- 5:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Waseem Ashraf can be reached on (571) 270-3948. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/GAUTAM UBALE/Primary Examiner, Art Unit 3682