DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.
Responsive to communication filed on 9 June 2022.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 112(a) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
The disclosure of the prior-filed application, Application No. 17/342,153, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph for one or more claims of this application. Claims 1 requires: 
receiving … a completed assessment template …;
coordinating … an audit of the completed assessment template …;
…
after completing the audit, facilitating, by the computing hardware, an electronic transfer of the completed assessment template to a plurality of computer systems, wherein each computer system of the plurality of computer systems is associated with a respective entity of a plurality of entities and each respective entity uses the completed assessment template in conducting a computerized assessment of a respective processing activity, to be executed by the respective entity, that includes the use of the product or service provided by the vendor.


These portions of the instant Specification are not disclosed in the prior-filed application.  Nowhere in the prior-filed application does the term “completed assessment template” appear.  Although the prior-filed application discloses accessing a completed privacy template (US 2021/0342454 at ¶ 12) and conducting privacy audits (Id. at ¶ 42), there is no disclosure of a completed assessment template or coordinating an audit of a completed assessment template.  Further, there is no disclosure of facilitating transfer of a completed assessment template to a plurality of computer systems, wherein each computer system is associated with a respective entity and each entity uses the completed assessment template in conducting an assessment of a respective processing activity.  Accordingly, they do not have support under 35 U.S.C. 112(a).
Regarding claim 3, the prior-file application has no disclosure of measuring maturity of a product or service in meeting a policy or standard.
Regarding claim 6, the prior-file application has no disclosure of determining a risk rating being based on an awareness rating.
Regarding claim 9, the prior-file application has no disclosure of a centralized repository of completed templates or a set of operations performed by an entity.
Regarding claim 9, the prior-file application has no disclosure of a receiving analysis of data records associated with at least one of the vendor, the product, or the service.
Regarding claim 9, the prior-file application has no disclosure of determining a relative risk rating for each of the question/answer pairings.
Claims 9-20 recite similar subject matter or depend on claims reciting the above mentioned subject matter.  Therefore, claims 9-20 do not comply with the requirements of 35 U.S.C. 112(a).
Applicant states that this application is a continuation or divisional application of the prior-filed application. A continuation or divisional application cannot include new matter. Applicant is required to delete the benefit claim or change the relationship (continuation or divisional application) to continuation-in-part because this application contains the above identified matter not disclosed in the prior-filed application.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1-20 recite or depend on the above mentioned claim requirements, which amount to new matter.  Accordingly, claims 1-20 are rejected under 35 USC 112(a).
Applicant states that this application is a continuation or divisional application of the prior-filed application. A continuation or divisional application cannot include new matter. Applicant is required to delete the benefit claim or change the relationship (continuation or divisional application) to continuation-in-part because this application contains the above identified matter not disclosed in the prior-filed application.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Step 2A Prong 1 (MPEP 2106.04 II. A. 1): Claim 1 recite(s): 
conducting, by the computing hardware, an analysis of publicly available data associated with the vendor; 
coordinating, by the computing hardware, an audit of the completed assessment template, wherein coordinating the audit includes calculating, based on the completed assessment template and the analysis of the publicly available data associated with the vendor, a risk rating for the product or service provided by the vendor by: 
identifying a weighting factor for each of the question/answer pairings; 
determining a relative risk rating for each of the question/answer pairings; and 
calculating the risk rating based upon the relative risk rating and the weighting factor for each of the question/answer pairings; and
…
each respective entity uses the completed assessment template in conducting a computerized assessment of a respective processing activity, to be executed by the respective entity, that includes the use of the product or service provided by the vendor.
 These limitations recite an abstract idea because the conducting an analysis, coordinating an audit, identifying a weighting factor, determining a relative risk rating, calculating the risk rating, and conducting a computerized assessment, under its broadest reasonable interpretation, covers performances of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “by computing hardware” nothing in the claim elements precludes the step from practically being performed in the mind.  For example, but for the “by computing hardware” language, conducting an analysis, coordinating an audit, identifying a weighting factor, determining a relative risk rating, calculating the risk rating, and conducting a computerized assessment in the context of this claim encompasses a human operator analyzing publicly available data, coordinating an audit, observing weighting factors from a computer monitor, mentally determining relative risks, using pen an paper to calculate a risk rating, and mentally conducting an assessment of processing activity.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas.  Accordingly, the claims recite an abstract idea.
Step 2A Prong 2 (MPEP 2106.04 II. A. 2): This judicial exception is not integrated into a practical application.  In particular, the claim additionally recites “facilitating, by the computing hardware, an electronic transfer of the completed assessment template to a plurality of computer systems”.  
This additional recitation does not integrate the abstract idea into a practical application because it amounts to insignificant extra-solution activity of mere data gathering or transmitting (See MPEP 2106.04(d) and 2106.05(g)).  For example, obtaining information about transactions using the internet to verify credit card transactions was found to be mere data gathering which amounted to insignificant extra-solution activity (CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011)).  Further, consulting and updating an activity log was found to be insignificant extra-solution activity (Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754).
Here, the transferring the completed assessment template corresponds to the obtaining data and updating activity logs in CyberSource and Ultramercial.  Therefore, the claims do not recite additional limitations that amount to significantly more than an abstract idea.
Step 2B (MPEP 2106.05):  The claims additionally recite “receiving, by computing hardware, a completed assessment template from a vendor, wherein the completed assessment template comprises question/answer pairings regarding a product or service provided by the vendor”. 
These additional elements do not amount to significantly more than the judicial exception because it amounts to mere extra solution activity of data gathering (See MPEP 2106.05(g)).  For example, obtaining information about transactions using the internet to verify credit card transactions was found to be mere data gathering which amounted to insignificant extra-solution activity (CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011)).  Further, consulting and updating an activity log was found to be insignificant extra-solution activity (Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754).
Here, the receiving, by computing hardware, a completed assessment template from a vendor, wherein the completed assessment template comprises question/answer pairings regarding a product or service provided by the vendor corresponds to the obtaining data and updating activity logs in CyberSource and Ultramercial.  Therefore, the claims do not recite additional limitations that amount to significantly more than an abstract idea.
Accordingly, since the independent claims recite an abstract idea (Step 2A Prong 1), do not integrate the recited abstract idea into a practical application (Step 2A Prong 2), and do not recite additional elements that amount to significantly more than an abstract idea (Step 2B), the claims are directed toward a judicial exception (non-statutory subject matter).  Therefore, the independent claims are rejected under 35 USC 101. 
Regarding claim 2, it further refines the audit of the completed assessment template; however, the audit for compliance with a policy or standard is still capable of being performed in the human mind.  Therefore, the subject matter recited in claim 2 is directed toward an abstract idea.
Regarding claim 3, a human operator could use physical observation and mental capacity to measure a maturity of a product or service in meeting a policy or standard.  Therefore, the subject matter is directed toward an abstract idea.
Regarding claim 4, it does not recite additional elements that integrate the abstract idea into a practical application or recite significantly more than an abstract idea because the monitoring, identifying, and calculating can be performed in the human mind.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 5, it is directed toward generating a GUI and transmitting an instruction to present the GUI.  This does not integrate the abstract ideas into a practical application because it amounts to insignificant extra-solution activity of transmitting and displaying data.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 6, a human operator could generate an awareness rating using mental capacity and physical observations.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 7, a human operator could determine an employee title by observing publicly available data and making mental determinations.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 8, a human operator could determine whether there are contracts with government entities by observing publicly available data and making mental determinations.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Claim(s) 9, 10, 11, 13-16, and 19-20 correspond(s) to claim(s) 1-2 and 6-8, and differ(s) primarily in statutory category. Therefore, it/they is/are rejected for the same reasons. 
Regarding claim 12, a human operator could analyze public records, identify a certification, and calculate a overall risk rating by observing publicly available data and making mental determinations.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 17, transferring the completed template using an online portal relies on computer system similar to the cases in CyberSource v. Retail Decisions, Inc. and Ultramercial.  Therefore, transferring the data using a n online portal does not amount to significantly more than an abstract idea.  
Regarding claim 18, the context of raw material is difficult to discern in view of the specification’s disclosure in ¶¶ 14, 67, and claim 18.  Nonetheless, limiting the product to comprising a raw material is not significantly different than the systems disclosed in CyberSource v. Retail Decisions, Inc. and Ultramercial.  Computing systems inherently require raw materials.  Accordingly, claim 18 does not amount to significantly more than an abstract idea.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 17/670,341.  Although the claims at issue are not identical, they are not patentably distinct from each other because the copending Application No. 17/670,341 claims substantially all the limitations of the instant claims and is a species of the broader genus in the instant claims.  See comparison of representative independent claims below.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
The claims of the two applications correspond as shown in the representative claims below.
INSTANT APPLICATION
U.S. PATENT APPLICATION 17/670,341
Claim 1: A method comprising: receiving, by computing hardware, a completed assessment template from a vendor, wherein the completed assessment template comprises question/answer pairings regarding a product or service provided by the vendor; conducting, by the computing hardware, an analysis of publicly available data associated with the vendor; coordinating, by the computing hardware, an audit of the completed assessment template, wherein coordinating the audit includes calculating, based on the completed assessment template and the analysis of the publicly available data associated with the vendor, a risk rating for the product or service provided by the vendor by: identifying a weighting factor for each of the question/answer pairings; determining a relative risk rating for each of the question/answer pairings; and calculating the risk rating based upon the relative risk rating and the weighting factor for each of the question/answer pairings; and after completing the audit, facilitating, by the computing hardware, an electronic transfer of the completed assessment template to a plurality of computer systems, wherein each computer system of the plurality of computer systems is associated with a respective entity of a plurality of entities and each respective entity uses the completed assessment template in conducting a computerized assessment of a respective processing activity, to be executed by the respective entity, that includes the use of the product or service provided by the vendor.
Claim 1: A method comprising: receiving, by computing hardware, a completed template from a vendor, the completed template including question/answer pairings regarding a particular product or service provided by the vendor; determining, by the computing hardware based on the completed template, to request an updated version of the completed template from the vendor; requesting, by the computing hardware, the updated version of the completed template from the vendor; receiving, by the computing hardware, the updated version of the completed template that includes updated question/answer pairings regarding the particular product or service; in response to receiving the updated completed template, automatically coordinating, by the computing hardware, an audit of the updated completed template for compliance with standards; receiving, by the computing hardware, an audited updated completed template; calculating, by the computing hardware, a risk rating for the particular product or service based on the audited updated completed template; and facilitating, by the computing hardware, the electronic transfer of the audited updated completed template and the risk rating for the particular product or service to computer systems, each of the computer systems being associated with a different entity, for use in the different entities' respective computerized assessment of at least one respective activity, to be executed by the respective entity, that includes the use of the particular product or service.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-2, 6-12, and 13-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Barday (US 2017/0287030) and further in view of Barday et al. (US 2018/0182009).

Regarding claim 1, Barday teaches: A method comprising: 
receiving, by computing hardware, a completed assessment template from a vendor, wherein the completed assessment template comprises question/answer pairings regarding a product or service provided by the vendor (claim 1, “receiving, by one or more computer processors, a completed privacy template from a centralized repository of completed privacy templates, the completed privacy template comprising a plurality of question/answer pairings regarding a particular vendor, product or service to be used as part of the privacy campaign”); 
coordinating, by the computing hardware, an audit of the completed assessment template (claim 5, “automatically coordinating, by one or more computer processors, an audit of the completed privacy template”), wherein coordinating the audit includes calculating, based on the completed assessment template and the analysis of the publicly available data associated with the vendor, a risk rating for the product or service provided by the vendor by: 
identifying a weighting factor for each of the question/answer pairings (claim 1, “receiving the completed privacy template, receiving, from a user, a weighting factor that is to be applied to at least a particular one of the question/answer pairings in processing data to calculate a risk rating for the privacy campaign”); 
determining a relative risk rating for each of the question/answer pairings (claim 18, “receiving an electronic input from the customer assigning a relative risk rating to each audit result that the customer chooses to include with the privacy campaign”); and 
calculating the risk rating based upon the relative risk rating and the weighting factor for each of the question/answer pairings (claim 18, “using the relative risk rating for each audit result to determine an aggregate risk score associated with the software application associated with the privacy campaign”); and 
after completing the audit, facilitating, by the computing hardware, an electronic transfer of the completed assessment template to a plurality of computer systems, wherein each computer system of the plurality of computer systems is associated with a respective entity of a plurality of entities and each respective entity uses the completed assessment template in conducting a computerized assessment of a respective processing activity, to be executed by the respective entity, that includes the use of the product or service provided by the vendor (claim 6, “after the audit of the updated completed privacy template is complete, facilitating the electronic transfer of the audited updated completed privacy template, via one or more computer networks, to a plurality of computer systems, each computer system being associated with a different entity, for use in the different entities' respective computerized assessments of at least one respective privacy campaign, to be executed by the respective entity, that includes the use of a product or service that is the subject of the completed privacy template”).
Barday does not teach, however, Barday et al. disclose: conducting, by the computing hardware, an analysis of publicly available data associated with the vendor (claim 1, “analyzing one or more pieces of publicly available data associated with the vendor”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of conducting, by the computing hardware, an analysis of publicly available data associated with the vendor, as taught by Barday et al., in the same way to the method, as taught by Barday. Both inventions are in the field of assessing risk of privacy campaigns, and combining them would have predictably resulted in “generating, in an efficient manner, risk assessments associated with particular privacy campaigns”, as indicated by Barday et al. (¶ 2).

Regarding claim 2, Barday teaches: the audit of the completed assessment template is an audit for compliance with a policy or a standard (¶ 9, “a system and method are provided to facilitate the assessment of one or more vendors' compliance with one or more privacy assessment standards (e.g., privacy laws, privacy standards)”).

Regarding claim 6, Barday et al. disclose: generating, by the computing hardware, an awareness rating for the vendor based on the analyzed publicly available data, wherein the risk rating is further based on the awareness rating (¶ 249, “calculate a privacy awareness score for a particular vendor. The system may then, in various embodiments, use the privacy awareness score in order to calculate a risk rating or other risk score for a particular piece of software or other service provided by the vendor”).

Regarding claim 7, Barday et al. disclose: analyzing the publicly available data comprises: determining at least one of employee titles, employee roles, or available job posts associated with the vendor based on analyzing at least one of a social networking website or a business related job website (¶ 119, “use social networking and other data to identify one or more employee titles of the business unit, one or more job roles for one or more employees in the group, one or more job postings for the for the business unit (e.g., group), etc”).

Regarding claim 8, Barday et al. disclose: analyzing the publicly available data comprises: determining the vendor has a plurality of contracts with a plurality of government entities (¶ 120, “the system may be configured to calculate a relatively high privacy maturity score for a group that has one or more contracts with one or more government entities (e.g., because an existence of such a contract may indicate that the group has passed one or more vetting requirements imposed by the one or more government entities)”).

Claim(s) 9-11, 13-16, and 19-20 correspond(s) to claim(s) 1, 2, and 6-8, and differ(s) in statutory category. Therefore, it/they is/are rejected for the same reasons. 

Regarding claim 12, Barday et al. disclose: the operations further comprise: analyzing a public record database associated with at least one of the vendor, the product, or the service; identifying a certification associated with at least one of the vendor, the product, or the service from the public record database, and calculating the overall risk rating is also based on the certification (¶ 256, “when calculating the privacy awareness score, the system may assign a first weighting factor to whether the vendor has one or more suitable privacy notices posted on the vendor website, a second weighting factor to whether the vendor has one or more particular security certifications, etc. The system may, for example, assign one or more weighting factors using any suitable technique described herein with relation to risk rating determination”).

Regarding claim 17, Barday discloses: the electronic transfer of the completed assessment template to the computer system is carried out through on online portal integrated with an instance of the computer system (¶ 143, “These options may be presented concurrently with the display of templates when the customer accesses the central community portal”).

Regarding claim 18, Barday discloses: the product comprises a raw material (¶ 76, “Vendors may supply a component or raw material to the organization, or an outside contractor responsible for the marketing or legal work of the organization”).

Claim(s) 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Barday and Barday et al., as applied above, and further in view of Barday et al. II (US 2018/0341782).

Regarding claim 3, Barday and Barday et al. do not teach, however, Barday et al. II disclose: the computerized assessment of the respective processing activity is configured to measure a maturity of the product or service in meeting a policy or standard (¶ 116, “calculate the privacy maturity score based at least in part on a presence of one or more suitable privacy notices, one or more contents of one or more blog posts on the group site (e.g., whether the group site has one or more blog posts directed toward user privacy), a presence of one or more preference or control centers that enable visitors to the site to opt in or out of certain data collection policies (e.g., cookie policies, etc.), etc”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the computerized assessment of the respective processing activity is configured to measure a maturity of the product or service in meeting a policy or standard, as taught by Barday et al. II, in the same way to the computerized assessment, as taught by Barday. Both inventions are in the field of assessing risk of privacy campaigns, and combining them would have predictably resulted in “determining respective privacy maturity ratings for one or more groups within an organization, and processing the relevant data”, as indicated by Barday et al. II (¶ 2).

Claim(s) 4-5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Barday and Barday et al., as applied above, and further in view of Brannon et al. (US 2020/0004938).

Regarding claim 4, Barday and Barday et al. do not teach, however, Brannon et al. disclose: generating, by the computing hardware and based on the risk rating, a graphical user interface by configuring a navigation element on the graphical user interface (¶ 12, “generating an interface comprising a user-selectable object associated with an indication of satisfaction of the notification obligation; receiving an indication of a selection of the user-selectable object”), wherein the navigation element is configured for initiating a responsive action based on the risk rating; 
transmitting, by the computing hardware, an instruction to a user device to present the graphical user interface on the user device (¶ 19, “presenting, by one or more processors on a graphical user interface: the risk score for the particular vendor”); 
receiving, by the computing hardware, an indication of a selection of the navigation element (¶ 18, “detecting a selection of a user-selectable control for adding the new vendor on a second graphical user interface”); and 
responsive to receiving the indication, initiating, by the computing hardware, the responsive action.
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of generating, by the computing hardware and based on the risk rating, a graphical user interface by configuring a navigation element on the graphical user interface, wherein the navigation element is configured for initiating a responsive action based on the risk rating; transmitting, by the computing hardware, an instruction to a user device to present the graphical user interface on the user device; receiving, by the computing hardware, an indication of a selection of the navigation element; and responsive to receiving the indication, initiating, by the computing hardware, the responsive action, as taught by Brannon et al., in the same way to the method, as taught by Barday. Both inventions are in the field of assessing risk of privacy campaigns, and combining them would have predictably resulted in “retrieving data regarding a plurality of privacy campaigns, and for using that data to assess a relative risk associated with the data privacy campaign”, as indicated by Brannon et al. (¶ 2).

Regarding claim 5, Brannon et al. disclose: generating, by the computing hardware, a second graphical user interface comprising an indication of the risk rating; and transmitting, by the computing hardware, a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device (¶ 18, “responsive to detecting the selection of the user-selectable control for adding the new vendor, presenting a third graphical user interface configured to receive the vendor information associated with the particular vendor”).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB D DASCOMB whose telephone number is (571)272-9993. The examiner can normally be reached M-F 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 5712723759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JACOB D DASCOMB/Primary Examiner, Art Unit 2199