Jeff Lowder

Review and Critique of Generally Accepted Privacy Principles (GAPP) — Part 1

1. Overview

Service management has ITIL. Quality has ISO 9000. Information security has numerous options, including ISO/IEC 27001, COBIT, and NIST SP 800-53. What about information privacy?

Many regulatory and standards organizations have adopted their own frameworks or approaches to information privacy, including the Organisation for Economic Co-operation and Development (“OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”), the European Union (the so-called “Data Protection Directive”), the U.S. Federal Trade Commission (“Fair Information Practice Principles”), Australia (“Information Privacy Principles”), and others. But these numerous approaches to privacy have led to a “patchwork quilt” of privacy laws across different jurisdictions. The task of converting this patchwork quilt of privacy laws into an integrated, actionable set of requirements can be a major project for privacy officers.

Enter the Generally Accepted Privacy Principles (GAPP). Originally published in 2003 and revised in 2009, GAPP was introduced by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to provide “a comprehensive resource providing guidance on a number of areas related to privacy.” In their words:

“Generally Accepted Privacy Principles (GAPP) have been developed from a business perspective, referencing some, but by no means all, significant local, national and international privacy regulations. GAPP operationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles. Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization. Illustrative policy requirements, communications and controls, including monitoring controls, are provided as support for the criteria.” (italics mine)

Elsewhere, AICPA/CICA describe the purposes of GAPP as follows:

With these issues in mind, the AICPA and CICA developed Generally Accepted Privacy Principles to be used as an operational framework to help management address privacy in a manner that takes into consideration many local, national, or international requirements. The primary objective is to facilitate privacy compliance and effective privacy management. The secondary objective is to provide suitable criteria against which a privacy attestation engagement (usually referred to as a privacy audit) can be performed.

GAPP defines “personal information” as “information that is or can be about or related to an identifiable individual.” Using that definition, we can now make better sense of GAPP’s “single privacy objective”:

Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.

What, then, are the Generally Accepted Privacy Principles? Here is how the AICPA and CICA state them:

1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

One Comment

  1. Kevin Lam May 5, 2014 at 1:15 pm

    Thanks for writing this article on analyzing GAPP in further detail. I wrote an article on how CPA firms (who aren’t already security experts) can implement the GAPP checklist items at

    Thanks, hope your readers find this useful.
