AICPA/CICA Generally Accepted Privacy Principles (GAPP)
The AICPA Privacy Management Framework (PMF) was created in 2020 as an update to the 2009 AICPA/CICA Generally Accepted Privacy Principles (GAPP).
Acronyms, Abbreviations, and Initialisms
| Short Form | Full Form |
|---|---|
| AICPA | American Institute of Certified Public Accountants |
| CICA | Canadian Institute of Chartered Accountants |
| GAPP | Generally Accepted Privacy Principles |
| PMF | Privacy Management Framework |
| TSC | Trust Services Criteria |
| TSP | Trust Services Principles |
The Generally Accepted Privacy Principles (GAPP) is a framework developed by the American Institute of Certified Public Accountants (AICPA) that consists of 10 key privacy principles containing 74 privacy objectives, together with the associated criteria and methods for measuring and evaluating them. GAPP was developed to help management create an effective privacy program that addresses privacy risks and obligations as well as business opportunities.
GAPP aligns with the Privacy Principle of the SOC 2 Trust Services Principles (TSP).
The privacy principles and criteria are founded on the following privacy objective:

> Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.
The privacy principles are essential to the proper protection and management of personal information. They are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and recognized good privacy practices.
The following are the 10 generally accepted privacy principles:

1. Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection: The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access: The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy: The entity protects personal information against unauthorized access (both physical and logical).
9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
- GAPP consists of 10 key privacy principles.
- GAPP contains 74 privacy objectives.
- GAPP aligns with the Privacy Principle of the SOC 2 TSP.