# AICPA Privacy Management Framework (PMF)

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| AICPA | American Institute of Certified Public Accountants |
| EU | European Union |
| GAPP | Generally Accepted Privacy Principles |
| GDPR | General Data Protection Regulation |
| PI | Personal Information |
| PMF | Privacy Management Framework |
| TSC | Trust Services Criteria |

# Overview

The Privacy Management Framework (PMF) is a guide to help organizations address the business activities that involve collecting, creating, using, storing, and transmitting personal information of individuals. It contains nine components relating to privacy.

# Components

The PMF components are founded on the following privacy objective:

Personal information (PI) is collected, created, used, processed, retained, disclosed and disposed of in conformity with agreements made between data subjects and users of the entity's products and services, and found in the entity's formal privacy notices and communications and with criteria outlined in the PMF issued by the AICPA.

The nine components of the PMF are as follows:

  1. Management
  2. Agreement, notice and communication
  3. Collection and creation
  4. Use, retention and disposal
  5. Access
  6. Disclosure to third parties
  7. Security for privacy
  8. Data integrity and quality
  9. Monitoring and enforcement

  1. Management: The entity defines, formally documents, communicates and assigns responsibility and accountability for its PI privacy policies and procedures.
  2. Agreement, notice and communication: The entity makes formal agreements with, notifies, communicates with and offers choices to data subjects when seeking their consent, including the reasons why and the purposes for which the entity seeks to obtain and use a data subject's PI.
  3. Collection and creation: The entity collects and creates PI only for the purposes identified in its agreements with data subjects, and in ongoing communications with and notices provided to data subjects.
  4. Use, retention and disposal: The entity limits the use of PI to the purposes identified in the formal agreements/notices, and for which a data subject has provided explicit (or implicit) consent. The entity retains PI for the time necessary to fulfill the stated purposes identified in the formal agreements/notices or as required by laws or regulations. Once those purposes have been met, the entity securely disposes of the information.
  5. Access: The entity provides data subjects with access to their PI when requested, or when asked to update and correct data errors or make changes.
  6. Disclosure to third parties: The entity discloses PI to third parties only for the purposes identified in data subject privacy agreements and its privacy notice, and with the explicit consent of the data subject.
  7. Security for privacy: The entity protects PI against unauthorized access, removal, alteration, destruction and disclosure (both physical and logical).
  8. Data integrity and quality: The entity maintains accurate, complete and relevant PI for the purposes identified in the notice and protects the representational integrity of the PI in its ongoing interactions with data subjects.
  9. Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

# Mapping Tool

The PMF mapping tool provides general guidance on privacy and is intended to help practitioners and users effectively manage their privacy risks and comply with applicable privacy laws.

The tool maps each of the nine components of the PMF to the Trust Services Criteria (TSC) and to the European Union's (EU) GDPR.

# Noteworthy

  • The PMF contains nine privacy components.
  • The PMF aligns with the Privacy Principle of the SOC 2 TSC.
  • The adoption of PMF is voluntary.

# Sources