AICPA Privacy Management Framework (PMF)
The AICPA Privacy Management Framework (PMF) was created in 2020 as an update to the 2009 AICPA/CICA Generally Accepted Privacy Principles (GAPP).
Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|AICPA||American Institute of Certified Public Accountants|
|GAPP||Generally Accepted Privacy Principles|
|GDPR||General Data Protection Regulation|
|PMF||Privacy Management Framework|
|TSC||Trust Services Criteria|
The Privacy Management Framework (PMF) is a guide to help organizations address the business activities that involve collecting, creating, using, storing, and transmitting personal information of individuals. It contains nine components relating to privacy.
The PMF aligns with the Privacy Principle of the SOC 2 Trust Services Criteria (TSC).
The PMF components are founded on the following privacy objective:
Personal information (PI) is collected, created, used, processed, retained, disclosed and disposed of in conformity with agreements made between data subjects and users of the entity's products and services, and found in the entity's formal privacy notices and communications and with criteria outlined in the PMF issued by the AICPA.
The nine components of the PMF are as follows:
Management Agreement, notice and communication Collection and creation Use, retention and disposal Access Disclosure to third parties Security for privacy Data integrity and quality Monitoring and enforcement
The entity defines, formally documents, communicates and assigns responsibility and accountability for its PI privacy policies and procedures.
The entity makes formal agreements, notifies and communicates with and offers choices when seeking data subject consents, including reasons why and purposes for which the entity seeks to obtain and use a data subject's PI.
The entity collects and creates PI only for the purposes identified in its agreements with data subjects, and in ongoing communications with and notices provided to data subjects.
The entity limits the use of PI to the purposes identified in the formal agreements/notices, and for which a data subject has provided explicit (or implicit) consent. The entity retains PI for the time necessary to fulfill the stated purposes identified in the formal agreements/notices or as required by laws or regulations. Once those purposes have been met, the entity securely disposes of the information.
The entity provides data subjects with access to their PI when requested or when asked to update and correct data errors or make changes.
The entity discloses PI to third parties only for the purposes identified in data subject privacy agreements and its privacy notice and with the explicit consent of the data subject.
The entity protects PI against unauthorized access, removal, alteration, destruction and disclosure (both physical and logical).
— The entity maintains accurate, complete and relevant PI for the purposes identified in the notice and protects the representational integrity of the PI in its ongoing interactions with data subjects.
The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
An important update to the PMF is the replacement of the "choice and consent" component. While the choice and consent criteria were relevant to internet-oriented businesses in 2009, the criteria are much less relevant today because of new global privacy regulations such as the General Data Protection Regulation (GDPR).
The PMF mapping tool provides general guidance on privacy and is intended to help practitioners and users effectively manage their privacy risks and comply with applicable privacy laws.
The tool maps each of the nine components of the PMF with Trust Services Criteria (TSC) and the European Union (EU)'s GDPR.
- The PMF contains nine privacy components.
- The PMF aligns with the Privacy Principle of the SOC 2 TSC.
- The adoption of PMF is voluntary.