
Data Privacy

Updated Jan 30, 2024

Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles (GAPP) are a set of guidelines designed to help organizations manage and protect personal information responsibly.

The GAPP were developed through a collaboration of several professional organizations to provide a comprehensive framework for managing privacy risks and ensuring the responsible handling of personal information. The four key organizations involved in the development of GAPP are:

  1. American Institute of Certified Public Accountants (AICPA)
  2. Canadian Institute of Chartered Accountants (CICA)
  3. Information Systems Audit and Control Association (ISACA)
  4. Institute of Internal Auditors (IIA)

These organizations worked together to create a set of principles that can be applied across various industries and jurisdictions. These principles are:

  1. Management
  2. Notice
  3. Choice and Consent
  4. Collection
  5. Use, Retention, and Disposal
  6. Access
  7. Disclosure to Third Parties
  8. Security
  9. Quality
  10. Monitoring and Enforcement

1. Management

Organizations handling private information should have policies, procedures, and governance structures in place to protect privacy. This ensures that privacy responsibilities are well-defined and consistently applied throughout the organization.

  • Assign a designated privacy officer or team.
  • Develop and document privacy policies and procedures.
  • Conduct regular privacy training and awareness programs.

2. Notice

Organizations must inform individuals about their data collection, use, and sharing practices. Providing clear and transparent privacy notices helps build trust and ensures individuals are aware of how their information is handled.

  • Use plain language in privacy notices.
  • Ensure notices are easily accessible to individuals.
  • Update notices regularly to reflect changes in practices.

3. Choice and Consent

Organizations should obtain and document individuals' consent for data collection and use. Providing choices about how personal information is used and shared empowers individuals to control their data.

  • Offer opt-in or opt-out options for data use.
  • Document consent preferences and changes.
  • Provide mechanisms for individuals to update their preferences.

4. Collection

Organizations should collect personal information only for specific, legitimate purposes. Limiting data collection to what is necessary helps reduce privacy risks and ensures compliance with data protection laws.

  • Clearly define data collection purposes.
  • Minimize data collection to necessary information.
  • Regularly review data collection practices.

5. Use, Retention, and Disposal

Personal information should be used only for the purposes specified in the privacy notice. Retaining data only as long as necessary and securely disposing of it when no longer needed helps protect privacy.

  • Implement data retention schedules.
  • Regularly audit data usage practices.
  • Ensure secure data disposal methods.
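A retention schedule is only useful if something enforces it. The following Python example is added here and is not part of the original page; it assumes a hypothetical, constructed schedule (days of retention per disclosed purpose) and an in-memory record store. It shows the three decisions an enforcement job has to make: which records are past their retention period, which are expired but suspended by a legal hold, and which have a purpose with no schedule at all (those are reported for a human decision rather than silently kept forever). Every disposal and every unscheduled record is written to an audit log, which is what a later privacy audit (principle 10) will ask for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical retention schedule (constructed for this example): how many days
# personal data collected for each disclosed purpose may be kept.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "marketing": 90,
    "support_ticket": 180,
}


@dataclass
class Record:
    record_id: str
    purpose: str              # purpose stated in the privacy notice at collection time
    collected_at: date
    legal_hold: bool = False  # an active hold (e.g. litigation) suspends disposal


def disposal_due(record: Record) -> Optional[date]:
    """Date from which the record must be disposed, or None if its purpose has no schedule."""
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        return None
    return record.collected_at + timedelta(days=days)


def records_to_dispose(records: List[Record], today: date) -> List[str]:
    """IDs of records past their retention period and not under legal hold."""
    due = []
    for rec in records:
        deadline = disposal_due(rec)
        if deadline is not None and today >= deadline and not rec.legal_hold:
            due.append(rec.record_id)
    return due


def records_without_schedule(records: List[Record]) -> List[str]:
    """IDs of records whose purpose is not on the schedule; flagged, never kept by default."""
    return [rec.record_id for rec in records if disposal_due(rec) is None]


def run_disposal(store: Dict[str, Record], today: date) -> List[dict]:
    """Remove expired records from the store and return audit-log entries.
    For a real datastore, replace the pop() with the store's secure deletion
    or crypto-shredding of the per-record key."""
    log = []
    for record_id in records_to_dispose(list(store.values()), today):
        rec = store.pop(record_id)
        log.append({"event": "disposed", "record_id": record_id,
                    "purpose": rec.purpose, "on": today.isoformat()})
    for record_id in records_without_schedule(list(store.values())):
        log.append({"event": "no_schedule", "record_id": record_id,
                    "purpose": store[record_id].purpose, "on": today.isoformat()})
    return log


def sample_store() -> Dict[str, Record]:
    """Constructed sample records for the example."""
    recs = [
        Record("r1", "order_fulfilment", date(2022, 12, 1)),   # expired on 2023-12-01
        Record("r2", "marketing", date(2023, 12, 1)),          # expires 2024-02-29
        Record("r3", "marketing", date(2023, 9, 1), legal_hold=True),  # expired, but held
        Record("r4", "analytics", date(2023, 1, 1)),           # purpose not on schedule
        Record("r5", "support_ticket", date(2023, 7, 1)),      # expired on 2023-12-28
    ]
    return {r.record_id: r for r in recs}


def demo(today_iso: str = "2024-01-30") -> dict:
    """Run the disposal job over the sample store for a given date."""
    store = sample_store()
    log = run_disposal(store, date.fromisoformat(today_iso))
    return {"log": log, "remaining": sorted(store)}


if __name__ == "__main__":
    result = demo()
    for entry in result["log"]:
        print(entry)
    print("remaining:", result["remaining"])
```

Run as written, the job for 2024-01-30 disposes of r1 and r5, leaves r2 (not yet expired) and r3 (legal hold), and logs r4 as having no schedule. The legal-hold flag matters in practice: a disposal job that deletes held records destroys evidence, so the hold check belongs in the code path, not in a runbook.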

6. Access

Organizations must provide individuals with access to their personal information. Allowing individuals to correct inaccuracies and update their information ensures data accuracy and builds trust.

  • Establish processes for handling access requests.
  • Verify identities before granting access.
  • Provide clear instructions for updating information.

7. Disclosure to Third Parties

Organizations should share personal information with third parties only as described in the privacy notice and with individuals' consent. Ensuring third parties adhere to privacy standards helps protect shared information.

  • Conduct due diligence on third parties.
  • Implement agreements with privacy protections.
  • Monitor third-party compliance with privacy standards.

8. Security

Implementing appropriate safeguards protects personal information from unauthorized access, alteration, or destruction. Regular risk assessments and updates to security measures are essential for maintaining data security.

  • Use encryption and other technical safeguards.
  • Conduct regular security audits and assessments.
  • Train employees on security best practices.

9. Quality

Maintaining accurate, complete, and relevant personal information is essential for effective privacy management. Implementing data quality controls helps ensure information is reliable and up-to-date.

  • Implement data validation processes.
  • Regularly review and update information.
  • Correct inaccuracies promptly.

10. Monitoring and Enforcement

Regularly reviewing and auditing privacy practices helps ensure compliance and identify areas for improvement. Implementing mechanisms for addressing privacy complaints and breaches demonstrates a commitment to privacy.

  • Conduct regular privacy audits.
  • Establish procedures for handling privacy complaints.
  • Take corrective actions for policy violations.
  • Provide a dispute mechanism.

Limiting Data Collection

Limiting data collection is essential to protect individuals' privacy and ensure compliance with privacy principles. Organizations should be transparent about their data collection practices, collect only what is necessary, and secure consent before gathering any new information.

  • Never collect undisclosed information, even if incidental.
  • Revise disclosures and notify individuals of new data being collected.
  • Obtain new consent before collecting additional information.
  • Collect only the minimum information needed for disclosed purposes.
  • Do not retain information longer than necessary.
  • Where technical limitations force collection beyond what data minimization would allow, disclose and manage them.
  • Monitor and verify third parties' privacy practices.
  • Be upfront with users about the sources of collected information.
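The bullets above, together with the Choice and Consent and Collection sections, describe an enforceable rule: store only the fields the privacy notice discloses for a stated purpose, and for opt-in purposes store nothing until consent is on record. The Python example below is added here and is not from the original page. It assumes a hypothetical notice encoded as data (which fields are disclosed per purpose, which purposes are opt-in) and an append-only consent registry where the latest decision per subject and purpose wins, so a withdrawal is honoured without deleting the record of the earlier grant. Undisclosed fields are dropped at the point of collection and only their names are reported back, which is the signal that the disclosure needs revising and new consent obtaining before those fields can be kept.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical privacy notice encoded as data (constructed for this example):
# the fields disclosed for each purpose, and the purposes that require opt-in.
DISCLOSED_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "email", "shipping_address"},
    "marketing": {"email"},
}
OPT_IN_PURPOSES = {"marketing"}


class ConsentRegistry:
    """Append-only log of consent decisions; the latest entry per (subject, purpose) wins."""

    def __init__(self) -> None:
        self._log: List[Tuple[str, str, bool, str]] = []

    def record(self, subject: str, purpose: str, granted: bool, at: str) -> None:
        """Document a grant or withdrawal; earlier entries are kept as history."""
        self._log.append((subject, purpose, granted, at))

    def has_consent(self, subject: str, purpose: str) -> bool:
        for s, p, granted, _ in reversed(self._log):
            if s == subject and p == purpose:
                return granted
        return False  # no recorded decision means no consent

    def history(self, subject: str) -> List[Tuple[str, bool, str]]:
        return [(p, g, at) for s, p, g, at in self._log if s == subject]


@dataclass
class CollectionResult:
    stored: Dict[str, str]
    rejected_fields: List[str] = field(default_factory=list)  # names only, never values
    error: Optional[str] = None


def collect(subject: str, purpose: str, submitted: Dict[str, str],
            consent: ConsentRegistry) -> CollectionResult:
    """Keep only the fields disclosed for `purpose`; refuse opt-in purposes without consent."""
    allowed = DISCLOSED_FIELDS.get(purpose)
    if allowed is None:
        return CollectionResult({}, error=f"purpose not disclosed: {purpose}")
    if purpose in OPT_IN_PURPOSES and not consent.has_consent(subject, purpose):
        return CollectionResult({}, error=f"no consent for purpose: {purpose}")
    stored = {k: v for k, v in submitted.items() if k in allowed}
    rejected = sorted(k for k in submitted if k not in allowed)
    return CollectionResult(stored, rejected)


if __name__ == "__main__":
    registry = ConsentRegistry()
    # Constructed submission: a form that sends more than the notice discloses.
    form = {"name": "A. Person", "email": "a@example.invalid",
            "shipping_address": "1 Example St", "phone": "555-0100", "device_id": "abc123"}
    print(collect("u1", "order_fulfilment", form, registry))
    print(collect("u1", "marketing", {"email": form["email"]}, registry))   # refused
    registry.record("u1", "marketing", True, "2024-01-30T10:00:00Z")
    print(collect("u1", "marketing", {"email": form["email"]}, registry))   # accepted
    registry.record("u1", "marketing", False, "2024-02-01T09:00:00Z")      # withdrawn
    print(registry.has_consent("u1", "marketing"))
```

The design point is that the allowlist lives next to the code that writes to storage, not in a policy document: a new form field or SDK that starts sending extra data is rejected at the boundary and shows up in `rejected_fields`, rather than being retained "incidentally" and discovered in an audit.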

Make your data practices transparent and avoid being dishonest or deceitful. Ensure that all data collection activities are conducted ethically and lawfully, and clearly communicate with individuals about how their information is being collected, used, and protected. This builds trust and maintains the integrity of your organization's privacy commitments.