Generally Accepted Privacy Principles
In accountancy, the Generally Accepted Privacy Principles (GAPP) are a framework intended to help chartered accountants and certified public accountants build an effective privacy program for managing and preventing privacy risks. The framework was developed jointly by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force. Its privacy criteria were later folded into the AICPA Trust Services Criteria against which SOC 2 reports are issued.[1]
The GAPP framework was previously known as the AICPA/CICA Privacy Framework and is founded on a single privacy objective: personal information must be collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity's privacy notice and with the criteria set out in GAPP as issued by the AICPA/CICA. This objective is supported by ten principles and more than seventy objectives, each with associated measurable criteria. The ten principles are:
- Management
- Notice
- Choice and consent
- Collection
- Use, retention and disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement
Privacy is defined in the Generally Accepted Privacy Principles as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information".[2]
Management
The management principle requires the entity to define, document, communicate and assign accountability for its privacy policies and procedures. Having a formal privacy management program, rather than ad hoc practices, is what lets an organization demonstrate to users that it treats their information as it says it does. The core elements are data minimization, purpose limitation, data accuracy, data security and accountability: only the data needed for a stated purpose is collected and it is used only for that purpose, it is kept accurate and current, appropriate safeguards protect it, and the organization answers for any failure. These elements can be grouped into four components of privacy management: data collection and consent management, security, privacy impact assessments, and privacy policies and training.[3]
Data collection and consent management: This component tells users what information is collected and obtains their consent before collection, which reduces misunderstandings about policy or process and builds trust. In many jurisdictions consent is a legal precondition for collecting certain categories of personal data, so obtaining it is one of the most important steps. The organization must not only obtain consent but also record it (what was consented to, when, and how), so that it can later demonstrate that the consent existed.[3]
Security: Security measures tie the other components together and maintain privacy across the data lifecycle. They protect collected data, verify that it remains accurate and current, and ensure that data is disposed of securely once it is no longer needed, so that nobody else can obtain it afterwards.[3]
Privacy policy procedures: These procedures help organizations understand and comply with the laws and standards that apply to the personal data they hold. Applicable laws are monitored for changes and internal policies are updated accordingly. Employees must also be trained on these rules, since a policy that staff do not follow offers no protection in practice; training is what turns the written policy into actual behaviour.[4]
Privacy impact assessments (PIAs): A PIA analyzes how a system or process collects, uses, maintains and shares personal information, so that the organization can identify and fix problems in its handling before they cause harm. For U.S. federal agencies, PIAs became mandatory under the E-Government Act of 2002. A published PIA also lets an organization communicate clearly to its users how their data is collected and used, which builds trust. PIAs are typically carried out by the IT and privacy functions on the systems operated by the rest of the organization, to confirm that they are current and handle data correctly. The U.S. Centers for Medicare & Medicaid Services (CMS), for example, distinguishes four assessment types depending on what information a system handles: a standard PIA, which analyzes how personal information is handled; an Internal PIA, which is similar but applies only to systems that collect personal information of CMS employees and direct contractors; a Privacy Threshold Analysis (PTA), for systems that do not collect, maintain, disseminate or dispose of personal information; and a Third-Party Website or Application (TPWA) assessment, for the analysis of third-party websites or applications.[5]
Notice
Privacy notices help users make informed decisions about the data an organization will collect and use. The notice is a public document from the organization that describes how users' data will be collected, used and protected, and any other part of the process a user needs to know about. It is presented in a timely manner, at or before the point of collection, and in language as clear as possible so as to minimise confusion. If the organization uses a third party to collect data on its behalf, the notice must say so. The goal is to inform users of the data collection process clearly enough that they are not left guessing about what happens to their personal information.[6]
Choice and consent
Choice and consent let individuals control how much of their personal data is collected and how it is used. The jurisdiction, the industry, the sector the user belongs to and the kind of information involved all affect what choices must be offered and how the data may be handled. For more sensitive categories of information, explicit consent is required before the data can be collected. Users are usually given a clearly visible opt-in or opt-out choice so that there is no ambiguity about what they have agreed to.[7]
Collection
The collection principle requires that personal information be collected only for the purposes identified in the privacy notice. In an accounting context this extends to data gathered while collecting payments and maintaining client relationships, which must be done efficiently. For the data collection process itself, the principles require protecting data as it is collected, checking the validity of what is collected, telling users that their data is being collected, and obtaining their consent. Informing users of the purpose for which the data is collected is as important as obtaining that consent.[8]
Use, retention and disposal
The use, retention and disposal principle requires that personal information be used only for the purposes identified in the notice, retained only as long as it is needed for those purposes or required by law, and then securely disposed of; no data is held indefinitely. The organization defines a retention period for each category of data; retention periods vary between organizations, are set by the stated purpose and by legal requirements, and give a clear timeline for how long data is kept. Disposal means destroying the data so thoroughly that no part of it can be recovered, and it has to reach every copy of the data, including backups and exports, not just the primary store.[9]
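As an added worked example, not part of GAPP or of any cited source, the following Python enforces a retention schedule over a constructed set of personal-data records and produces a disposal log that records the fact of disposal without re-collecting the data being destroyed. The record format, the category-to-days schedule and the sample records are assumptions made for illustration. It also handles two failure modes a practitioner runs into: records whose category has no retention rule are flagged rather than silently kept or deleted, and timestamps without a timezone are rejected rather than guessed at.

```python
"""Retention-period enforcement and disposal logging over an in-memory dataset.

Added example; not part of GAPP or any AICPA/CICA material. The record
format, the retention schedule and the sample records are assumptions
constructed for illustration.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: data category -> days to keep after collection.
# In a real program each entry is tied to a purpose stated in the privacy notice
# or to a legal retention requirement.
RETENTION_DAYS = {
    "support_ticket": 365,
    "marketing_preference": 730,
    "payment_transaction": 2555,  # roughly seven years, a common accounting period
}

# Constructed sample records; the e-mail addresses are placeholders.
SAMPLE_RECORDS = [
    {"id": "r1", "category": "support_ticket", "collected_at": "2023-01-15T10:00:00+00:00", "email": "alice@example.com"},
    {"id": "r2", "category": "support_ticket", "collected_at": "2025-06-01T10:00:00+00:00", "email": "bob@example.com"},
    {"id": "r3", "category": "marketing_preference", "collected_at": "2022-03-01T00:00:00+00:00", "email": "carol@example.com"},
    {"id": "r4", "category": "payment_transaction", "collected_at": "2020-01-01T00:00:00+00:00", "email": "dave@example.com"},
    {"id": "r5", "category": "survey_response", "collected_at": "2019-01-01T00:00:00+00:00", "email": "erin@example.com"},
]


def expiry_of(record: dict) -> datetime | None:
    """Return the instant a record's retention period ends, or None if its
    category has no schedule. Timestamps must carry a timezone; naive
    timestamps are rejected rather than guessed at."""
    days = RETENTION_DAYS.get(record["category"])
    if days is None:
        return None
    collected = datetime.fromisoformat(record["collected_at"])
    if collected.tzinfo is None:
        raise ValueError(f"record {record['id']}: collected_at must be timezone-aware")
    return collected + timedelta(days=days)


def classify(records: list[dict], now: datetime) -> dict[str, list[dict]]:
    """Split records into expired, retained and unscheduled groups."""
    groups: dict[str, list[dict]] = {"expired": [], "retained": [], "unscheduled": []}
    for r in records:
        exp = expiry_of(r)
        if exp is None:
            groups["unscheduled"].append(r)  # no schedule: flag it, never silently keep it
        elif exp <= now:
            groups["expired"].append(r)
        else:
            groups["retained"].append(r)
    return groups


def dispose(records: list[dict], expired: list[dict], now: datetime):
    """Drop expired records and return (remaining, disposal_log).

    The log proves disposal happened without re-collecting the personal data
    being destroyed: it carries only a hash of the record id, the category
    and the timestamp. Deleting an in-memory object is not secure erasure;
    a real implementation must also reach backups and exports."""
    expired_ids = {r["id"] for r in expired}
    remaining = [r for r in records if r["id"] not in expired_ids]
    log = [
        {
            "record_ref": hashlib.sha256(r["id"].encode()).hexdigest()[:16],
            "category": r["category"],
            "disposed_at": now.isoformat(),
        }
        for r in expired
    ]
    return remaining, log


def enforce(records: list[dict], now_iso: str) -> dict:
    """Run one enforcement pass as of `now_iso` and report the outcome."""
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    groups = classify(records, now)
    remaining, log = dispose(records, groups["expired"], now)
    return {**groups, "remaining": remaining, "disposal_log": log}


if __name__ == "__main__":
    result = enforce(SAMPLE_RECORDS, "2025-12-01T00:00:00+00:00")
    for name in ("expired", "retained", "unscheduled"):
        print(name, [r["id"] for r in result[name]])
    print("disposal log:", result["disposal_log"])
```

Removing the object from memory is not disposal in the sense the principle requires; a production version issues the deletion against every store holding the record, including backups and exports, and keeps the disposal log somewhere it can be shown to an auditor.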
Access
The access principle gives individuals the right to learn whether an organization holds data about them, to obtain and review that data, to verify its accuracy, and to have inaccurate or invalid data corrected or deleted. Users have the right to ask for access to their data, and organizations should make a genuine effort to provide it. Access may be denied in some cases, for example where disclosing the data would violate another person's privacy or rights.[2]
Disclosure to third parties
The disclosure to third parties principle governs the sharing of personal information with external parties other than those the individual intended to receive it. Phone numbers, financial account details, transaction history and any other personal information fall under it. Disclosure to third parties is sometimes necessary, for example for credit evaluations or fraud prevention, and in those cases the information must still be handled carefully and protected by the recipient. Whether sharing is required or merely beneficial to the organization, it must be done correctly, in line with the applicable laws and regulations, and only for purposes covered by the notice and the individual's consent.[10]
Security for privacy
The security for privacy principle protects users' data from unauthorized access, attacks, breaches and other malicious activity. The safeguards apply both internally and externally and are meant to prevent unauthorized alteration or loss of data. The principle has two parts, data security and data privacy. Data security protects data from threats and malicious actors through technical, physical and administrative controls, whereas data privacy governs how data is handled and protects individuals' rights over it. A key reference point for the security side is the CIA triad, which addresses the confidentiality, integrity and availability of data. Confidentiality means that only authorized users can access sensitive data; integrity means that the data remains accurate and unaltered throughout its lifecycle; and availability means that authorized users can reach the data when they need it.[11]
Quality
The quality principle focuses on keeping the integrity of personal information high. This covers the accuracy and completeness of the data, preventing data loss, and holding only the data needed for the purposes stated in the privacy notice. Quality interacts closely with the other principles, since accurate data is a precondition for correct use, access and disclosure.[12]
Monitoring and enforcement
Organizations are required to comply with privacy laws, take accountability when things go wrong, and resolve the resulting issues. Monitoring often starts with training employees on privacy laws and regulations so that problems are avoided in the first place; enforcement means being ready to address complaints and disputes from users when something does go wrong.[13]
Implementing a privacy program
Once an organization understands the GAPP principles it can build its own privacy program to apply them in everyday operations. The first step is an action plan that defines privacy ownership, assigns responsibilities and tasks, and sets an implementation schedule so that goals and progress can be measured.
This plan should be monitored and updated as privacy practices evolve, and it should be sustained and followed by employees. The main way to bring the organization on board is training, in which employees learn the action plan so they can work within its rules.[14]
An organization that does not do this is exposed to privacy failures that can seriously damage its reputation. GAPP gives organizations a stable framework for avoiding such failures and for building a program tailored to their own operations while still following its principles. Key components to keep in mind are:[15]
- Conduct regular privacy audits
- Train employees on privacy practices and principles
- Maintain clear and concise communication between the organization and its customers
References
1. "SOC 2 Compliance". Imperva. Retrieved 2019-11-18.
2. "Generally Accepted Privacy Principles, CPA and CA Practitioner Version" (PDF). American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants. August 2009. Retrieved 2025-11-19.
3. "Understanding the 7 data privacy principles". Usercentrics. Retrieved 2025-11-29.
4. Editorial Team (2024-12-09). "What is Privacy Management: Why It Matters for Your Business?". WP Legal Pages. Retrieved 2025-11-28.
5. "Privacy Impact Assessment (PIA) | CMS Information Security and Privacy Program". security.cms.gov. Retrieved 2025-11-28.
6. Wolford, Ben (2018-07-11). "Writing a GDPR-compliant privacy notice (template included)". GDPR.eu. Retrieved 2025-11-28.
7. "Choice and Consent: Key Strategies for Data Privacy". TrustArc. Retrieved 2025-11-04.
8. CDC (2024-10-04). "Data Sharing and Collection Principles and Standards". Program Collaboration and Service Integration. Retrieved 2025-11-04.
9. Clarke, Isaac (2017-09-13). "GAPP Privacy: 10 Generally Accepted Privacy Principles". Linford & Company LLP. Archived from the original on 2023-12-06. Retrieved 2025-11-04.
10. Cobrief (2025-04-12). "Disclosure of account information to third parties: Overview, definition, and example". Cobrief. Retrieved 2025-11-04.
11. "Data Security and Privacy: Strategies, Tools, and Best Practices". acceldata.io. Retrieved 2025-11-04.
12. Adesogbon, Oluwafemi (2025-02-13). "Ensuring Data Privacy and Compliance: A Comprehensive Guide to Generally Accepted Privacy Principles (GAPP)". Cyphamz. Retrieved 2025-11-28.
13. "Data Privacy Framework". dataprivacyframework.gov. Archived from the original on 2025-10-12. Retrieved 2025-11-28.
14. Clarke, Isaac (2017-09-13). "GAPP Privacy: 10 Generally Accepted Privacy Principles". Linford & Company LLP. Archived from the original on 2023-12-06. Retrieved 2025-11-29.
15. Security Compass (2024-12-13). "What Is GAPP?". Security Compass. Retrieved 2025-11-29.