GAPP Targets Privacy Risks

Principles provide a comprehensive, scalable framework for managing compliance and reputation threats.

As of early 2011, 46 states had enacted some form of privacy regulation. In particular, those enacted by Massachusetts and Nevada in 2010 significantly raised the bar in terms of business requirements. Even organizations that have no facilities or personnel in Massachusetts may be subject to the state’s regulations if they maintain personal information about any Massachusetts resident. The Nevada law applies only to an organization doing business in Nevada. It requires the use of encryption when data storage devices containing personal information are moved beyond the physical or logical controls of the organization or when data is transferred electronically (other than by fax) outside the secure system of an organization.


Beyond the expanding U.S. federal legislation and tougher and more pervasive state legislation, other factors increasing privacy-related risks include expansion and enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and international standards. Particularly noteworthy within international standards is the European Union (EU) Data Protection Directive (also known as Directive 95/46/EC). It requires member states (countries) to enact laws prohibiting the transfer of personal information to those countries outside the EU that fail to ensure an adequate level of privacy protection (the U.S. and the EU have established a safe harbor program to meet this concern). Further, the consequences of failing to protect personal information include potential damage to the organization’s reputation, brand or business relationships; the possibility of legal liability and industry or regulatory sanctions; possible charges of deceptive business practices; customer or employee distrust; and, in some extreme cases, possible exposure to criminal charges.


Such was the case in March 2011 when Google Inc. agreed, without admitting or denying Federal Trade Commission (FTC) charges, to a settlement with the FTC related to alleged deceptive representations and violation of Google’s own privacy policy when it launched its social network, Google Buzz, in 2010. The groundbreaking proposed settlement, a first in the history of FTC settlement orders, required Google to implement a comprehensive privacy program to protect consumers’ personal information. It also called for regular, independent privacy audits for the next 20 years.


This article provides a brief overview of current and emerging privacy-related risks—from regulation and reputation damage—and then demonstrates how businesses can address these risks by leveraging the AICPA/Canadian Institute of Chartered Accountants’ (CICA) Generally Accepted Privacy Principles (GAPP) framework.



GAPP brings together international privacy regulatory requirements and best practices in one framework based on 10 privacy principles (see sidebar, “10 Generally Accepted Privacy Principles,” below). The overall objective of the application of GAPP is as follows:


  Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.


Each privacy principle is supported by objective, measurable criteria (73 in total) that form the basis for effective management of privacy risk and compliance in an organization. Illustrative controls and procedures are provided for each criterion.


The application of three criteria in particular, along with illustrative controls and procedures for each (shown in Exhibit 1), make GAPP a scalable privacy risk management framework.



10 Generally Accepted Privacy Principles

  1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
  2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
  3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
  4. Collection. The entity collects personal information only for the purposes identified in the notice.
  5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
  6. Access. The entity provides individuals with access to their personal information for review and update.
  7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
  8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
  9. Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
  10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.



The five primary steps related to the deployment of GAPP are summarized as follows:


Step 1: Data inventory and privacy nexus. The term “privacy nexus” means understanding what privacy regulations a business is subject to. Therefore, the first step in managing privacy risks is to understand what personal information, in either hard copy or electronic form, the business processes and/or has in its custody and then to understand legal requirements that might apply to that information. Personal information is information that is about, or can be related to, an identifiable individual. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Privacy regulations are both jurisdictional (related to the state or country of an individual’s residence) and regulatory (related to certain industries).


Understanding privacy nexus requirements is critical to fulfillment of criterion 1.2.2, “Consistency of Privacy Policies and Procedures with Laws and Regulations.” This criterion is linked to several other criteria throughout GAPP, where consideration is made to relevant laws and regulations. It is this consideration in criterion 1.2.2 that ensures GAPP is tailored to any business’ specific legal privacy requirements. As part of ensuring all legal requirements are understood, the business should consider compiling and maintaining an inventory of personal information collected and/or processed, segmented by privacy nexus requirement (jurisdictional—that is, state, country level—and/or regulatory, for example, the Gramm-Leach-Bliley Act or HIPAA).


Understanding the data associated with personal information is useful for identifying the processes that involve or could involve personal data, and for the owner of those processes. By identifying the processes and business owners of personal information, the business can then understand the end-to-end flow of personal information including:


  • Definition of specific personal information about customers and employees the organization collects and retains, including the methods in which this information is obtained, captured, stored and transmitted.
  • Definition of specific personal information that is used in carrying out business, for example, in sales, marketing, fundraising and customer relations, including the methods in which this information is obtained, captured, stored and transmitted.
  • Definition of specific personal information that is obtained from, or disclosed to, affiliates or third parties, for example, in payroll outsourcing, including the methods in which this information is obtained, captured, stored and transmitted.
  • Identification of infrastructure components used in the receipt, processing, recording, reporting and communication of personal information.
  • Identification of personnel (including third parties) that have been granted access or potentially could access the personal information and how.


Businesses may find it helpful to prepare a flowchart that depicts the flow of personal information, including inputs, processing, points of storage, outputs, personnel and/or third parties that are involved in various aspects of the flow, as well as who could access the personal information. This documentation of the data flows can also be a useful way to identify any points in the data flow that represent significant inherent risks and whether mitigating controls exist for those risks. The flowchart should identify the information system components (networks, applications, databases, end-user computing, etc.), used in receipt, processing, storage, access and reporting of personal information.


Step 2: Risk assessment. The information compiled in data inventory and privacy nexus is necessary for the organization to fulfill criterion 1.2.4, “Risk Assessment.” This criterion is designed to direct the organization to understand the inherent risks associated with its use of personal information. In particular, the information flow and understanding of the role of information technology and third parties can be useful in identifying inherent operational risks associated with the protection of personal information, and whether appropriate mitigating controls exist. Since information security is a critical component of privacy risk management, the risk assessment should include assessment of specific information-security-related risks.


Step 3: Assess compliance against GAPP criteria. This step involves reviewing the company’s existing privacy management policies, procedures and control functions relative to the specific criteria defined by the AICPA/CICA GAPP framework. The organization should start this step by fulfilling the requirements of criterion 1.2.10, “Privacy Awareness and Training,” to help ensure all affected personnel understand the objectives for the assessment, the applicable privacy laws and regulations, and the detailed GAPP criteria. This step often may involve some combination of interviews and self-assessment questionnaires to understand and record the organization’s current practices relative to each privacy criterion.


By comparing the company’s existing practices for each privacy criterion, the organization (or auditor conducting an examination) can determine whether control practices are adequate to fulfill the control criterion, or whether some remedial action is needed, and if so, what remediation is necessary.


Step 4: Establish GAPP-based controls. This step involves management remediating control gaps identified in the GAPP compliance assessment. The organization should update the GAPP assessment report periodically (see “Example GAPP Assessment Report” with the online version of this article on and policies and procedures as appropriate to reflect the existing controls accurately.


Step 5: Monitor GAPP controls. The 10th principle of GAPP, “Monitoring and Enforcement,” defines criteria associated with monitoring a wide range of compliance considerations; as well as complaints or potential instances of noncompliance; and reporting and involvement of management ultimately responsible for privacy risk management.


Optional step: Attestation. Service organizations that provide personal-information- related services on behalf of other organizations (that is, user entities) may find it necessary and/or appropriate to provide those user entities with a report of an auditor’s examination to provide independent assurance related to the organization’s privacy risk management practices. Under AICPA Statements on Standards for Attestation Engagements, the practitioner may report on either management’s assertion or the subject matter of the engagement.


Readers interested in more specific guidance should refer to the AICPA publications Generally Accepted Privacy Principles, CPA and CA Practitioner Version, August 2009, and Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) (also see related article, “Expanding Service Organization Controls Reporting,” page 46).


Exhibit 1

Criteria for a Scalable Privacy Risk Management Framework


GAPP Criteria for Management Principles

Illustrative Controls and Procedures

1.2.2 Consistency of Privacy Policies and Procedures with Laws and Regulations

Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.

Corporate counsel or the legal department:

  • Determines which privacy laws and regulations are applicable in the jurisdictions in which the entity operates.
  • Identifies other standards applicable to the entity.
  • Reviews the entity’s privacy policies and procedures to ensure they are consistent with the applicable laws, regulations and appropriate standards.

1.2.4 Risk Assessment

A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.

A process is in place to periodically identify the risks to the entity’s personal information. Such risks may be external (such as loss of information by vendors or failure to comply with regulatory requirements) or internal (such as emailing unprotected sensitive information). When new or changed risks are identified, the privacy risk assessment and the response strategies are updated.


The process considers factors such as experience with privacy incident management, the complaint and dispute resolution process, and monitoring activities.

1.2.5 Consistency of Commitments with Privacy Policies and Procedures

Internal personnel or advisers review contracts for consistency with privacy policies and procedures and address any inconsistencies.

Both management and the legal department review all contracts and service-level agreements for consistency with the entity’s privacy policies and procedures.



Click here to download an example of a GAPP assessment report.





  State, federal and foreign governments are expanding privacy compliance regulations.


  Businesses need to regularly assess privacy risks and deploy effective controls. Good security practices do not by themselves represent effective privacy risk management.


  Businesses should prepare flowcharts and have other documentation that show how and when they capture personal information; how it is processed, stored and distributed; and who can access it at any time.


  Generally Accepted Privacy Principles (GAPP) provide a comprehensive and scalable approach to managing privacy risks.


  Practitioners can leverage GAPP to provide advisory and attestation services.


Dan Schroeder ( is a partner at Habif, Arogeti & Wynne LLP in Atlanta and chair of the AICPA’s Information Technology Executive Committee. Nancy A. Cohen ( is a senior technical manager with the AICPA.


To comment on this article or to suggest an idea for another article, contact Kim Nilsen, editorial director, at or 919-402-4048.





JofA articles


Use to find past articles. In the search box, click “Open Advanced Search” and then search by title.




For more information or to make a purchase, go to or call the Institute at 888-777-7077.



  • Privacy/Data Protection,, which has many downloadable checklists and tools on using GAPP in practice, including, but not limited to: Privacy Risk Assessment Tool, which is designed to help CPAs, CAs, management, owners and other privacy professionals perform a privacy risk assessment in an effective and comprehensive manner; and Privacy Maturity Model, which provides entities with a useful and effective means of assessing privacy programs against a recognized maturity model and has the added advantage of identifying the next steps required to move the privacy program ahead.
  • Service Organization Control Reports (formerly SAS 70 reports),


IT Center and CITP credential

The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Membership Section or the CITP credential, visit


More from the JofA:


 Find us on Facebook  |   Follow us on Twitter  |   View JofA videos

Where to find August’s flipbook issue

The Journal of Accountancy is now completely digital. 





Better decision-making with data analytics

Data analytics has become a hot topic, but many organizations have not yet managed to understand its potential, let alone put it to work. This report will take a deep-dive on how to best introduce or enhance the use of data in decision-making.