Generally Accepted Privacy Principles (GAPP)

Updated: Oct 20, 2021

Let us start by understanding the challenges faced by organizations that led to the creation of privacy frameworks.


The Privacy Challenge for Businesses


Organizations around the world are gathering increasing quantities of personal information as corporate systems and procedures get more complicated and sophisticated. As a result, personal information is subject to a wide range of threats, including loss, misuse, unauthorized access, and unauthorized disclosure. Organizations are finding it challenging to mitigate these threats and maintain a balance between the appropriate collection and use of their customers’ personal information.


International Privacy Compliance


Many countries have their own privacy laws and regulations governing cross-border data flow, and an organization must comply with them if it wants to do business in that country. International privacy compliance is therefore a complex and challenging task: different countries have different privacy requirements, and new regulations and amendments are always around the corner.


Let’s understand the global privacy landscape with the help of an infographic that shows data protection laws around the world:



With so many privacy regulations in place and a rapidly changing privacy landscape across the globe, organizations need a framework built around global privacy standards to ensure compliance with global privacy regulations and develop a cross-regulatory compliance strategy that encompasses GDPR, CCPA, LGPD, POPIA, and beyond.


Generally Accepted Privacy Principles (GAPP)

To address the challenges discussed above, the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) collaborated to create a privacy framework called Generally Accepted Privacy Principles (GAPP) to help organizations understand their privacy obligations and build an effective privacy program for managing and preventing privacy risks.

The GAPP framework is built on the main privacy objective, which states: Personally identifiable information must be collected, used, retained, and disclosed in compliance with the commitments in the organization’s privacy notice and with the criteria set out in the GAPP.

To help achieve this privacy objective, there are ten main principles in the GAPP framework that organizations must implement to prevent privacy risks. Let’s discuss each one in detail.

  1. Management: Define, document, communicate, and assign accountability for its privacy policies and procedures.

  2. Notice: Provide notice about its privacy policies and procedures and identify the purposes for which personal information is collected, used, retained, and disclosed.

  3. Choice and consent: Describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

  4. Collection: Collect personal information only for the purposes identified in the notice.

  5. Use, retention, and disposal: Limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Retain personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations, and thereafter appropriately dispose of such information.

  6. Access: Provide individuals with access to their personal information for review and update.

  7. Disclosure to third parties: Disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

  8. Security for privacy: Protect personal information against unauthorized access (both physical and logical).

  9. Quality: Maintain accurate, complete, and relevant personal information for the purposes identified in the notice.

  10. Monitoring and enforcement: Monitor compliance with its privacy policies and procedures and have procedures in place to address privacy-related complaints and disputes.

In our next article we will talk about privacy requirements for international data transfers.


