SCF Privacy Management Principles

In response to a perceived need, volunteers from the Secure Controls Framework (SCF) took up a project to help organizations better understand “privacy principles”, since quite a few privacy frameworks exist and each is unique. The end result is the “SCF Privacy Management Principles”, which is available for free for businesses to use.

For organizations, we found the “apples to oranges” comparison between privacy frameworks was difficult for most non-privacy lawyers to understand. What this project did was identify a dozen of the leading privacy frameworks and create a set of simplified, yet comprehensive, privacy management principles. Below are the frameworks the SCF Privacy Management Principles are mapped to:

  • AICPA’s SOC 2 (2016 & 2017)

  • Asia-Pacific Economic Cooperation (APEC)

  • California Consumer Privacy Act (CCPA)

  • European Union General Data Protection Regulation (EU GDPR)

  • Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)

  • Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)

  • Generally Accepted Privacy Principles (GAPP)

  • ISO 29100

  • NIST 800-53 rev 4

  • Organization for Economic Co-operation and Development (OECD)

  • Office of Management and Budget (OMB) - Circular A-130

  • Personal Information Protection and Electronic Documents Act (PIPEDA)


We took these frameworks and looked for similarities and also for gaps. If you download the SCF Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle we include in our document. This will be a great tool for organizations that may have to address multiple requirements, since it brings a common language to simplify things.


The sixty-four (64) principles of the SCF Privacy Management Principles are organized into ten (10) domains:

  1. Privacy by Design

  2. Data Subject Participation

  3. Limited Collection & Use

  4. Transparency

  5. Data Lifecycle Management

  6. Data Subject Rights

  7. Security by Design

  8. Incident Response

  9. Risk Management

  10. Third-Party Management


When the SCF Privacy Management Principles are tied in with Security & Privacy by Design (S|P), an organization has a great set of free guidance on how to build in both cybersecurity and privacy principles by default.
