In response to a perceived need, volunteers from the Secure Controls Framework (SCF) took up a project to help organizations better understand “privacy principles,” since quite a few privacy frameworks exist and each one is unique. The end result is the “SCF Privacy Management Principles,” which is available for free for businesses to use.
For organizations, we found the “apples to oranges” comparison between privacy frameworks was difficult for most non-privacy lawyers to understand. What this project did was identify a dozen of the leading privacy frameworks and create a set of simplified, yet comprehensive, privacy management principles. Below is what the SCF Privacy Management Principles are mapped to:
AICPA’s SOC 2 (2016 & 2017)
Asia-Pacific Economic Cooperation (APEC)
California Consumer Privacy Act (CCPA)
European Union General Data Protection Regulation (EU GDPR)
Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)
Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)
Generally Accepted Privacy Principles (GAPP)
NIST 800-53 rev 4
Organization for Economic Co-operation and Development (OECD)
Office of Management and Budget (OMB) - Circular A-130
Personal Information Protection and Electronic Documents Act (PIPEDA)
We took these frameworks and looked for similarities and also for gaps. If you download the SCF Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle we include in our document. This will be a great tool for organizations that may have to address multiple requirements, since it brings a common language to simplify things.
The sixty-four (64) principles of the SCF Privacy Management Principles are organized into ten (10) domains:
Privacy by Design
Data Subject Participation
Limited Collection & Use
Data Lifecycle Management
Data Subject Rights
Security by Design
When the SCF Privacy Management Principles are tied in with Security & Privacy by Design (S|P), an organization has a great set of free guidance on how to build in both cybersecurity and privacy principles by default.