SCF Privacy Management Principles

In response to a perceived need, volunteers from the Secure Controls Framework (SCF) took up a project to help organizations better understand “privacy principles,” since quite a few privacy frameworks exist and each is unique. The end result is the “SCF Privacy Management Principles,” which is available free of charge for businesses to use.

For organizations, we found the “apples to oranges” comparison between privacy frameworks difficult for anyone other than privacy lawyers to follow. This project identified a dozen of the leading privacy frameworks and distilled them into a set of simplified, yet comprehensive, privacy management principles. The SCF Privacy Management Principles are mapped to the following:

  • AICPA’s SOC 2 (2016 & 2017)

  • Asia-Pacific Economic Cooperation (APEC)

  • California Consumer Privacy Act (CCPA)

  • European Union General Data Protection Regulation (EU GDPR)

  • Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)

  • Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)

  • Generally Accepted Privacy Principles (GAPP)

  • ISO 29100

  • NIST 800-53 rev 4

  • Organization for Economic Co-operation and Development (OECD)

  • Office of Management and Budget (OMB) - Circular A-130

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

We took these frameworks and looked for both similarities and gaps. If you download the SCF Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle included in the document. This is a useful tool for organizations that have to address multiple requirements, since it brings a common language to simplify things.

The sixty-four (64) principles of the SCF Privacy Management Principles are organized into ten (10) domains:

  1. Privacy by Design

  2. Data Subject Participation

  3. Limited Collection & Use

  4. Transparency

  5. Data Lifecycle Management

  6. Data Subject Rights

  7. Security by Design

  8. Incident Response

  9. Risk Management

  10. Third-Party Management

When the SCF Privacy Management Principles are paired with the Security & Privacy by Design (S|P) principles, an organization has a solid set of free guidance on how to build in both cybersecurity and privacy by default.




© 2021. Secure Controls Framework Council, LLC

