Protecting personal information using Generally Accepted Privacy Principles (GAPP) and Continuous Control Monitoring to enhance corporate governance

Abstract

The first decade of the new millennium may well become known as the era of data breaches. In a recent speech given by the Federal Trade Commission's (FTC) Chief Privacy Officer, Marc Groman, he emphasised to the National Association of Secretaries of States to prepare well because ‘you will have a data breach’ (Washington, DC, 18th February, 2008). This article discusses the present privacy crisis and offers a solution to managing and reducing privacy risk through the use of the AICPA/CICA's Generally Accepted Privacy Principles (GAPP). When the court of public opinion or the FTC is grilling an organisation regarding a data breach, the best defence for the organisation is to provide evidence, such as adherence to GAPP criteria or an actual GAPP audit, that they were diligent and serious about data protection policies. Recently, the Chair of Her Majesty's Revenue & Customs in the UK resigned after 25 million Britons had their personal information compromised and the investigation revealed that a mere $102,000 spent on data redaction would have prevented the snafu (see references 1 and 2). Top management, including CEOs, CFOs, CISOs, and CPOs all need to be aware of privacy risk management issues and techniques to reduce privacy risk. Researchers need to help advance the development and measurement of privacy-enhancing techniques and the implementation of GAPP in order to help move organisations along the Privacy Maturity Model. This article is written by a member of the AICPA's Privacy Task Force and a Certified Information Privacy Professional.