Computerworld - If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley. Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.
What is the GAPP? I have to agree with the auditors on this one. It's the best attempt so far to address the main point of pain for global chief privacy officers: the growing complexity of privacy regulations around the world.
The GAPP is a framework that bridges the differences between North American, European and Asian privacy standards through a set of privacy principles common to all. If a company addresses the relevant criteria under each principle, it can simplify its approach to meeting the key requirements of most of these national privacy laws. (See table for the GAPP principles.) Simpler means lower legal fees and less system rework.
So is the GAPP a plot of the EU, the people who brought us privacy as we know it? Surprisingly not. It's the creation of the American Institute of CPAs (AICPA) and the Canadian institute of CAs (CICA ). It's not very often that history allows a small group of people to define a profession for generations to come, but that's what may have happened in 2002 when these associations formed a joint privacy task force. Comprised of external and internal auditors, sole practitioners and academics, their goal was to hammer out a common set of rules for building and auditing privacy programs.
By 2006, the resulting framework had won the support of ISACA and the Institute of Internal Auditors (IIA ). Including the AICPA and CICA, these groups represent over 650,000 professionals worldwide. This is what I mean by closing ranks. Love it or hate it, the GAPP is going to be the standard by which your company's privacy is measured.
"I expect to see more and more companies adopting the GAPP in the future," Sagi Leizerov told me. Leizerov is with Ernst & Young's privacy practice and a member of the AICPA privacy task force.
"One key reason for that is the increased interest and prevalence of privacy audits," he continued. "Considering that the GAPP is the central criteria used by auditors, it will impact CPOs, who will increasingly turn to it when they build their privacy programs."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
