·         Strategizing—Performing privacy strategic and business planning

·         Diagnosing—Performing privacy gap and risk analysis

·         Implementing—Introducing and institutionalizing solutions

·         Sustaining/managing—Monitoring activities of a privacy program

·         Auditing—Internal or external auditors evaluating the organization's privacy program

The following table summarizes and illustrates how Generally Accepted Privacy Principles can be used by an organization to address these business activities. 

Activity	General Discussion	Potential use of GENERALLY ACCEPTED PRIVACY PRINCIPLES
Strategizing	Vision. An entity's strategy is concerned with its long-term direction and prosperity. The vision identifies the entity's culture and helps shape and determine how the entity will interact with its external environment, including customers, competitors, and legal, social, and ethical issues.   Strategic Planning. This is an entity's overall master plan, encompassing its strategic direction. Its objective is to ensure that the entity's efforts are all headed in a common direction. The strategic plan identifies the entity's long-term goals and major issues for becoming privacy-compliant.   Resource Allocation. This step identifies the human and financial resources allocated to achieve the goals and objectives set forth in the strategic plan or business plan.	Vision. Within an entity's privacy effort, establishing the vision helps the entity integrate preferences and prioritize goals.           Strategic Planning. Within an entity's privacy effort, Generally Accepted Privacy Principles can be used to assist the organization in identifying significant components that need to be addressed.         Resource Allocation. Using Generally Accepted Privacy Principles, the entity would identify the people working with and responsible for areas that might include systems management, privacy and security concerns, and stipulate the budget for their activities.   Overall Strategy. A strategic document describes expected or intended future development. Generally Accepted Privacy Principles can assist an entity in clarifying plans for the systems under consideration or for the business's privacy objectives. The plan identifies the process to achieve goals and milestones. It also provides a mechanism to communicate critical implementation elements, including details on services, budgets, development costs, promotion, and privacy advertising.
Diagnosing	This stage, often referred to as the assessment phase, encompasses a thorough analysis of the entity's environment, identifying opportunities where weaknesses, vulnerability, and threats exist. The most common initial engagement for an organization is an assessment. The purpose of an assessment is to evaluate the entity against its privacy goals and objectives and determine to what extent the organization is achieving those goals and objectives.	Generally Accepted Privacy Principles can assist the entity in understanding its high-level risks, opportunities, needs, privacy policy and practices, competitive pressures, and the requirements of the relevant laws and regulations to which the entity is subject.   Generally Accepted Privacy Principles provides a legislative-neutral benchmark to allow the entity to assess the current state of privacy against the desired state.
Implementing	At this point, an action plan is mobilized and/or a diagnostic recommendation is put into effect. Implementing involves the execution of all planned and other tasks necessary to make the action plan operational. It includes the definition of who will perform what tasks, assigning responsibilities, and establishing schedules/milestones. This involves the planning and implementation of a series of planned projects to provide guidance, direction, methodology, and tools to the organization in developing its initiatives.	Generally Accepted Privacy Principles can assist the entity in meeting its implementation goals. At the completion of the implementation phase, the entity should have developed the following deliverables:   Converted systems, procedures, and processes to address the privacy requirements Updated privacy compliant forms, brochures, and contracts Internal and external privacy awareness programs
Sustaining/ Managing	Sustaining/Managing involves monitoring the work to identify how progress differs from the action plan in time to initiate corrective action. Monitoring refers to the management policies, processes, and supporting technology to ensure compliance with organizational privacy policies and procedures and the ability to exhibit due diligence.	The entity can use Generally Accepted Privacy Principles, for example, to develop appropriate reporting criteria for monitoring requests for information, the sources used to compile the information and the information actually disclosed. It can also be used for determining validation procedures to ensure that the parties to whom the information was disclosed are entitled to receive that information.
Internal privacy audit	Internal auditors provide objective assurance and consulting services designed to add value and improve an entity's operations. They help an entity accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.	Internal auditors can evaluate an entity's privacy program using Generally Accepted Privacy Principles as a benchmark and provide useful information and reporting to management.
External privacy audit	External auditors, notably CAs and CPAs, can perform assurance services. Generally, an external audit of financial and nonfinancial information builds trust and confidence for individuals, management, customers, business partners, and other users.	An external auditor can evaluate an entity's privacy program in accordance with Generally Accepted Privacy Principles and provide reports useful to individuals, management, customers, business partners, and other users.

Back to top