The Privacy Management Framework (PMF) can be used as a foundational element in establishing and operating a comprehensive information privacy program that addresses privacy obligations and risks while facilitating current and future business opportunities.
The PMF was created as an update to the former 2009 Generally Accepted Privacy Principles (GAPP). Because of significant changes in technologies and in global, country-specific, local information and data privacy laws and standards, including the publication of the General Data Protection Regulation (GDPR) and updates to the AICPA’s Trust Services Criteria (TSC), the AICPA Privacy Task Force updated the PMF in 2020.
This updated PMF has been approved by both the AICPA Privacy Task Force and the AICPA Information Management and Technology Assurance Executive Committee. The adoption of the PMF is voluntary.
The PMF (PDF file) is a guide to help organizations address the business activities that involve collecting, creating, using, storing and transmitting personal information of individuals.
There are nine components of the PMF:
- Agreement, notice and communication
- Collection and creation
- Use, retention and disposal
- Disclosure to third parties
- Security for privacy
- Data integrity and quality
- Monitoring and enforcement