Controls are your cybersecurity & data privacy program. A control is the power to influence or direct behaviors and the course of events.

SCF Data Privacy Management Principles

In support of the Cybersecurity & Data Privacy by Design (C|P) initiative, a volunteer effort created the SCF Data Privacy Management Principles (DPMP). When you tie the broader C|P in with these privacy management principles, you have an excellent foundation for building and maintaining secure systems, applications and services that address cybersecurity and privacy considerations by default and by design. 

We saw a need and we took action, since many cybersecurity and even privacy professionals have a hard time identifying "what right looks like" when picking a set of privacy principles for an organization to align to. What we did was select over a dozen of the most common privacy frameworks and create a "best in class" approach to managing privacy expectations. The best part is these are all mapped to the SCF, so you can leverage the SCF for both your cybersecurity and privacy needs!

The end result is the SCF's Data Privacy Management Principles:

[Figure: SCF Privacy Management Principles]

For organizations, we found the "apples to oranges" comparison between disparate privacy frameworks was difficult for most people who are not privacy lawyers to understand. What this project did was identify a dozen of the leading privacy frameworks and create a set of simplified, yet comprehensive, privacy management principles. Below are the seventeen (17) different frameworks the SCF Data Privacy Management Principles are mapped to:
  1. AICPA’s Trust Services Criteria (TSC) SOC 2 (2017)
  2. Asia-Pacific Economic Cooperation (APEC)
  3. California Privacy Rights Act (CPRA)
  4. European Union General Data Protection Regulation (EU GDPR)
  5. Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)
  6. Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)
  7. Generally Accepted Privacy Principles (GAPP)
  8. HIPAA Privacy Rule
  9. ISO 27701
  10. ISO 29100
  11. Nevada SB820
  12. NIST SP 800-53 R4
  13. NIST SP 800-53 R5
  14. NIST Privacy Framework v1.0
  15. Organization for Economic Co-operation and Development (OECD)
  16. Office of Management and Budget (OMB) - Circular A-130
  17. Personal Information Protection and Electronic Documents Act (PIPEDA)

We took these frameworks and looked for similarities and also for gaps. If you download the SCF Data Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle we include in our document. This will be a great tool for organizations that may have to address multiple requirements, since it brings a common language to simplify things.

The eighty-six (86) principles of the SCF Data Privacy Management Principles are organized into eleven (11) domains:

  1. Privacy by Design
  2. Data Subject Participation
  3. Limited Collection & Use
  4. Transparency
  5. Data Lifecycle Management
  6. Data Subject Rights
  7. Security by Design
  8. Incident Response
  9. Risk Management
  10. Third-Party Management
  11. Business Environment