
SCF Data Privacy Management Principles

In support of the Cybersecurity & Data Privacy by Design (C|P) initiative, a volunteer effort created the SCF Data Privacy Management Principles (DPMP). When you tie the broader C|P in with these privacy management principles, you have an excellent foundation for building and maintaining secure systems, applications and services that address cybersecurity and privacy considerations by default and by design.

We saw a need and we took action, since many cybersecurity and even privacy professionals have a hard time identifying "what right looks like" when picking a set of privacy principles for an organization to align to. What we did was select over a dozen of the most common privacy frameworks and create a "best in class" approach to managing privacy expectations. The best part is these are all mapped to the SCF, so you can leverage the SCF for both your cybersecurity and privacy needs!

The end result is the SCF's Data Privacy Management Principles (the DPMP is a tab that is part of the SCF download).

For organizations, we found the “apples to oranges” comparison between disparate privacy frameworks was difficult for most non-privacy lawyers to understand. What this project did was identify a dozen of the leading privacy frameworks and create a set of simplified, yet comprehensive, privacy management principles. Below are the thirty-one (31) different frameworks the SCF Data Privacy Management Principles is mapped to:
  1. AICPA TSC 2017:2022 (used for SOC 2)
  2. Asia-Pacific Economic Cooperation (APEC) Privacy Framework 2015
  3. Generally Accepted Privacy Principles (GAPP)
  4. ISO 27701:2025
  5. ISO 29100:2024
  6. NIST Privacy Framework 1.0
  7. NIST 800-53 R5
  8. NIST CSF 2.0
  9. Organization for Economic Co-operation and Development (OECD) Privacy Principles
  10. US Federal - Data Privacy Framework (DPF)
  11. US Federal - Fair Information Practice Principles (FIPPs)
  12. US Federal - HIPAA Administrative Simplification 2013
  13. US State - Alaska Personal Information Protection Act (PIPA)
  14. US State - California Consumer Privacy Act (CCPA) January 2026 (amended California Privacy Rights Act (CPRA))
  15. US State - Colorado Privacy Act
  16. US State - Illinois Biometric Information Privacy Act (BIPA)
  17. US State - Illinois Identity Protection Act (IPA)
  18. US State - Illinois Personal Information Protection Act (PIPA)
  19. US State - Nevada Privacy Law (SB220)
  20. US State - Oregon Consumer Privacy Act (SB 619)
  21. US State - Tennessee Information Protection Act
  22. US State - Texas BC521
  23. US State - Virginia Consumer Data Protection Act (CDPA) 2025
  24. US State - Vermont Act 171 of 2018
  25. EMEA - European Union General Data Protection Regulation (EU GDPR)
  26. EMEA - Saudi Arabia Personal Data Protection Law (PDPL)
  27. APAC - Australia Privacy Act
  28. APAC - Australian Privacy Principles
  29. APAC - India DPDPA 2023
  30. APAC - New Zealand Privacy Act of 2020
  31. Americas - Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

We took these frameworks and looked for similarities and also for gaps. If you download the SCF Data Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle we include in our document. This will be a great tool for organizations that may have to address multiple requirements, since it brings a common language to simplify things.
 
The eighty-six (86) principles of the SCF Data Privacy Management Principles are organized into eleven (11) domains:

  1. Privacy by Design
  2. Data Subject Participation
  3. Limited Collection & Use
  4. Transparency
  5. Data Lifecycle Management
  6. Data Subject Rights
  7. Security by Design
  8. Incident Response
  9. Risk Management
  10. Third-Party Management
  11. Business Environment