ISACA Journal
Volume 4, 2,015 


Data Protection Act and GAPP Alignment 

Mohammed J. Khan, CISA, CRISC, CIPM 

With the advent of increasing privacy laws and regulations, global data privacy risk has become one of the major drivers of spotlighting the role of IT auditors and how this role can help drive, through technological means, the protection of sensitive data. For private and public enterprises alike, their data are like gold. Key channel data can be generated—particularly in the pharmaceutical industry—through clinical trials, sales and marketing, information technology, human resources (HR), procurement, regulatory affairs, physical security and surveillance, and clinical service centers. Properly managing the compliance aspects of these data, once in the hands of the data controller, is essential for keeping the company in compliance with data authorities throughout the world.

This article will align the UK Data Protection Act of 1998 (DPA) and the American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles (GAPP)1 in order to help global companies with a presence in both the US and the UK. The AICPA GAPP is aligned with the European Union (EU) Data Protection Directive (DPD) of 1995,2 which requires member states to protect people’s fundamental rights of freedoms. The DPA3 is derived from the EU Directive and, thus, by default, is a widely accepted framework that is applied specifically to companies operating in the UK.

EU and UK Data Protection Act

Companies that operate in the EU are required to follow basic principles that are set forth by the EU’s data protection commissioner. The data protection commissioner is responsible for upholding the rights of individuals as set out in the DPD and enforcing the obligations upon data controllers. The commissioner is appointed by the government and is independent in the exercise of his/her functions. Individuals who feel their rights are being infringed can complain to the commissioner, who will investigate the matter and take whatever steps may be necessary to resolve it.4 The DPD which defines personal data as information relating to an identified or identifiable natural person (Article 2(a) DPD).5

Similarly, the Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. The ICO mandates the DPA, which is based around eight principles of information handling best practices (figure 1) that are considered in good order by the Information Commissioner’s Office.

To establish a comprehensive privacy program, the company in question has to adapt to internationally accepted principles of fair information practice as the basis for this policy. These principles are to be further aligned with concepts and requirements from the DPD and the US Department of Commerce’s Safe Harbor Privacy Principles. They also are recommended to follow the framework of the GAPP, which can be used as an operational framework to help multinational entities address privacy matters that takes into consideration local, national or international requirements.

A Framework for Assessment: DPA and GAPP

One of the mechanisms that can be utilized to satisfactorily map out the DPA principles to the enterprise’s adapted privacy principles is to align the DPA with the AICPA GAPP. This is a foundational step to further the capability maturity model (CMM) of an enterprise from a data privacy compliance perspective. By going through the process of mapping out the DPA principles with the GAPP, the entity goes through the exercise of understanding which principles are pertinent, thus establishing current state versus future state. There are eight DPA principles that should be addressed in order to fulfill the ICO guidelines for managing personal data. Figure 2 offers an example of the DPA principles that were mapped to the GAPP. This is a starting point for one to begin to establish compliance with the DPA and the validation check of alignment with the GAPP.

The AICPA performed its own mapping of privacy concepts set out in domestic and international privacy regulations, laws and guidelines in relationship to the GAPP. Figure 3 lists the 10 Generally Accepted Privacy Principles.6

All of these principles can then be mapped to the EU Directive seamlessly, which ensures buy-in of the GAPP among privacy professionals in Europe.7


Multinational companies that operate in the EU, and specifically in the UK, need to abide by an increasingly complex and regulated privacy landscape. The establishment of a proper framework is essential to assess the maturity level of the enterprise’s compliance as it pertains to protecting personal data of its customers, employees and partners. One of the best ways to conduct this is to establish the framework of the GAPP and tie it to the DPA. This will provide the enterprise with a sure way of mapping the frameworks and, more important, the transparency required to identify gaps, if any, that can be mitigated or addressed fully to comply with the privacy laws of the UK.


1 American Institute of Certified Public Accountants (AICPA), Generally Accepted Privacy Principles (GAPP)

2 European Union (EU), Directive 95/46/EC, 1995,
3 UK Data Protection Act, UK, 1998,
4 Office of the Data Protection Commissioner, About Us,
5 Office of the Data Protection Commissioner, EU Directive 95/46/EC, The Data Protection Directive,
6 American Institute of Certified Public Accountants (AICPA), Generally Accepted Privacy Principles (GAPP), p. 14
7 American Institute of Certified Public Accountants (AICPA), “Comparison of International Privacy Concepts”

Mohammed J. Khan, CISA, CRISC, CIPM, is a global audit, security and privacy professional serving the teams of the chief information security officer (CISO), chief privacy officer (CPO) and chief audit executive (CAE) at Baxter International. He has spearheaded multinational global audits in several areas over the past five years. Khan has worked previously as a senior assurance and advisory consultant for Ernst & Young and as a business systems analyst for Motorola.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.