Hello and welcome to this session, in which we will discuss the Generally Accepted Privacy Principles, GAPP. It's GAPP, not GAAP, the generally accepted accounting principles; they're pronounced the same, but they are different. GAPP deals with privacy. It's basically a framework developed by the AICPA, the American Institute of Certified Public Accountants, that provides guidance to businesses and organizations on best practices for managing and protecting personal information. Simply put, the concept of privacy is very important in today's business and extremely important on the CPA exam, especially in 2024. GAPP is built on 10 subtopics: management, notice, choice and consent, collection, use, retention and disposal, access, disclosure to third parties, security for privacy, quality, and monitoring and enforcement. And if you know anything about FARHAT, anytime I have a list, I go over each component of the list, provide additional explanation and an example to help you understand the concept.

Before we proceed any further, I have a public announcement about my company. Farhat Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple choice questions, true/false questions, as well as exercises. Go ahead, start your free trial today; no obligation, no credit card required.

Starting with the concept of management in terms of privacy. Management focuses on the organization's overall approach to privacy. Basically, this is the big umbrella that includes the establishment of policies and procedures, assigning responsibilities for privacy management, and monitoring compliance.
Practically, the organization should develop what's called a comprehensive privacy management program. This is the overall picture, and it includes the following elements. The first element we need to include in management is risk assessment. We should conduct a risk assessment. What for? To identify potential risks. The first thing you want to be aware of is: what are my potential risks and vulnerabilities associated with collecting, using and disclosing personal information? Tell me, what are the risks? Once I know the risks, I'm going to design policies and procedures that outline how I am going to manage and protect the personal information. So first I identify the issues, then I set policies and procedures. Then I train my employees. The organization should provide training to employees, and it should provide training to contractors and other third parties, because those contractors and third parties could have access to your information. In other words, they are exposing the privacy of your customers. Therefore, you have to train them on how to handle it; they need to be aware of your privacy policies and procedures. And make sure you monitor this process. The organization should implement a monitoring and oversight program. You don't just have a program and then forget about it. You have to monitor to make sure it's being followed and everyone is aware of any new policies and procedures, and if any violation is detected, it needs to be addressed. Also, you have to have a response plan in case a data breach or other privacy incident occurs. The plan should include steps to contain the breach, notify the affected parties, which are the individuals involved, notify the regulators if that's legally required, and mitigate the harm caused by the breach. What am I going to do to mitigate the harm?
A good example of this would be a health care organization that implements a privacy management program that includes policies and procedures for the secure handling of patient data, training of employees, basically doing everything here, proper handling and regular monitoring of the organization. So this is management, which is one of 10.

Two of 10 is notice. Notice deals with what? With the organization's responsibility to inform individuals about its privacy practices. So when they collect your information, they need to tell you why they are collecting your information. This includes what information is collected, how it's used and with whom it's shared. How? Let's go through specific steps. The first step is they have to identify themselves: the organization, this is us. The notice should identify the organization that's collecting the information. Two, why am I collecting this information? You should describe the purpose for which the personal information is being collected. Three, what type of personal information am I collecting? You should describe the types of personal information you are collecting. Four, what am I going to use this information for? This should all be in the notice: describe how the personal information will be used. Also, the notice should describe with whom the personal information will be shared, including third parties. Am I keeping this, or am I sharing it with third parties? We're going to talk about third parties later. Also, we should have what's called choice and consent. The notice should provide individuals with the opportunity to opt out if they don't want certain personal information collected. And you should have contact information: provide contact information for the organization that can be used to obtain additional information about the organization's privacy practices. So if the individual wants to learn more, you give them maybe an email or a phone number to contact for more.
For example, an online retailer that collects personal information from customers should provide a clear and concise notice about its privacy practices on its website, and usually it contains those seven elements above.

Choice and consent now deals with individuals' rights. Remember, with notice the company is giving you notice of why they are collecting this information. Now, what is your choice and consent as a customer, as the person providing their personal information? It deals with the individual's right to control the collection, use and disclosure of their personal information. How? Well, I need to know first what's the purpose of the collection. The organization should clearly explain to you in the notice what's going on. What type of information are you giving me? Again, you have to give me this in the notice. How are you going to be using this information? Disclosure of personal information: clearly identify with whom you're going to be sharing it, if anyone. And do I have the option to opt out? The organization should obtain unambiguous consent from the individual for the collection, use and disclosure. Revocation of consent: the organization should provide the individual with the option to revoke consent, which is basically to opt out. I changed my mind, so I opt out. It should provide the option to opt out of certain uses of their personal information. For example, a financial services company may obtain consent from customers before collecting their personal information, giving them all these choices.

Collection focuses on the methods used to collect personal information, including the type of information collected, how it's collected, and how it's stored as well as part of collection. So practically, an organization should ensure that personal information is collected in a lawful and fair manner. In other words, it's lawful: you should ensure that the collection is in compliance with applicable laws and regulations.
You're not violating any rules and regulations. You are collecting this in a fair manner: you are not tricking or taking advantage of the users, and you do not cause them any unnecessary harm. Transparent: you should have a transparent policy, including the purpose for which the information is being collected. Also minimization: only collect the information that's necessary for the business use for which you are collecting the information. And accuracy: the organization should take steps to ensure the accuracy of the personal information it collects. For example, a retail store that collects personal information from customers may collect only the information that's necessary to fill the customer's order, such as name, address and payment, and do so in a lawful, fair and transparent manner.

Use, retention and disposal. Now you have the information: how to use it, how long to keep it, and when to dispose of it. This deals with how personal information is used, how long it's kept, and how it's disposed of when it's no longer needed. So practically, the organization should ensure that the information is used, retained, and disposed of consistent with the purpose for which it was collected. And this includes purpose limitation. Every time you collect information there's a purpose for that; it should only use personal information for the purpose for which it was collected. Retention limitation: don't keep it once its purpose has been fulfilled. So there's a retention limitation; just get rid of it. Disposal: the organization should dispose of it in a secure manner where no one can retrieve it, using an appropriate method to ensure that the information is no longer accessible or recoverable. Review: the company should periodically review its retention practices and dispose of personal information that's no longer necessary for the purpose for which it was collected.
For example, a financial services company that collects personal information from customers may use the information only for the purpose for which it was collected, such as processing a loan application, and once it's no longer needed, get rid of it in a secure manner.

Access focuses on the individual's right to access their personal information and request that it be corrected or deleted. You should give them that option: provide individuals the means to access their personal information, usually online. Verification: the organization should verify the identity of the individual making the request, because that's your responsibility. You want to make sure the individual making this request is the individual who owns this information. Response: the organization should respond to access requests in a timely manner. Don't make them wait; usually they should be able to do so online. Correction: make any correction necessary for incomplete or inaccurate personal information. Deletion: well, if the person wants their information to be deleted, they should have the right to do so. And you should have dispute resolution, where you have a process in place for resolving disputes regarding access to personal information. For example, a social media platform that collects personal information from users may provide users with the means to access their personal information and request that it be corrected or deleted. For example, if you have Facebook, you can go in there and change this information if you choose.

Disclosure to third parties deals with how personal information is shared with someone other than the party you gave it to, including the methods used and the safeguards in place to protect this information. First, it has to be done in a lawful manner. So the organization should ensure that any disclosure is in compliance with applicable rules and regulations. Also, that disclosure has to be fair.
The organization should ensure that the disclosure of personal information is conducted in a fair manner that does not cause unnecessary harm or disadvantage to the individual. Also, it has to be transparent: the organization should be transparent about the disclosure of personal information, including the purpose for which the information is being disclosed and the type of information that will be disclosed. Minimization: only disclose the information that is necessary to be disclosed. And make sure you safeguard it: the organization should have appropriate safeguards to protect personal information from unauthorized access, use or disclosure by a third party. And contracts: the organization should have contracts in place with third parties that receive personal information to ensure that they are using the information in a consistent manner. So okay, I have a contract with you, but I want to make sure you are following the terms of the contract. I'm sharing this information, but, for example, you cannot share it with another party. For example, a health care provider that collects personal information from patients may disclose that information to a health insurance provider for the purpose of processing an insurance claim. That makes sense. Now, the health care provider should ensure that the disclosure is lawful and fair and is conducted in a manner that's respectful of patient privacy. You can disclose as long as there's a legitimate purpose to do so.

Security for privacy, that's important. Basically, you have privacy and you want to make sure you secure it. This deals with the measures that the organization should take to protect personal information from unauthorized access. So practically, here the organization will have to protect your information from unauthorized access, use and disclosure through appropriate security measures. What could those security measures be? First, assess the risks and the vulnerabilities. Where can this information be lost?
Have policies and procedures in place to make sure you have the appropriate security measures. Three, have access controls to prevent unauthorized access to personal information: password protection, physical protection, whatever protection is needed. Encryption: you should encrypt personal information so that if it is intercepted during transmission over a public network, no one can read it. And obviously you want to monitor and oversee this process. Why? Because you want to make sure it's working as intended, so you'll be able to detect any violations and address them. And you should also have an incident response plan in place in case of a data breach or other security incident. So what happens if security is breached? Are you ready to deal with it and to mitigate the harm? Say, for example, an online retailer that collects personal information from customers may implement a security program that includes all of those: policies and procedures, access controls, encryption, and monitoring and oversight of the program.

Quality. Quality of the privacy data deals with the accuracy, completeness and relevance of personal information. Well, accuracy means what? The organization should take reasonable steps to ensure that the personal information it's collecting is accurate, complete and up to date. Also, it's relevant: the organization should ensure that the personal information collected is relevant for the purpose for which it was collected. Retention limitation: you should not keep it forever. Keep it for the amount of time needed, then get rid of it. Disposal: it should dispose of the personal information in a secure manner where it's no longer recoverable. Okay, for example, a bank collects personal information and takes reasonable steps to ensure it's accurate, complete and relevant. It has a retention limitation and is ready to dispose of it.
Monitoring and enforcement deals with the mechanisms an organization should put in place to monitor compliance with its privacy policies and procedures. Again, you could have any policy, any procedures; if you don't review and monitor them, they're useless. Okay, monitoring should involve what? Implementing a monitoring program to ensure the privacy policies and procedures are being followed, because you could have anything on paper, but if it's not being followed, what good is it? Audits: the organization should conduct periodic audits to assess the privacy program. How good is it? You could bring in a CPA to audit this policy. Are we following this policy to the teeth, and is it doing what it's supposed to do? Enforcement: do we have procedures in place to enforce the privacy policies and procedures, including disciplinary action for violations? What do we do when someone violates those policies? We also should provide training. Training for what? Training for employees to make them aware of the importance of this information, because we are responsible for protecting personal information. And obviously accountability: we should hold individuals and departments accountable for compliance with privacy policies and procedures. For example, a technology company that collects personal information may implement a monitoring program that includes regular audits and reviews to ensure compliance with privacy policies and procedures.

What should you do now? When I started this session, I said privacy is an important topic on the CPA exam in 2024. It's important now, but it's going to be much, much more important in 2024. Go to Farhat Lectures and work MCQs, multiple choice questions. That's going to help you prepare for these concepts. Most of them make sense, but you want to practice, because a lot of them are very similar.