Measuring Privacy Programs
The risks of falling short on privacy compliance are greater than they have ever been. New laws are going into effect around the world and in the states, enforcement agencies are exercising their authority, and media organizations have teams devoted to identifying data protection failures. Legal judgments can run into the billions. And most important, consumers are increasingly empowered and active in responding when they believe their rights are trampled. Companies are hiring compliance staff, investing in privacy management tools, and trying to become more sophisticated about measuring performance.
Businesses are increasingly monitoring quantitative and qualitative metrics to track, measure, and improve existing privacy programs. According to a Privacy Benchmark Study by Cisco, 93% of organizations currently track and provide analysis on at least one privacy metric, and 14% use five or more. These privacy metrics provide businesses and other organizations with key information that allows them to enhance trust and relationships with customers, ensure that personal data remains safe in data transfers, and confirm legal and regulatory privacy compliance.
FPF recently convened policy, academic, and industry privacy experts to discuss privacy metrics and their benefits, and published a report based on their discussions. Through these discussions, we learned that beyond demonstrating compliance, privacy metrics have emerged as a key measure to improve privacy program performance and maturity in terms of customer trust, risk mitigation, and business enablement. Privacy leaders can use these metrics to benchmark the maturity of their organization’s privacy program against its strategy and goals and demonstrate how privacy contributes to its strategy and bottom line.
Privacy metrics can be used to measure a variety of data points. Simple operational and compliance metrics measure activities like the number of data subject requests, which lets privacy executives track and improve the efficiency of existing organizational processes. More advanced metrics, focused on customer and business enablement, measure things like the amount of time needed to respond to requests.
Privacy metrics can be grouped into six categories:
- Individual rights: Individual rights metrics measure the rate of consent for data sharing and email marketing, data subject requests, customer satisfaction rates, and more. This information is useful in determining the trust customers have in the privacy program and how well the program protects customer data.
- Training & awareness: Training & awareness metrics compile the number of privacy trainings offered to staff as well as the number of staff trained and their engagement with the privacy program. With staff engaged in privacy-related issues, businesses and organizations can better ensure legal compliance. This information can show gaps in organizational privacy knowledge, improve an organization’s public image, and create operational excellence in privacy.
- Commercial: Commercial metrics measure how many customers have signed data processing agreements, external vendor reviews of an organization’s privacy program, and how many privacy attestations have been completed. This information focuses on customer and business engagement, tracking a privacy program’s ability to support an organization as new technology is adopted. These metrics can drive additional investments from stakeholders, increasing the value of an organization.
- Accountability: Accountability metrics draw on privacy, data protection, and transfer impact assessments to track projects that have received privacy advice and to ensure that privacy policies and procedures are current. This allows organizations to demonstrate their ability to comply with relevant laws while keeping their organization competitive and reputable.
- Privacy stewards: Privacy stewards are responsible for turning data policies into common organizational practices. These metrics measure the scope of an organization’s privacy products, including the number of personal information management systems, data privacy impact assessments, and any data FAQs that are created.
- Policy: Policy metrics measure an organization’s compliance with potential privacy legislation, working to improve the organization’s environmental, social, and governance ratings. This allows organizations to increase public trust, since the public knows the organization will use and handle their data ethically.
Evaluating the effectiveness and value of privacy initiatives has become a core aspect of many organizations’ strategies. Ignoring privacy issues can create unnecessary risks. Using privacy metrics can help organizations accomplish many objectives, including benchmarking against industry standards, ensuring compliance with privacy laws and regulations, increasing customer trust, and asserting the value of existing privacy programs.