Since the release of our first annual governance survey and report, we have received an overwhelming amount of feedback from our membership that has a common theme: the 2024 IAPP Privacy Governance Report is a critical tool for benchmarking practices and approaches. Benchmarking is a process that allows an organization to measure itself against similarly situated businesses in the same marketplace. This exercise can provide organizations with a better understanding of how other similarly situated organizations are approaching privacy compliance and structuring their privacy programs. Every year, the IAPP governance report publishes metrics on privacy program operations around the world, allowing privacy professionals to judge their governance practices against organizations of varying sizes, industries and revenues.
Why is benchmarking important?
Benchmarking is an instrumental tool for organizations to meet compliance requirements effectively and efficiently while retaining a competitive advantage over their peers. All organizations have limited resources, time and budgets, yet the number of privacy compliance obligations they must meet is growing. As a result, it is important for organizations to prioritize resources strategically. However, organizations are often left speculating whether they are focusing on the right priorities in order to meet compliance demands.
One way to address this issue is by benchmarking against peers. By comparing key metrics, organizations can gauge where their privacy compliance practices stand compared to others in the same field. For instance, an organization might discover it is ahead of the pack in terms of meeting compliance obligations. If this is in line with its strategic priorities and it consciously strives for good compliance to be a differentiator amongst peer organizations, then such metrics will confirm it is on the right track.
However, if this is not intended, an organization might realize it overspent or prioritized incorrectly. Conversely, metrics might show an organization it is worse off than its peers, unable to respond effectively to the threat landscape facing all organizations within its peer group. This could leave an organization open to regulatory action. In each case, benchmarking provides organizations the critical opportunity to compare themselves against peers and adjust their privacy compliance programs accordingly, improving resource prioritization and best practices in general.
How to use reports for benchmarking purposes
The annual IAPP governance report provides privacy professionals with key metrics that enable them to benchmark against their peers. For example, last year's report noted the change in responding organizations' top five strategic priorities from 2022 to 2023 by continent. Data showed that international transfers dropped in priority from first in 2022 to fourth in 2023, while AI governance shot up in priority from ninth in 2022 to second in 2023. EU organizations prioritized data deletion for the second year running.
Privacy impact assessments and privacy by design were in the top five priorities across eight sectors and sixth in the other two sectors, highlighting the relative strategic importance of this topic. Digesting this data, an organization might consider whether it is prioritizing the right activities. For instance, in light of the 2020 "Schrems II" decision, many European and U.S. organizations will have prioritized international transfers, potentially deprioritizing or even leaving other important compliance activities unaddressed. The metrics show that organizations pivoted from focusing on international transfers to other activities in 2023, helped no doubt by the EU-U.S. Data Privacy Framework. The list gives organizations a good opportunity to see where others are prioritizing their efforts, and how. Additionally, metrics suggesting AI is being prioritized might show that organizations are not waiting around for formal regulation and are taking steps ahead of the EU AI Act and other laws coming into force. And finally, a concerted focus on PIAs and PbD potentially shows that organizations are trying to embed privacy within their governance programs in sustainable ways, moving from reactive to proactive privacy compliance.
Another metric produced in the 2023 report considered the extent to which organizations appoint various privacy roles, graphing internal privacy team size by number of employees and by annual revenue. The data showed that the larger an organization, the more resources it assigns to privacy champions, privacy managers and privacy analysts. For organizations viewing these metrics, the picture of how many resources organizations of different sizes assign to different roles gives them a chance to see whether their own privacy teams are the right size. It can also help them build business cases for more resources, using these statistics to show their boards that peer organizations have larger privacy teams, or roles that theirs lacks.
Additionally, given that 2023 was a year where recruitment hit a relative pause for many, it also gave organizations the chance to see how their peers restructured governance in the face of this. A focus on privacy analysts potentially shows the long-term approach of some organizations to invest in junior talent.
A third metric worth highlighting as an example of how organizations can use our annual reports for benchmarking is that mean budget was down in 2023 compared to 2022, reflecting broader economic challenges. This data offers organizations the chance to benchmark their own budgets, which in turn is useful for building business cases to present to senior leadership. Additionally, our reports allow organizations to compare their own spending allocation with that reported by others. Because the reported allocation has stayed fairly consistent over the years, the ratios may be good examples for organizations to follow or test against.
These are merely a few examples of the many key metrics produced by the IAPP annual governance report that can be used to make actual changes within an organization's compliance program.
How to apply a statistic within an organization
The benefits of statistical measuring do not stop at seeing and understanding what peers' privacy programs are doing. Organizations can use data produced in our reports to adjust and strengthen their own programs. Using the metrics highlighted above, a chief privacy officer who discovers their organization is not prioritizing the privacy compliance activities that the majority of its competitors and peers are might, for example, spend fewer resources on international transfers and focus more on AI governance. They can take from the list of the most commonly practiced compliance activities and implement them directly into their privacy program.
Also, a company realizing that other organizations of similar size and revenue have much larger privacy teams, with individuals covering distinct functions, might decide to expand its team by hiring for new privacy roles. Lastly, a privacy team comparing its budget to that of a similarly sized company might decide to reallocate resources to different functions, spending less on areas that its competitors have budgeted away from. The IAPP governance report allows privacy professionals to take our metrics and implement real changes to their privacy programs.
Why your contribution to this year's survey will further help with benchmarking
In order for our annual governance reports to be critical tools for benchmarking in the privacy community, we need to build metrics from your responses to our survey. The survey responses we receive allow us to compile data, analyze it, build graphs and produce a clear and comprehensive report to be used by privacy professionals. Help us help the privacy community benchmark against their peers and build better privacy compliance programs by completing our annual governance survey.