This is a series of four articles examining how to assess a program’s value, take inventory of what matters, use program metrics to show effectiveness and develop a strong communication plan. The first installment looked at understanding the privacy compliance program’s value. The second looked at how to create a regulatory and control inventory. Find them here at the IAPP Resource Center.
The past two articles have focused on the need to assess and improve a privacy compliance program’s value. That value, however, is most effectively demonstrated through a comprehensive set of performance metrics. Deciding which metrics to measure, and how to present them, is the greatest challenge for most organizations.
While every company has its own preference for how metrics are socialized, it is important that privacy program metrics be well defined and objective. Where appropriate, these metrics should be displayed graphically, on no more than two pages (preferably one).
Metrics to consider are:
- Number of privacy incidents: reported, substantiated, and closed with a trend analysis. For example, if 10 privacy incidents were reported, determine how many were attributed to human error or system coding.
- Document and trend customer complaints: Key indicators, such as customer feedback, can be a precursor to a larger issue. Trending the number and type of customer complaints is important. Where appropriate, cycle time to resolution may also be worth tracking.
- Program maturity: Measuring your company’s compliance program maturity against an internal or international standard provides an impartial comparison with similar internal and industry programs. Be sure to justify the areas of strength and the areas of opportunity.
- Document the number of regulations and controls: One of the keys to building a comprehensive privacy program is to know what regulations must be followed and who is accountable for them. Identify the number of new/changed regulations, controls under development, and cycle times.
- List regulatory or internal audits: Management wants to know how many assessments or audits are being performed, their key findings, and how gaps are being mitigated. These metrics can often be shown as percentages, using a stop-light (red/amber/green) schema to show whether implementation plans are on target.
- Emerging risks: A short narrative regarding emerging risks may also be helpful, but keep in mind that these risk statements must be brief and action-oriented.
There are many other metrics that could be documented, but draft metrics must be socialized with key stakeholders, and the metrics chosen must reflect the emerging risks in the organization. In some organizations, the number of opt-out requests received after privacy notices are sent may be valuable, while others may focus on the completion of Privacy Impact Assessments.
Once metrics have been operationalized, it is important to identify when they are no longer useful, whether because the privacy program has matured or because new risks must be tracked. Of course, do not forget to go through the socialization process with key stakeholders before changes are implemented.