It doesn't much matter what it is you decide to track, but pick something, and then follow it. It's more about being able to show change than it is about the number value itself. That was the advice Jennifer Garone, CIPP/US, CIPT, FIP, gave attendees in an active learning session today on Measuring and (Proving!) Privacy's Business Value.
Part of the problem in demonstrating the value of privacy to the business is finding the right metric to use to prove the program's efficacy, Garone said: "It's not easy to do."
In trying to figure out what to measure, Garone suggested looking at what the regulator in your specific jurisdiction is most active on. If it is focused on data breaches, for example, measure breaches and incidents. Stakeholders and leaders will take an interest in risk management, and especially so if you can draw a fairly direct dotted line to the cop on the beat.
One metric a privacy practitioner might choose is how many data subject access requests the company has received in a year. Gathering that data often reveals that there were far more requests than anyone assumed before anyone counted.
That might lead to a talk with leadership that sounds something like, "Operational metrics prove we have more than we think we have, therefore we need to have a better program, support and structure so we can do this," she said, adding, "Hell hath no fury like a data subject who's requested their data and doesn't get it on time. That's a quick path to a regulator."
Of course, the metrics a privacy professional needs or wants to gather will differ depending on stakeholders' needs. But whatever the metric, it should be relevant: it should inform management of the risk associated with the program and provide an overall view.
The goal should be to automate and strip manual work out of generating metrics. The results of a good metrics program should also be repeatable. If it's done correctly, "two people reviewing the same data would get the same result without a lot of work."
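As an added illustration of the repeatable, automated DSAR metric described above (this is example code written for this page, not anything presented in the session), the script below parses a constructed request log and derives the counts a practitioner would put in front of leadership: total requests per month, how many were closed on time, how many were late, and how many open requests have already blown past the deadline. The 30-day window is an assumed placeholder, not a statement of any jurisdiction's statutory deadline; the column names and request IDs are likewise constructed.

```python
import csv
import io
from collections import Counter
from datetime import date
from typing import Dict, List, Optional

# Assumed response window in days. Real deadlines vary by jurisdiction
# (and some allow extensions), so treat this as a configuration value.
DEADLINE_DAYS = 30

# Constructed sample log, not real data. An empty "fulfilled" field means
# the request is still open.
SAMPLE_LOG = """\
request_id,received,fulfilled
DSAR-001,2023-01-10,2023-02-05
DSAR-002,2023-02-14,2023-03-20
DSAR-003,2023-03-03,2023-03-28
DSAR-004,2023-05-20,
DSAR-005,2023-06-15,
"""


def parse_dsar_log(text: str) -> List[dict]:
    """Parse a CSV export into records with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "request_id": row["request_id"],
            "received": date.fromisoformat(row["received"]),
            "fulfilled": date.fromisoformat(row["fulfilled"]) if row["fulfilled"] else None,
        })
    return rows


def dsar_metrics(requests: List[dict], as_of, deadline_days: int = DEADLINE_DAYS) -> Dict:
    """Compute deterministic DSAR metrics as of a given reporting date.

    Every number is derived from the log itself, so two people running this
    over the same export get the same figures, which is the point of
    automating the metric rather than hand-counting it.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)

    by_month: Counter = Counter()
    on_time = late = overdue_open = open_count = 0

    for r in requests:
        by_month[r["received"].strftime("%Y-%m")] += 1
        if r["fulfilled"] is None:
            open_count += 1
            # Still open and already past the window: the "quick path to a
            # regulator" case worth flagging separately from merely late closures.
            if (as_of - r["received"]).days > deadline_days:
                overdue_open += 1
        elif (r["fulfilled"] - r["received"]).days <= deadline_days:
            on_time += 1
        else:
            late += 1

    closed = on_time + late
    return {
        "as_of": as_of.isoformat(),
        "total": len(requests),
        "closed": closed,
        "open": open_count,
        "on_time": on_time,
        "late": late,
        "overdue_open": overdue_open,
        # Rate is over closed requests only; open ones have no outcome yet.
        "on_time_rate": (on_time / closed) if closed else None,
        "by_month": dict(sorted(by_month.items())),
    }


if __name__ == "__main__":
    metrics = dsar_metrics(parse_dsar_log(SAMPLE_LOG), as_of="2023-07-01")
    for key, value in metrics.items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; the month-by-month counter is the trend line that shows change over time, which matters more to leadership than any single total.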
Finally, it's important to consider to whom you're presenting metrics and adjust accordingly. Think, "What is the way my organization likes to see information like that? Be prepared for who you're presenting to, be prepared to get down to the level of detail they're looking for."
In the end, "The number isn't so important," she said. "It's about showing change. It's about storytelling."