Business leaders have traditionally advocated for management by measurement. Edwards Deming wrote, “What gets measured gets done.” Dr. H. James Harrington once said, “If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it.” Effective measurement helps managers improve efficiency, streamline processes, prioritize efforts, and manage risk. Indeed, some say that measurement is management.
The best privacy leaders collect data and use metrics to measure, assess, and improve the performance of their privacy programs. When we gathered a group of Future of Privacy Forum CPOs to discuss some of the key issues, we learned that beyond demonstrating compliance, privacy metrics have emerged as key to measuring and improving privacy program performance and maturity in terms of customer trust, risk mitigation, and business enablement. Privacy leaders use metrics to benchmark the maturity of their organization’s privacy program against its strategy and goals and demonstrate how privacy contributes to its strategy and bottom line. They use metrics internally to secure budgets and staffing, to measure performance, and to diagnose program status and needs, as well as externally to demonstrate accountability and enhance trust.
According to a Cisco study, 93% of organizations now track and provide analysis on at least one privacy metric and 14% utilize five or more. These metrics can provide CPOs and other C-Suite executives with pertinent information to cultivate customer trust, enable secure data transfers to ensure personal data remains safe, and confirm compliance with privacy laws and regulations.
While there are some metrics that almost all organizations track to a certain extent, there are many more that many CPOs can utilize to concretely measure the success of their policies and identify areas that can be improved to further their data privacy practices.
Privacy metrics can be used to measure a wide variety of data points. Basic compliance and operational metrics measure activities carried out by an organization like the number of data subject requests and data protection impact assessments, allowing CPOs to track and improve the efficiency of organizational processes. More advanced customer- and business enablement-focused metrics display trends in the data like the amount of time needed to respond to requests. These metrics can typically be grouped into six categories, based on the types of data they measure:
- Individual rights: These metrics measure consent rates for data sharing and email marketing, data subject requests and how many customers are satisfied with the result, and the number of privacy breaches and customers impacted by them. This data is useful in measuring how well the privacy program protects customers’ personal data and how much trust they have in the program.
- Training & awareness: This set of metrics compiles the number of privacy trainings offered to staff and the number of staff trained, as well as the engagement of staff with the privacy program. By having a staff that is more engaged with privacy issues, businesses can better ensure compliance with laws while improving their public image and creating privacy operational excellence. These metrics can also show gaps in organizational privacy knowledge that can be filled by future trainings.
- Commercial: Commercial metrics measure the number of signed Data Processing Agreements with customers, external vendor reviews of the organization’s privacy program, and the number of privacy compliance attestations completed. These metrics focus on customer and business engagement and track the ability of a privacy program to support business priorities while adopting new technologies. These metrics can spur further investments from stakeholders, increasing the business’ value.
- Accountability: By conducting privacy, data protection, and transfer impact assessments, tracking the number of projects that have received privacy advice, and keeping privacy policies and procedures current, organizations can demonstrate their ability to comply with relevant laws while enhancing the competitive and reputational advantage of the organization.
- Privacy stewards: These metrics measure the extent of an organization’s privacy products. These include the number of Personal Information Management Systems, Data Privacy Impact Assessments, and data privacy FAQs created. Privacy stewardship is responsible for turning data policies into a common practice within an organization.
- Policy: An organization can closely monitor its compliance with potential privacy legislation while working to improve its Environmental, Social, and Governance rating. This enhances trust from the public that the organization will handle data ethically while increasing awareness of any potential policy changes.
Evaluating the effectiveness and strategic value of privacy initiatives is becoming a core aspect of many organizations’ strategies, as ignoring privacy issues can create unnecessary risks. The utilization of privacy metrics can help organizations accomplish many objectives, including benchmarking against industry standards, ensuring compliance with privacy laws and regulations, increasing customer trust, and asserting the value of existing privacy programs.
Editor's note: The FPF has released a "Privacy Metrics Report" that provides additional information.
Photo by Rob McGlade on Unsplash
