
Optimizing Privacy Management through Data Governance – Part V: Measuring Success

Data governance-enabled privacy metrics for better privacy management

Organizations need privacy metrics to monitor progress against their objectives and demonstrate the rigor of their privacy management to external auditors. Effective metrics help privacy leaders identify opportunities for improvement and potentially reduce fines in the case of a breach.

This blog, the fifth in a series on optimizing privacy management through data governance, explains the importance of privacy performance metrics and suggests standard metrics to track your organization's success. The International Association of Privacy Professionals' (IAPP) 2020 Privacy Report indicated that roughly half of the companies surveyed were using metrics focused on four key areas.

  • Impact assessments

  • Incident response

  • Request processing

  • Training and awareness

Privacy compliance reporting requires metrics related to privacy breaches; however, these do not measure privacy program health. To monitor the health and impact of your program, we recommend five valuable metrics shown in Figure 1.

Figure 1: Privacy program metrics

Data governance programs can facilitate the cross-functional relationships required to support the architecture, metadata, quality controls, and stewardship aspects of privacy reporting.

Privacy Management Program Metrics

Training and awareness. This metric gives privacy managers an indication of training exposure and the level of privacy awareness. The EU's GDPR emphasizes the relationship between training, awareness, and privacy protection. Employees who are better informed are more adept at recognizing and reporting possible privacy breaches. It is not enough to provide one-time training; companies need an ongoing training program to ensure awareness.

Compliance monitoring. Companies use policies to enforce behavior, but a policy needs to be audited for compliance to be truly effective. The policy might as well not exist if we do not validate that it achieves the desired results. This metric provides visibility into the level of follow-through on policy audits to measure compliance. The frequency of these audits should be defined in the policy and incorporated into the metric.

Privacy by design. Privacy regulations demand that organizations integrate privacy requirements and controls into the solution design process. At a minimum, there should be a consultation with a privacy professional to confirm there is no need for a more in-depth risk assessment. This metric intends to provide privacy leaders with an indication of how well the privacy team has integrated with the solution design efforts.

Request processing. Privacy regulations empower data subjects with the right to request information and actions from the companies that have collected data about them. Laws include details on the types of requests a data subject may make and the timelines within which a company must comply. This metric gives privacy leaders visibility into possible bottlenecks in the request management process, so they can adjust the process or resourcing to meet expectations.

Incident response. This metric indicates the level of exposure due to a failure to meet the expected breach reporting and response requirements. Privacy regulations define breach reporting requirements for organizations that collect personal data. A breach does not have to be an attack from an external source; it could be an accidental leak of personal information by an employee or volunteer. Organizations need to define procedures to manage the different types of breaches along with the expected timelines.
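As an added worked example (not part of the original post, and not code from TrustArc or the author), the following Python computes the request-processing and incident-response metrics described above over a handful of constructed records: on-time completion rate, overdue open requests grouped by workflow stage (the bottleneck view), and breach notifications measured against a reporting window. The 30-day request deadline and 72-hour reporting window are configurable parameters chosen here as assumptions, and the record layouts, stage names and sample dates are invented.

```python
"""Added example: privacy program metrics over constructed records.
The deadlines below are assumptions, not values taken from any regulation text."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SubjectRequest:
    request_id: str
    received: datetime
    completed: Optional[datetime]  # None while the request is still open
    stage: str                     # workflow stage the request is (or ended) in


@dataclass
class Incident:
    incident_id: str
    discovered: datetime
    reported: Optional[datetime]   # None until the notification has been sent


def request_metrics(requests, as_of, deadline):
    """Request-processing metric: completion timeliness plus open-request bottlenecks."""
    completed = [r for r in requests if r.completed is not None]
    open_reqs = [r for r in requests if r.completed is None]
    on_time = sum(1 for r in completed if r.completed - r.received <= deadline)
    overdue_open = [r for r in open_reqs if as_of - r.received > deadline]
    return {
        "total": len(requests),
        "completed": len(completed),
        "completed_on_time": on_time,
        "completed_late": len(completed) - on_time,
        "open": len(open_reqs),
        "open_overdue": len(overdue_open),
        "on_time_rate": on_time / len(completed) if completed else None,
        # Where open requests are piling up tells you which stage to resource.
        "open_by_stage": dict(Counter(r.stage for r in open_reqs)),
    }


def incident_metrics(incidents, as_of, window):
    """Incident-response metric: exposure from notifications outside the reporting window."""
    reported = [i for i in incidents if i.reported is not None]
    unreported = [i for i in incidents if i.reported is None]
    within = sum(1 for i in reported if i.reported - i.discovered <= window)
    overdue = sum(1 for i in unreported if as_of - i.discovered > window)
    return {
        "total": len(incidents),
        "reported_within_window": within,
        "reported_late": len(reported) - within,
        "unreported_overdue": overdue,
        "unreported_within_window": len(unreported) - overdue,
    }


# Constructed sample data and assumed parameters (not from the original post).
AS_OF = datetime(2024, 3, 31, 12, 0)
REQUEST_DEADLINE = timedelta(days=30)   # assumption
BREACH_WINDOW = timedelta(hours=72)     # assumption

SAMPLE_REQUESTS = [
    SubjectRequest("R-1", datetime(2024, 2, 1), datetime(2024, 2, 20), "closed"),
    SubjectRequest("R-2", datetime(2024, 2, 5), datetime(2024, 3, 15), "closed"),
    SubjectRequest("R-3", datetime(2024, 3, 10), None, "identity verification"),
    SubjectRequest("R-4", datetime(2024, 2, 20), None, "data retrieval"),
    SubjectRequest("R-5", datetime(2024, 2, 25), None, "data retrieval"),
]

SAMPLE_INCIDENTS = [
    Incident("I-1", datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 10)),
    Incident("I-2", datetime(2024, 3, 5, 8), datetime(2024, 3, 9, 8)),
    Incident("I-3", datetime(2024, 3, 30, 12), None),
    Incident("I-4", datetime(2024, 3, 20, 0), None),
]

if __name__ == "__main__":
    print(request_metrics(SAMPLE_REQUESTS, AS_OF, REQUEST_DEADLINE))
    print(incident_metrics(SAMPLE_INCIDENTS, AS_OF, BREACH_WINDOW))
```

In practice the records would be pulled from the request-tracking and incident-management systems the data governance program has inventoried; the point of the functions is that the metric definitions (what counts as on time, what counts as overdue) live in one place and the deadline is an explicit input that the policy owner sets.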

It is critical that privacy leaders have easy access to these metrics and that the information is accurate. This information can be invaluable in demonstrating that your organization has taken appropriate steps to build privacy management capabilities and protect personal data.


Sean Hewitt

A proven leader in Data Governance, Privacy, and Analytics with a solid track record of managing teams, defining needs and delivering solutions. Over 20 years of experience working in a...