Privacy Program Metrics: How to Evaluate Your Privacy Program’s Effectiveness

Why Privacy Program Metrics?

Measuring the effectiveness of your privacy program isn’t just a nice thing to do. It’s necessary if you want adequate resources and talent to ensure your program’s success. In some cases, it’s even required. But more importantly, the lack of an effective privacy program can kill business deals with partners, vendors, and suppliers.

Only 14% of organizations in our 2022 Global Privacy Benchmarks Survey said they do not measure the effectiveness of their privacy programs. Among companies ranging from $50 million annual revenue to those over $5 billion, 83% measure privacy. By contrast, only 39% of smaller companies under $50 million in annual revenue measure privacy effectiveness. As a result, Privacy Index scores were much lower for those who didn’t measure.

Beyond record keeping and due diligence, measurement enhances accountability and provides decision makers with information to drive change. Some organizations even view privacy as an essential contributor to innovation and business value.

The Cisco 2023 Data Privacy Benchmark Study found 36% of organizations are getting returns at least twice their spending, with many even realizing returns over three to five times their investments. The study also found the estimated dollar value of a privacy program’s benefits is $2.7 to $3.4 million overall – even up to $4 million for the largest organizations.

Keep in mind support for your privacy program depends on your ability to communicate its business value to executives, board members, and other critical stakeholders. If you’re just starting, use what you have to establish a baseline to strive for and improve from there.

Seven Keys and Five Privacy Program Outcomes that Matter

To measure privacy program effectiveness, reflect on why you established the program. What does the organization hope to accomplish? This was likely already translated into a strategy and goals for the privacy program. Thus, your privacy program metrics should align with the existing goals.

TrustArc annually measures how organizations are approaching and measuring privacy. Our statistical modeling results in 12 items that are key to measuring privacy at all levels within enterprises.

7 Keys to Privacy:

1. Having the Board of Directors regularly review and discuss privacy matters.
2. Pursuing privacy as a core part of business strategy.
3. Making sure privacy permeates daily business decisions with great importance.
4. Embracing privacy practices as a key differentiator.
5. Being mindful of privacy as a business.
6. Ensuring every employee can formally raise a privacy issue with confidence that there will be no reprisal.
7. Sufficiently training employees in privacy matters.

5 Privacy Outcomes that Matter:

1. Confidence your company can keep all employees’ and customers’ relevant data secure and protected.
2. Confidence your customers/clients have in your management of data privacy.
3. Confidence your employees have in your management of data privacy.
4. Confidence your partners/third parties have in your management of data privacy.
5. Confidence the general public has in your management of data privacy.

Examples of outcomes achieved by privacy programs were also mentioned in the Cisco study:

• Meeting corporate and legal policy compliance requirements
• Avoiding fines, penalties, breaches, loss of trust or reputation
• Protecting the brand value, vendor trust, and employee and customer data
• Necessary controls implemented throughout the business
• An improvement plan based on your privacy lifecycle to build a sustainable approach to privacy management
• How Businesses Measure and Evaluate Privacy Programs

There are a variety of methods and privacy program metrics used to evaluate effectiveness demonstrated by the 2022 Global Benchmark Data. The most popular method is privacy audit assessments, while the most popular KPI is the completion rates of privacy impact assessments (PIAs).

Aside from privacy assessments, another organization measured their cost of compliance with privacy laws and audits to determine the ROI of investing in their privacy program. They discovered their investment in a privacy program paid for itself in less than six months. And there was a 5-week reduction in the time it took to comply with privacy laws.

Besides saving time, they also saved money. With a 126% return on investment, Forrester estimates that this organization reduced costs by $3.74 million through its privacy program.

What Privacy Program Metrics Can You Use?

Because almost every business function has a role to play in terms of data protection and privacy, measures will be quantitative and qualitative. The exact metrics needed will depend on the business. However, there are several categories you can use to develop your program metrics.

The International Association of Privacy Professionals recommends the following categories.

• Individual Rights
• Training and Awareness
• Commercial
• Accountability
• Privacy Stewards
• Policy

Within each category, there are many measures your organization may want to adopt. But try to focus on the measures you need to inform goal progress and effectiveness of your program. Too many metrics will leave people confused. Find the right balance based on the metrics you need for compliance and to show the program’s value.

Individual Rights

Metrics in the individual rights category measure how well your organization protects personal data and how much trust people have in your privacy program. Individual rights are granted to people through data protection laws such as the GDPR and CCPA as amended by the CPRA. These include the right to access, delete, or change their information or consent permissions.

Not recording these privacy program metrics could result in non-compliance with regulations. This list is not exhaustive, but here are the metrics that fall into the individual rights category:

• The number of data subject access requests (DSAR) received, closed, and in progress
• The average duration of open DSAR
• The average response time for DSAR
• The number of individuals satisfied with the result of DSAR
• Consumer consent denial and approval rates for cookies, processing activities, data sharing and selling, and email marketing
• The number of privacy breaches
• The number of customers impacted by privacy breach
• Mean times to discover privacy incidents or breaches and the mean times to resolve incidents or breaches
• General privacy complaints and queries

Training and Awareness

A privacy program is only as good as the privacy awareness of your employees. Many functions across the organization frequently handle data, and each needs to understand privacy issues and why data protection is paramount. This category measures your culture of privacy and assists in identifying gaps in employee privacy knowledge and can inform future training activities.

Training and awareness privacy program metrics to consider:

• • The number of privacy training sessions offered and attendees
  • Staff engagement rate with privacy program
  • The percent of employees trained in privacy
  • The number of individual privacy certifications obtained

Commercial

Commercial metrics measure how your privacy program impacts business revenue and supports priorities. Closing deals today often requires transparency around your data processing and protection policies and procedures. Up and down the value chain, other businesses need assurances your company won’t be a weak link in their security and privacy programs.

Again, this list is not exhaustive, but it should give you a good idea of commercial privacy program metrics to track:

• • The number of
    • data processing agreements negotiated and closed with customers
    • data processing agreements negotiated and closed with vendors
    • vendor privacy reviews or risk assessments completed, in process, and planned, and the results
    • vendor privacy compliance issues, severity, status, and time to resolve
    • data sharing agreements
    • privacy due diligence requests for mergers and acquisitions (M&A), time to complete due diligence, and remediation actions identified.
  • The percent of agreements that include privacy language in the contract
  • Privacy compliance attestation requests completed and timeframe to completion

Accountability

These metrics help to measure your program’s ability to comply with global data protection laws. In many cases, items in this list are required by regulations such as the EU GDPR. Additionally, in the case of a privacy incident, this record can demonstrate your due diligence and efforts to comply.

Within this category are several subcategories of metrics, including your Privacy Impact Assessments (PIAs), Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), Data Mapping and Records of Processing Activities (ROPAs), and notices to consumers and employees.

Document:

• • All privacy policies and procedures and when they were last updated
  • All privacy notices to consumers and employees and when they were last updated
  • All projects and products privacy has provided input towards
    • Marketing activities
    • HR activities
    • New services
    • New products
  • The number of regulator inquiries, the type, and status
  • Total number of data inventories

Metrics for your assessments and processing activities include:

• • The number of
    • PIAs, DPIAs, and TIAs completed and time to complete
    • identified high risk data processing activities requiring a DPIA
    • vendor questionnaires
    • applications that require data mapping, the number mapped, the percent of required applications not mapped, and the total of completed ROPAs.
    • privacy compliant apps processing personal information
  • The status and number of compliance monitoring audit activities

Privacy Stewards

Privacy stewards enable privacy across the organization. They are responsible for bringing policies to life. In addition to building a culture of privacy and understanding the importance of protecting personal information, these metrics help to ensure compliance with regulations.

Across each product team, track, the number of

• personal information management systems and their privacy status
• DPIAs supported
• rules of procedure supported
• department personal data use requests
• cross-functional privacy projects
• DSARs supported
• department-specific privacy training sessions
• data privacy awareness and communications created

Policy

Depending on your geographic location, this category could be highly relevant. As bills are discussed and passed, regulators often open requests for comments and feedback. Not every company will engage in legislative work with regulators. But if you do, you should record the bills you monitor, new laws and their status, and investor rating agency scores.

Privacy Program Metrics Improve Efficiency

Privacy programs are increasingly seen as an asset to organizations rather than a mere compliance activity. Measuring the effectiveness of your program helps you avoid damage to the organization’s reputation and reduce legal liabilities. Furthermore, by using privacy program metrics, you have a clear path to improve your current policies and procedures.

The competition between brands today for consumer and employee loyalty is fierce. Your privacy program can give your organization an edge over its competition by demonstrating it takes privacy seriously. And you’ll have the numbers to back it up.