Measuring Privacy Programs

The risks of falling short on privacy compliance are greater than they have ever been. New laws are going into effect around the world and in the states, enforcement agencies are exercising their authority and media organizations have teams devoted to identifying data protection failures. Legal judgments can run into the billions. And most important, consumers are increasingly empowered and active in responding when they believe their rights are trampled. Companies are hiring compliance staff and investing in privacy management tools and trying to become more sophisticated about measuring performance.

Businesses are increasingly monitoring quantitative and qualitative metrics to track, measure, and improve existing privacy programs. According to a Privacy Benchmark Study by Cisco, 93% of organizations currently track and provide analysis on at least one privacy metric, and 14% use five or more. These privacy metrics provide businesses and other organizations with key information that allows them to enhance trust and relationships with customers, ensure that personal data remains safe in data transfers, and confirm legal and regulatory privacy compliance.

FPF recently convened policy, academic, and industry privacy experts to discuss privacy metrics and their benefits, and published a report based on their discussions. Through these discussions, we learned that beyond demonstrating compliance, privacy metrics have emerged as a key measure to improve privacy program performance and maturity in terms of customer trust, risk mitigation, and business enablement. Privacy leaders can use these metrics to benchmark the maturity of their organization’s privacy program against its strategy and goals and demonstrate how privacy contributes to its strategy and bottom line.

Privacy metrics can be used to measure a variety of data points. Simple operational and compliance metrics measure activities like the number of data subject requests, where privacy executives can track and improve the efficiency of existing organizational processes. More advanced metrics that are customer and business enablement focused measure things like the amount of time needed to respond to requests.

Privacy metrics can be grouped into six categories:

Individual rights: Individual rights metrics measure the rate of consent for data sharing and email marketing, data subject requests, customer satisfaction rates, and more. This information is useful in determining the trust customers have in the privacy program and how well the program protects customer data.

Training & awareness: Training & awareness metrics compile the number of privacy trainings offered to staff as well as the number of staff trained and their engagement with the privacy program. Having staff engaged with privacy-related issues, businesses and organizations can better ensure legal compliance. This information can show gaps in organizational privacy knowledge, improve an organization’s public image, and create operational excellence in privacy.