There’s no getting around it—implementing and updating a privacy program can feel overwhelming for many businesses. Every year, more and more states enact new data privacy laws, and the established ones continue to be revised, as well.
It’s a lot to track, especially when you just want to get on with business as usual.
The result is that many businesses approach data privacy programs with a “set it and forget it” mentality.
But this cruise control mentality does a disservice to your business.
The digital ecosystem is rapidly evolving, with laws, regulations, threats, vulnerabilities, and industry best practices changing constantly. What worked for your business in theory two years ago may not work in practice today.
The best way to protect your business and consumer data is to regularly review, measure, and evaluate your data privacy program. Here’s how to go about it.
The role of data inventories in measuring privacy programs
If you’ve never done it, measuring your privacy program can feel monumental. But just like spring cleaning, things become a little more manageable when you break big categories down into smaller steps.
The Future of Privacy Forum (FPF), a non-profit dedicated to data privacy and emerging technologies, suggests seven categories of metrics for looking at your privacy program:
- Individual rights
- Training and awareness
- Commercial
- Accountability
- Privacy stewards
- Public policy
- Marketing
Each of these approaches is an essential part of privacy plans, even if they don’t all apply to the needs of your specific business. A third-party expert can help you understand precisely what you must do to protect your business. Let’s look at each of the seven categories.
1. Individual rights
How does your company obtain consumer or employee consent for its data collection practices? How many consumers and employees make data subject requests, and how quickly do you respond? What types of privacy breaches have you experienced?
This data helps measure how well the privacy program protects personal data and how much trust people have in the program.
In terms of metrics, useful evaluations and KPIs include:
- Data subject requests and deletion requests: How many do you receive, and how long do they take to process? How many are in progress or closed? How do the requests vary by type or region?
- Privacy incidents: How many privacy incidents occurred in the last year? How many customers were affected, and where did these breaches happen?
- Consent: What are your consent levels for data sharing, and how many users opt-out/opt-in?
Evaluating these KPIs can help you track efficiency and accuracy of your processes, as well as identify areas for improvement in the future.
Law enforcement requests
Although law enforcement requests have unique factors that differentiate them from individual data requests, when it comes to measuring them as part of your privacy program, you can use many of the same KPIs. Look at requests processed, timeframes, types of requests, and more.
2. Training and awareness
What type of training do you provide for your staff? What are the learning objectives of training, and are they being achieved? Understanding employee privacy knowledge can reveal gaps in organizational knowledge.
Most data breaches are related to human error. Assess your staff training with metrics like:
- How many employees attend privacy training sessions?
- What departments were received in privacy training?
- How many topics were covered?
- How do your employees do on their evaluations?
- How many training sessions do you offer?
- How many employees obtain privacy certifications?
You should also track how privacy awareness is facilitated throughout your company. For example, how frequently are privacy regulation updates shared with stakeholders via email, presentations, or reports? Was the information shared in a timely manner?
Additionally, you can track how many consultations were offered. These could be meetings or answering emails on privacy issues with business units like marketing, HR, operations, or IT.
3. Commercial
This category focuses on business engagement and how well you adopt new technologies as needed.
Commercial considerations include:
- What data processing agreements do you have in place?
- Are your vendors in compliance with your privacy program?
- What supply chain agreements are active for your business?
4. Accountability
How accurate are your current privacy policies? Does your company operate according to your policy? How compliant is your organization?
Applicable metrics include:
- When was your last data privacy program review? What were the results?
- Data privacy impact assessments/privacy impact assessments
- Number of business processes and assets (systems) reviewed in data mapping
- Privacy notice compliance and accuracy
- Number of supplier agreements and privacy questionnaires reviewed and answered
5. Privacy stewards
How well do you take your privacy program and implement it across your organization?
For example:
- How do your different business units perform in employee training, DPIAs, and accountability?
- Is there one business unit that experiences more incidents than others?
Improving privacy stewardship is a cross-departmental, cross-functional project. One place to start is identifying privacy champions who can encourage adopting privacy practices at the employee level.
6. Public policy
How well do you comply with applicable data privacy laws?
This metric is critical on several levels, including risk exposure, potential civil penalties, and public opinion regarding your business.
Take some time to review:
- How many privacy laws apply to my business?
- What privacy laws will likely come into effect in the next 1 or 2 years?
- Do we have a plan in place for upcoming data privacy laws?
7. Marketing
Marketing and privacy are closely entwined operations; your assessment practices should reflect that. As you measure your privacy program, take a close look at KPIs like the following:
- Marketing opt-outs: how many were received? How many were processed? What was the time frame for this?
- Consent rates for sharing personal information
- Accuracy of data
- Number of cookies firing on a page and scripts running on the site, and metrics around cookie management like opt-in/opt-out percentages, which cookies people opted out of most, and which region sees the most opt-outs.
Additionally, if your business uses a privacy center to allow visitors to manage their privacy preferences better, what were the most common choices (i.e., newsletter, weekly email, monthly, etc)?
Demonstrating ROI with privacy program evaluation
If you like to measure things just for the sake of measurement, you’re in good company. (We love a good spreadsheet here at Red Clover!) But you probably want that data to translate into actionable insights for your business.
The information gathered can be used to highlight:
- Hours and costs saved through increased efficiency
- Improved customer satisfaction
- Decreased incidents
- Reduction in compliance risks
- Increased employee awareness
- The alignment between business and privacy objectives
Whether you’ve achieved all your goals or still have room for improvement, share your findings widely. Send out a complete report, share numbers during training sessions, and even leverage the information in your digital marketing to demonstrate you’re walking the privacy walk.
Build a privacy program that fits your business
A privacy program evaluation is far easier (and more fun) with others around to share the load. Schedule a call with Red Clover Advisors today to learn how we can help measure and develop your privacy program.