How to report metrics to prove privacy's value: Part 2

Tailoring your metrics — and message — to your audience

In part 1 of this series, we talked about some of the reasons to collect metrics, and for whom. Privacy metrics will help you argue for the things you need, including headcount, resources, and tooling. If you can use data points to indicate you’ve got a solid program growing, as well as where there are blockers or red flags, you’re more likely to get the attention you need from the top.

Metrics will also help you tailor your message to each stakeholder group, according to their needs. In addition, metrics help you prepare for any time a regulator might come knocking. Data protection enforcers from Europe to the U.S. and beyond want to see that you’ve been thoughtful about your privacy program. Your ability to show them the numbers you’ve collected on how your program is performing may go a long way to indicate you’ve taken a smart approach based on the numbers you’ve collected on things like how long it took you to process a DSAR, or how long it took you to delete data based on a user request.

In part one, we discussed the challenges of privacy metrics to demonstrate your program’s efficiencies and the strategic impact it’s having on the business. In part two, let’s talk about how to tailor your metrics (and your message) to the needs of leadership, product, and marketing teams.

How to message to various teams

For starters, a baseline education you can roll out to all of the teams you work with cross-functionally will cut down on how much time your protocols require from them. If you’ve put in some baseline work, you can move from time-consuming meetings defending all the reasons why certain considerations must be taken into account to simply responding to an email or a slack message when someone needs to check-in or raise a red flag.

Keep track of how often stakeholders come to you and how much time you’re saving various teams by arming them with some basic privacy knowledge of their own. You should also poll them on their satisfaction with your privacy practices and elicit suggestions to improve if you want to win some hearts and minds. Show them you’re listening and curious.

Here are tips on how to frame your messaging to various stakeholder groups.

The board

The board isn’t going to care about how hard you work, so you need not bring them a list of numbers that indicates as much. The board cares about three basic things:

• How does privacy relate to legal risk?
• How does privacy relate to reputational risk? Where are you practices making your organization vulnerable related to its risk tolerance?
• How does privacy impact core revenue goals?

Another metric your board will take interest in is how you stack up against the competition: How does it stack up against your peers? You might share data such as:

• Where do you stand with ISO standards compared to your competition? Are your peers fully adopted?
• How is your U.S. state privacy law compliance stacking up?
• Where are you with GDPR compliance?
• How many companies have sent the California AG’s office breach notification letters? (available on the AG’s website) How does that compare with your breach history?

More on benchmarking against competitors

Consider doing a deep dive into competitors’ privacy controls and disclosures. Look at:

• What data they collect.
• How they use the data.
• What privacy options they give users.
• How they explain user privacy rights.
• Their privacy disclosures’ flow and UX.

With this data, you can seek opportunities to outdo the competition with better privacy functionality, copy, and design. Stronger privacy rights and protections, less intrusive practices, clearer copy, and better UX can all differentiate your product, showing users you take their privacy more seriously than the competition.

How to talk metrics to your leadership

Your heads of product, heads of marketing, heads of sales, etc., are the money-makers for the business, and they should all have an idea of privacy’s value if you want them to buy in to your needs. While many business leaders understand that privacy is necessary today, fewer understand how it benefits the business, and fewer still understand how privacy can be a difference-maker for your brand. It’s important to show them that you can help the organization make better business decisions, boost profitability, and build customer trust.

Consider sharing with them:

• What of the business’ core functions are you enabling?
• Are you being a good partner?
• How are you creating value?
• How can you demonstrate you aren’t blocking speed? How long does it take you to complete a PIA? Is it speeding up over time? How long does it take to do a vendor review?
• How many deals have you won based on your privacy practices?
• In what ways are you saving the business money by mitigating risk?
• If you’re able to capture this: How satisfied are your customers with your privacy practices?

More on risk mitigation metrics:

Employing risk mitigation strategies can also provide a fringe benefit: Opportunities to save on resources. For example, the GDPR requires companies to collect as little personal information as possible, and to delete that information as soon as you’ve exhausted your legitimate use for that data.

But reducing the amount of information you collect, store, and process doesn’t just mitigate risk — it also cuts down on your cloud costs. Track compliance changes you make here, and explain how much money those changes are saving the company.

PIAs and DSARs

Track the time and resources your company uses on privacy processes. It’s likely that at one point you employed manual, time-constraining, and repetitive processes to conduct privacy impact assessments and data subject impact assessments. But if you’ve been smart about using tooling to automate some of that manual labor, use some metrics to indicate how much time you save now by streamlining your operations. Then, take it one extra step and explain what the company can accomplish or already is tackling with the time you saved when you decided to work smarter and not harder.

How to talk metrics to product

User experience is the most important factor to your product team. But privacy controls are often tacked on as an afterthought, and that can create problems for the UX. In reality, there should be natural synergy between the product team and the privacy team. Ultimately, the product team cares most about their users having a really positive experience. And privacy settings, DSAR requests, the cookie consent banners you show them are all an extension of the user experience.

When you’re talking to product, you can talk about how to make exercising privacy rights as easy and simple and unobtrusive as possible. Because sometimes, unfortunately, websites can have a really beautiful UX with sleek landing pages, elegant copy, but then a user tries to exercise a CCPA opt-out request, and it takes you to the clunkiest UI you’ve ever seen. It’s like some appendage that sits outside of the core user experience.

It’s important to convey to the product team that the privacy experience of the user needs to be kind of part and parcel with sort of the core user journey.

Simplicity and transparency are closely related to UX. Your privacy controls don’t just need to look good and be logically ordered — they also need to have clear, simple copy that explains user rights. Deciphering privacy disclosures and controls should not take a college education.

Here are some of the main points you should address when you’re collecting metrics to prove privacy’s impact:

• Simplicity and transparency of the product.
• Conveying the value of privacy to users.
• Benchmarking against competitors.

How to talk metrics to marketing

Building relationships with marketing can be tricky for privacy professionals. Marketers rely on a range of data sources, platforms, and tools to get leads and conversions. They don’t want to see those channels shut down, and they’re not exactly excited to hear you tell them what they can’t do.

Reassure them that you’re not there to make life harder — your job is just to tell them what the risks are, and help them mitigate those risks.

As you prepare your debrief, remember that marketing is going to be concerned about the following:

• Whether privacy regulations and your privacy practices will impede marketing motions.
• How you can ensure that it will still have meaningful data quality.
• Whether they’ll be required to dispose of marketing data sooner than they want.
• What broader DSAR requirements may implicate their ability to market.

Consider working with marketing to collect metrics like:

• How long data is retained after collection?
• What percentage of your co-marketing and cross-selling initiatives contemplate cross-border data flows? Of these, how many have a proper cross-border data transfer mechanism in place?
• How do different privacy controls in your UX impact opt in/opt out rates?

In Part 3, we’ll talk about how tooling can help you gather the metrics you need and streamline your privacy program in general. To learn more, check out the full webinar, “Privacy metrics to up level your privacy program.”