Gathering metrics can be difficult without a framework
Metrics are key to gaining buy-in and ensuring your privacy program is effective. But many privacy teams struggle to use metrics effectively to communicate with other stakeholders. In part one of this three-part series, we discuss the challenge of using metrics effectively and give you some strategic take-aways about how to report them in a way your board will love.
Why is it hard to use privacy metrics effectively?
In general, business KPIs or OKRs are easy to understand ; even if a stakeholder doesn’t know every detail of business operations, they can understand the significance of a high ROI, or slowing year-over-year-growth at a glance.
But privacy metrics are rarely straightforward — in fact, even the most common privacy metrics mean very little in a vacuum. In a 2022 study, Cisco found that the three most commonly reported metrics are privacy program audit findings, personal data breaches, and privacy impact assessment results. All three of these metrics require significant context and explanation:
Audit findings
To understand audit findings, you need a lot of background information, including why you’re being audited, your goals, the consequences of the audit results, and how you compare to competitors. And even a stakeholder who understands those factors may struggle to grasp the full significance of the audit.
Personal data breaches
The consequences of a personal data breach can range from minor to devastating. To understand the significance of a breach, stakeholders will need significant background information, including:
- What was breached?
- How much data was breached?
- How it was breached?
- How it was remediated?
- Your obligations to regulators, customers, and business partners.
- The legal, regulatory, and reputational consequences of the breach.
Privacy impact assessments
A PIA examines the minutiae of your business processes, privacy policies, and vendor relationships and how they relate to multiple regulations. They’re important to document, but PIAs can be difficult to explain to outsiders. Simply sharing a count of how many you’ve done won’t tell the board anything, but digging into the details may be too much information. So it’s important to report the metrics you can gather about how your program is running, where you’re slowing down, and where you’re succeeding as an asset to the business in ways that make sense to stakeholders who aren’t necessarily privacy savvy.
To share metrics effectively, understand your audience’s needs
Each audience you’re reporting metrics to is going to be different, and that might require you to tweak your explainer according to which group you’re speaking with. For example, an audit or compliance subcommittee will have more background knowledge and greater appetite for details than a full board meeting might tolerate.
In general, though, any board or stakeholder group is going to have a few common characteristics:
Rudimentary understanding of privacy and compliance
Expect your board to not be immersed or invested in privacy, unless it’s affecting your company in a very immediate way (e.g. a regulatory audit or consent decree.) They may be broadly aware of major issues such as recent state compliance laws or industry-specific regulatory issues.
However, that doesn’t mean they’ll understand how to weigh or prioritize those issues. For example,a stakeholder may understand the basics of privacy by design and major privacy laws, but not understand how PBD fits into your compliance strategy.
If you skip over basic concepts and start throwing metrics at them, their eyes will glaze over and you’ll lose them entirely. Choose a few key topics, and start with the basics.
Interest in news that could impact the bottomline
From breaches, to legislation, to new enforcement actions, there’s always something in the news about privacy. Use these current events to help you explain privacy issues. For example, you can explain the need for better vendor management by walking stakeholders through a recent breach that’s been in the news, explaining the role the vendor played. By starting with a familiar topic, you can keep their interest and explain privacy in a way they’ll understand.
Concerns about business operations, risk, and profit
As you know, your privacy team isn’t the Department of No, nor is it where great ideas go to die. Instead, privacy is a function that makes your business more competitive, reduces risks, and preserves your reputation.
To get your board to see this, you need to frame privacy around their specific concerns. Every privacy goal should relate to the company’s risk, profit, user satisfaction, sustainability, and/or other business priorities.
Build your case on reputational risk, legal, and the business
Your metrics, goals, and subsequent presentation should focus on three broad categories: reputation, legal, and business.
Reputation
Privacy affects how people feel about your company. Strong privacy protections can help you maintain a premium brand image and earn the trust of users, clients, and business partners. Similarly, for B2B companies, certifications and well-documented privacy programs can help speed onboarding and earn contracts.
Legal
Although legal risks and obligations play a role in all kinds of privacy decisions, this category is for strictly legal concerns. What do the regulations say? What do regulators expect? What about clients and users — what protections are you obligated to provide? What legal risks come with your company’s current privacy profile?
Business
Privacy needs to be integrated into your business goals. Your company has new products and features to deploy and revenue goals to hit. As a privacy expert, your job is to find a way to meet your company’s privacy obligations not just in theory, but in the day-to-day reality of business operations.
In Part 2, We’ll explain how to tweak your messaging and pick metrics for each stakeholder group. To learn more, check out the full webinar, “Privacy metrics to up level your privacy program.”
