Establishing a robust citizen data protection framework has recently been the prime focus for several countries across the globe. Countries that have existing data protection laws are strengthening them, while those that do not are now working towards formulating new laws.
This makes it imperative for organizations to comply with data privacy and data security requirements of the applicable data protection laws in their respective countries. For organizations with a global presence, data protection regulatory requirements become more demanding as multiple laws come into play.
It is advisable for organizations to have a formal data privacy program as a part of their larger data protection regulatory compliance initiative. Such a program must be owned by a central role, such as chief privacy officer or data privacy officer, preferably reporting directly to the CEO.
The program serves several objectives at once. Regulatory compliance is the primary one, as non-compliance attracts penalties and damages reputation. At the same time, the program must also support agile business outcomes by removing data barriers, and boost overall business growth by earning compliance-driven trust from consumers.
The program must be governed efficiently, and the level of efficacy must be assessed using numbers and metrics to determine whether its key objectives are being fulfilled.
Categories of Data Privacy Metrics
Broadly, organizations can define data privacy program metrics across three categories aligned with business objectives, as outlined below:
Regulatory Metrics: Organizations prioritize certain metrics for measurement and tracking because they correspond to direct requirements mandated by the applicable data protection law, or by industry-specific regulations. If such essential metrics are not maintained and governed, the result can be non-compliance and penalties. Examples of such metrics are the processing time for data-related requests made by citizens; the maximum retention period for specific data sets and their timely deletion; and the breach-notification thresholds (the size of a data privacy breach above which it must be reported) together with the time window within which communication about the breach must be sent to regulatory bodies and/or citizens. Additionally, organizations can define their own internal compliance and tracking measures, such as the number of sensitive data categories applicable in the context of their business; the number of business units, business applications, and data stores within the scope of data privacy controls; the percentage of such entities for which data privacy controls have been implemented; performance scores for ongoing data privacy processes; and so on.
Business Agility Metrics: Agility metrics help an organization judge whether the program results in faster business outcomes and shorter time-to-market. Organizations may want to measure the time taken to deliver enhancements to business applications, or to fix issues reported by users, when supported by privacy-safe test data provisioning. Further, organizations may wish to track how quickly regulatory changes are adopted and privacy-safe data is delivered to the intended stakeholders. It may seem that data privacy measures, being an additional step, would prolong delivery. However, if the program is well defined, governed, and executed, organizations should still be able to deliver the desired data within the defined timelines. Any observed deviation should act as an alert that the program needs to be made more scalable.
Business Growth Metrics: Ultimately, any business program, including data privacy, must facilitate business growth. The question, however, is whether an observed growth in business can be directly attributed to the adoption of data privacy controls. Determining this is challenging, because business growth is generally the result of a combination of factors. Nevertheless, through the right market messaging and consumer outreach programs, organizations can subtly educate consumers about how seriously they take the privacy (and quality) of consumer data. This can raise consumer trust and lead to further cross-selling or upselling. Consumer surveys can also help the organization understand how consumers react to its data privacy measures. A before-and-after comparison of sales figures can indicate the contribution of data privacy measures, even when they are not the only factor behind an increase in sales.
Identifying the Right Approach for Effective Outcomes
While organizations are required to comply with the data privacy requirements of data protection laws, they also acknowledge that data privacy goes beyond regulatory compliance to become a key differentiator. Hence, organizations should focus on specific objectives while devising and executing a data privacy program, and assess its effectiveness with the help of concrete metrics. These numbers help data privacy owners, and the CEO, recognize gaps in processes and any instances of non-compliance, and take strategic measures to fix them. In addition, these numbers help decision makers optimize their investment in data privacy programs so that the programs address both regulatory compliance requirements and the overall business objectives.