Measuring your organization’s performance against certain privacy standards—in other words, privacy benchmarking—gives your team the opportunity to identify where to target for digital transformation. In the world of privacy, it can be hard to benchmark the effectiveness of privacy programs and initiatives. And without the numbers to back you up, getting sufficient organizational priority and budget for your privacy program may prove difficult.

Luckily, our annual Privacy Incident Benchmark Report provides the insights and necessary data to help drive  organizational change.

Why benchmark the effectiveness of privacy programs?

Incident response management is a critical area of your privacy program, it is ideal for privacy benchmarks. It takes a lot of metrics to monitor your program, continually improve your process, and meet your regulatory requirements.

Knowing how to benchmark the effectiveness of privacy programs can help uncover trends and identify opportunities for digital transformation.

It can also quantify the results of your privacy program to executives and board members, specifically:

-> Reducing risk. Benchmarking enables you to identify and mitigate privacy risks. For example, the data may show that a certain department is the source of a significant number of privacy incidents. Or, you may see a department with fewer than average incidents. Effective training can lower the risk of incidents in the first scenario, and ensure incidents are accurately discovered and reported in the second.
-> Justifying your privacy program budget and demonstrating ROI. Last year’s IAPP-EY Annual Privacy Governance Report found that 63% of respondents feel their company’s privacy budget is insufficient. When you consistently benchmark the effectiveness of privacy programs, hard data supports requests for budget increases. For instance, knowing how many privacy incidents are being reported and managed per month/quarter/year could help justify a request for investing in incident response technology to streamline the process. Build your business case for incorporating automation with our free ROI calculator. 
-> Building trust. Customers want to know what you’re doing with their data—and they want to know that you’re protecting their privacy. The greater levels of confidence consumers have in your data privacy measures, the better it is for your business. According to a recent CISCO study, “privacy laws are viewed very favorably around the world, with 79% of organizations indicating they are having a positive impact.” 
-> Creating a culture of privacy. Measuring the performance of your privacy incident response program shows that you are committed to regularly monitoring your privacy program. Benchmarking makes your privacy program more visible across the organization and promotes a strong culture of privacy in every department. Since the start of the pandemic, we’ve seen privacy teams exponentially grow. IAPP-EY Annual Privacy Governance Report 2021 found that 6 out of 10 privacy pros expect their privacy budget to increase over the next year, while almost none are anticipating cuts. The report also found that 45% of respondent organizations are planning to hire at least one or two new privacy pros over the next six months. 

What you measure matters…

To improve your privacy incident response process and lower risk, you need streamlined escalation of privacy incidents. Some important questions that the benchmarking metrics might answer include:

An incident notification rate below 7% is a good indicator that your organization’s data security and privacy practices are working, your incident response process is well-tuned, and you’re not putting the business at risk by over- or under-reporting.

What percentage of privacy or security incidents are notifiable breaches?

Only a fraction of incidents that have been properly risk assessed under jurisdictional requirements rise to the level of a data breach requiring notification.

Even so, tracking and assessing every privacy incident is required for compliance. It also ensures that your privacy program is consistent and defensible, and reduces the risk of over- or under-reporting.

What is the average timeframe for each phase of the incident response lifecycle?

When managing a privacy incident, efficiency and timelines are essential for compliance. Measuring how long it takes your organization to discover, document, assess risk, and provide notice on a data breach will help you understand where improvement is needed.

How many incidents involve electronic vs. paper vs. verbal/visual records?

52.7% of all incidents were categorized as electronic in this year’s report.

Paper (such as a misdirected fax) and visual/verbal incidents expose fewer records than electronic incidents (such as phishing attacks), but remain common and also need a risk assessment.

What are the most common data elements involved in incidents/breaches?

The definition of what constitutes regulated data varies from jurisdiction to jurisdiction. Thus, it’s critical to carefully identify different data elements to ensure you are meeting all notification requirements. For example, name, Social Security number, financial and health information.

Note: the GDPR defines regulated data as “personal data,” with an expanded interpretation that includes social and cultural data. This broader definition of personal data may increase the number of breaches requiring assessment to determine notification obligations.

Was the intent behind the incident malicious or inadvertent?

95% of incidents were categorized as unintentional or inadvertent in nature.

Ransomware and malicious hackers make big news, but the vast majority of incidents are attributable to simple human error. Classifying by intent is an important factor in assessing the severity of the incident and in determining the potential risk of harm.

How do you benchmark the effectiveness of privacy programs to drive digital transformation?

It’s critical to consistently report and assess every privacy incident within your organization based on the latest applicable breach notification laws.

Using this cumulative privacy incident data, you can create and view reports via real-time dashboards. This visibility into emerging trends can help you identify areas for improvement, properly manage resources, and determine the effectiveness of your privacy initiatives.

Organizations with a strong culture of compliance have found incident response management software with built-in reporting and dashboard capabilities a powerful tool for benchmarking their privacy program.

Read the 2022 Privacy Incident Benchmark Report