In Case You Missed Our Live Q&A on Reporting Privacy Metrics

Were you unable to attend our latest session on successfully reporting privacy metrics to internal stakeholders? We’ve put together a helpful recap, summarizing the key takeaways from the session.

What’s in this post?

1. Defining Groups Who Need Reporting & What Data They Need 
   • Use Privacy Metrics to Be Proactive, Instead of Reactive
   • Make Organizational Improvements with Privacy Metrics 
   • Sometimes Less is More
2. How to Establish Frameworks For Reporting 
   • Do you need to educate the board on what you’re sharing?
3. Benchmarking and Privacy Program Maturity
4. Communicating For Success
   • What’s the best way to package and present information to the board?
   • Helpful Resources to Help Grow Transparency in the Privacy Industry
5. Final Words of Advice

Defining Groups Who Need Reporting & What Data They Need

Our special guest this month, Judy Titera, Chief Privacy Officer at USAA, was able to break reporting down into three parts and construct a metaphorical pyramid for sharing privacy metrics. 

When asked: 

Q: What are some day-to-day privacy metrics a manager looks at? There’s a lot to be interested in, but what could be flagged as critical to relay to executive teams and the board? 

Judy shares: 

For the day-to-day metrics, especially when looking at data incidents, there’s a lot of opportunity for what we can measure. 

We can look at: 

→ how many data incidents?

→ how many people were impacted?

→ what was the cause of this incident?

→ how much time did it take us to respond?

→ [and] did we need to report to regulatory, to the individuals? 

We have so many different measurements that we can look at. So, being able to pull that together… is critical for looking at [your] data incident team and saying: 

→ are we doing the right thing?

→ are we in compliance? 

→ do we have the right staffing?

→ what are the trends that we are looking at and what do we need to communicate to that next level?  

Use Privacy Metrics to Be Proactive, Instead of Reactive

We’re not mitigating risk by saying we’ve had [x-number of] incidents. We [need to] go to the next level… What are we seeing, are we seeing big changes … What is going on and how can we do better? Where do we need to put those resources?

A great thing that many of us have probably known, is if we have a data team that is centralized, we are able to see trends that we might not be able to see if it was decentralized. We like to have that ‘one lens’ and share it with our organization.

Then I look at the next level. As I go up a pyramid, what is my next level that I need to do? I’m seeing trends, and looking at what’s going on in the organization. There are stakeholders at that next level – what do they need to know? What are they looking for? 

Make Organizational Improvements with Privacy Metrics 

We may say, “we are starting to see a lot of incidents that are coming into your space and here’s what we’re seeing.” Management is able to say “ah” where do I need more training? Where do I need a different policy? Maybe there’s a system that needs a tweak?

Being able to provide that data to those areas at that level… they’re being able to see how to best organize their organization.

Then I look at my pyramid at the top, we look at the board… one of the things we really need to think about for all three of the levels, but especially the board, is what is the board responsible for? 

[We can] provide the board with all these great metrics… but ultimately the board needs to see the top level. What is the risk to the organization? How are we mitigating that? They have a fiduciary duty for the organization – overall to make sure the organization is being managed appropriately.

We don’t want to give the board too many metrics that are not meaningful to their level. Keeping that high level [and focused on] risk mitigating – do we have a program in place, is it mature, what are we seeing on a regular basis?

Judy places emphasis on identifying what story you want to tell to your board through privacy metrics. She stresses knowing your audience and relaying what is critical for them to successfully do their job.

Sometimes Less is More

My other point is keeping it simple… how do we keep those metrics so we have a baseline and then we’re able to pull up to the highest level… who are we exactly looking to and what is their responsibility?

How to Establish Frameworks For Reporting 

The most important thing is to look [at your organization entirely]… not only the privacy slice. Privacy interacts so closely with other areas [like] cyber security, business continuity… [you] should be looking at how [to] pull this [all] together. Having a regular cadence for your framework and pulling together different areas within your organization… make sure you’re telling that combined story.

….There is that confusion between privacy and other areas. Helping the senior level and board understand the importance of privacy overall – where you sit and what you’re doing, as well as how you align. 

Do you need to educate the board on what you’re sharing?

When I look at my experience over the 23 years, thinking back to the early years there was a lot of education – why this is important, what should they be looking for, and how this fits into the whole scheme. I would say it’s switched now – where the boards are demanding or expecting more metrics. 

To those teams that are not currently reporting to your board or having a regular framework or metrics to the board – I’d start preparing. Start preparing now, looking at the different frameworks, looking at the different metrics, and start thinking about the story you want to tell your board.

Some of you may need to do some education on the front end – to say “this is why this is important.” My feeling, what I’m seeing, and what we all feel right now, is that the boards do understand how important this is, how important it is to the organization, and it is one of those risk pieces that should be brought up on a regular basis.

Benchmarking and Privacy Program Maturity

Judy shared that if you’re not already reporting to your board and stakeholders, be prepared to.

If you haven’t started yet – put a plan in place. Start preparing today. 

Benchmarking your privacy program against others in your industry is crucial to measuring success. 

Identifying key trends across all industries, like a significant increase in human error, helps provide your team with the necessary insights and data to drive improvement. 

With reports like the 2022 RadarFirst Privacy Incident Benchmark Report, you have access to industry-specific data like:

• Type of incidents
• Incident Intent
• Notification timelines 

[You] could be going a hundred miles an hour in the [wrong direction]. It helps to see what’s going on.

Metrics can help bring your maturity up. Mindfully watching data and using the data to show where we are and where we’re going.

It’s important to establish a reporting routine and accustom leadership and executive teams to the same type of metrics over time. 

Judy cautions to be mindful while benchmarking performance. 

My little piece of caution though is making sure that when we’re looking at this benchmarking, we don’t get too caught up with it. Looking at the different industries and keeping it at a high level – I sometimes see someone looking at a benchmark and saying “we should be here,” but [you] may be in a different organization, different industry, different regulatory requirements – making sure that we’re looking at those metrics and they align to the work we’re doing, the industry we’re in, and the regulatory environment we’re in. When we’re using metrics, that’s the beauty we can pick and choose the ones that make sense for us and use those appropriately.

Communicating For Success

What’s the best way to package and present information to the board?

The most important part is not to go too detailed… it can be easy because we’re excited. We know this inside and out. We love what we’re doing… we have that ability to slice and dice every detail of what we do…We have to switch that lens, what are they looking for? 

….When we present to them, we should really be looking at that risk base – what are we doing to make sure we’re presenting that we have a mature program? 

Metrics are one area where you can show why you need additional resources. Being able to show those external factors that are coming in… so [you] have the resources to respond timely and appropriately.

Judy notes it’s helpful to bring in someone from a different team that isn’t familiar with what you’re doing on a daily basis. It’s a useful exercise before actually reporting to the board. 

Within our organizations we have opportunities to become more transparent, and also across organizations.

Sharing privacy metrics across your own organization is good practice, as increasing visibility is a crucial step in developing a mature privacy program.

Judy encourages other privacy professionals to be transparent not only in their organization but across organizations.

Helpful Resources to Help Grow Transparency in the Privacy Industry

→ Benchmark reports like the 2022 RadarFirst Privacy Incident Benchmark Report 

→ Community spaces for privacy minds to gather like The Privacy Collective 

→ IAPP sessions

→ Dedicated forums like The Future of Privacy

Final Words of Advice?

• When you’re working on your metrics – make sure you have the detail you need on the day-to-day, the important pieces for your middle, and the board – really what they need to know to manage the organization.

• Use these metrics to support your program, inform the organization, and educate at all levels of the organization.

• You’re not alone, we’re all in this together!