Privacy Metrics to Reduce Business Costs
- Where to start your search for meaningful data
- The challenge of leveraging operational metrics to drive privacy program maturity
- How ROI can drive change
Read more below.
John Barbret, Privacy Officer at VW Credit, Inc., joined The Privacy Collective on April 27, 2021 to discuss the various ways he collects metrics to drive efficiency and reduce cost across organizations. View the full session here.
A key component of any privacy program is its ability to recognize trends and take proactive measures to reduce risk. From incident discovery to assessment and notification timelines, to identifying recurring incidents sources, metrics help programs set benchmarks and create a baseline to measure improvement throughout the entire incident response lifecycle.
However, the first challenge many programs face is knowing where to find, quantify, and evaluate meaningful data such as which metrics to capture and how to relate data back to specific business practices.
“You cannot make a series of good decisions without confronting the brutal facts. It starts with getting to the data. You want to make sure you’re building relationships with your business partners so you can understand what data you can pull out of those processes. Once you begin to compile those metrics you can drive changes to the systems as needed. If the story behind the data is unhappy customers, or losing money, those metrics become powerful drivers for change.” – Barbret
Identify meaningful data
When looking through data, it’s important to identify where areas for improvement exist for your organization. Per Barbret, “It’s good to know the impact, whether it’s cost impact, whether you need to know which departments will be involved so you can get them involved more quickly. Assessing the impact in terms of hard dollars and soft dollars so you can communicate those impacts to your business and begin to mitigate costs or reduce the number of upset customers you may have.”
When it comes to driving efficiency in incident response, time to decision is one of the metrics Barbet used to get funding for an automated tool to manage privacy incident events at his organization. While directly improving efficiency on time to decisioning timelines, the org also saved costs by no longer requiring outside counsel to validate those outcomes.
However, data alone is not meaningful. What makes data powerful is your ability to leverage it to drive change at your organization. If your goals are increased efficiency, mitigating opportunities for risk, or increasing ROI, begin by looking for data in two key areas.
- Focus on the root cause of an event. What fails, what caused it? You don’t want to assign blame, you want to fix a problem. If you can categorize events by the system, department, or even a person, you can focus remediation efforts on the source.
- Understand the cost impacts of events, in soft and hard dollars, to help you build a remediation plan.
Hopefully, by using metrics to increase operational efficiency, privacy professionals provide irrefutable evidence that they’re of value to the company. Currently, there are no standard lists of metrics ELT or Boards want to see from privacy teams but that doesn’t mean departments can’t show they’re a critical part of the enterprise.
“You have to show your business that there’s a problem that impacts them. Then you can find the people to give you time to help you find the metrics you need. Once you educate people then you can affect real change.” – Barbret
The challenge of leveraging operational metrics
For new privacy leaders, at first every event may seem unique. It’s only over time and continued efforts to dig deeper into the data that a picture of efficiency begins to appear.
To expedite this process, it’s important to have the right tools in place to capture and quantify data as well as open communication between teams. In order to access the data you need to drive change, you need to be in contact with the people who can connect the dots between organizational systems. With a solid foundation of how systems are operating, you can leverage industry benchmarks to inform what data you should be collecting or which questions to ask.
For instance, some years ago, Barbret noticed a series of usability issues within a system that facilitated human error. While the issue was immediately apparent, it was only after time that Barbret was able to gather enough data to develop a business case for stakeholders to approve of his plan to correct the problem. By demonstrating that the solution would pay for itself over time, Barbret won approval to make the change.
(Provided by John Barbret)
In this case, what makes the data meaningful is historical context weighed against the cost of repeated usability issues, which proves an ability to monitor, analyze, and improve.
How ROI can drive change
When you’re looking for a metric to start out with, it all comes down to cost impact. Ask yourself questions about associated costs such as what are the events that lead to issuing refunds or late fees? What can you tie back to actual cash, hard dollars? After all, you can’t fix something you can’t measure.
Per Barbret, “When you can understand actual financial losses and your metrics can tie those losses to activities or processes, that’s the powerful message that paints a picture for leadership to show them what works.”
Barbret advises privacy leaders to utilize SMART goals to hone their metrics and reporting for Boards and not to give up if the work seems challenging. You may not find the metrics that are meaningful to your organization right away, but with continued effort, if you’re able to explain how your metrics listen to the data to solve a problem and provide time-bound, actionable fixes, you will continue to learn and grow and improve your metrics so you can provide value to your business and leadership.
“It may take some time but there are meaningful stories hidden in those mountains of data. Identify specific, meaningful goals to your business – assess the impacts those metrics describe.”
You might also be interested in:
Topics: Incident Response Management