RadarFirst Blog

The Why, What, and How of Benchmarking Your Privacy Program

We live in a world of measurements, from batting averages to number of steps walked to miles per gallon. Measuring our performance against certain standards or that of others—in other words, benchmarking—gives us a line in the sand from which we determine how and where to improve. This is especially important in the world of privacy, where it can be hard to gauge the effectiveness of programs and initiatives. And without the numbers to back you up, getting sufficient organizational priority and budget for your privacy program is difficult.  

Why benchmarking is essential

Incident response management is a critical area of your privacy program, and one that is ideal for benchmarking. It takes a lot of metrics to monitor your program, to continually improve your process, and to meet your regulatory requirements. Knowing how your incident response management program measures up to others in your industry can uncover trends and help you identify areas for improvement, as well as quantify the results of your privacy program to executives and board members.  

Specifically, benchmarking metrics is essential to:

  1. Reducing risk. Benchmarking enables you to identify and mitigate your organization’s privacy risks, particularly recurring ones. For example, the data may reveal that a certain department within your organization is experiencing or is the source of a significant number of incidents. Conversely, you may see a department with fewer than average—or even zero—incidents. Effective training can lower the risk of incidents in the first scenario and ensure incidents are efficiently discovered and reported in the second. Other trends such as an unexpected spike in incidents at certain times of the year may indicate when additional privacy training is most beneficial. 

  2. Justifying your privacy program budget and demonstrating ROI. Last year’s IAPP-EY Annual Privacy Governance Report found that 67% of respondents feel their company’s privacy budget is insufficient. Continual metric monitoring and benchmarking gives you hard data to support requests for budget increases. For instance, knowing how many privacy incidents are being reported and managed per month, quarter, or year could help you justify a request for investing in incident response technology to streamline the process.

  3. Keeping your business strong. Customers want to know what you’re doing with their data—and they want to know that you’re protecting their privacy. The greater the confidence consumers have in your data privacy measures, the better it is for your business. According to a recent Cisco study, “privacy-mature” organizations experience an average sales delay of only 3.4 weeks, compared to an average of 16.8 weeks for “privacy-immature” companies. Benchmarking is an impartial way to demonstrate the maturity of your privacy program. Even the fact that you’re benchmarking is a sign you highly value the privacy of your customers’ sensitive information.

  4. Creating a culture of privacy. Measuring the performance of your incident response management program demonstrates that you are committed to regularly monitoring your overall privacy program. This in turn demonstrates that you are attentive to—and accountable for—the effectiveness of that program. What’s more, benchmarking makes your privacy program more visible across the organization and promotes a strong culture of privacy in every department. Privacy is an organizational value and the privacy team can best promote the value by helping to establish the tone from the top and by becoming metric driven. 

What you measure matters

To improve your incident response process and lower risk, you need timely, streamlined escalation of privacy incidents so that each one can be risk assessed, and so that root causes and trends can be uncovered, flagged, and corrected. Some important questions that benchmarking metrics might answer include:

  1. What percentage of privacy or security incidents are notifiable breaches? Only a fraction of incidents that have been properly risk assessed under jurisdictional requirements rise to the level of a data breach requiring notification. Even so, tracking and assessing every incident is required for compliance, ensures that your privacy program is consistent and defensible, reduces the risk of over- or under-reporting, and helps you properly identify trends.

In the first 6 months of 2018, only 13.9% of all incidents were considered data breaches after a multi-factor risk assessment. Source: RADAR 


  2. What is the average timeframe for each phase of the incident response lifecycle? When managing an incident, efficiency and timeliness are essential for compliance. Measuring how long it takes your organization to discover, document, risk assess, and provide notice on a data breach will show you where improvement is needed.


  3. How many incidents involve electronic vs. paper vs. verbal/visual records? While paper (such as a misdirected fax) and visual/verbal incidents may expose fewer records per incident than electronic incidents (think phishing attacks), they are more common and must also undergo a risk assessment.

58.9% of all incidents involved paper in the first half of 2018. Source: RADAR 


  4. What are the most common data elements involved in incidents/breaches? The definition of what constitutes regulated data varies from jurisdiction to jurisdiction. Thus, it’s critical to carefully identify different data elements—e.g., name, Social Security number, financial and health information—to ensure you are meeting all notification requirements. (Note: the GDPR defines regulated data as “personal data,” with an expanded interpretation that includes social and cultural data. This broader definition of personal data may increase the number of breaches requiring assessment to determine notification obligations.)


  5. Was the intent behind the incident malicious or inadvertent? Ransomware and malicious hackers make big news, but the vast majority of incidents are attributable to simple human error. Classifying by intent is an important factor in assessing the severity of the incident and in determining the potential risk of harm.


93.1% of incidents were unintentional or inadvertent in nature during the first six months of 2018. Source: RADAR
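The five questions above all reduce to computations over a consistently recorded incident log. The script below is an added example (not RADAR or RadarFirst code) that computes those benchmarks over a small, constructed set of incident records: the notifiable-breach rate, breakdowns by media type, intent, and department, the frequency of each regulated data element, and the median time spent in each lifecycle phase. The record fields (`media`, `intent`, `notifiable`, the four phase timestamps) are an assumed schema chosen for illustration; map your own incident-tracking export onto them. Note how the phase calculation excludes incidents that never reached a phase (no notification required) instead of counting them as zero, and reports how many incidents contributed, since a median over two records is not a program-wide figure.

```python
"""Benchmarking metrics over a privacy-incident log.

Added example, not RadarFirst/RADAR code. The record schema (field names
below) and the sample incidents are constructed for illustration; map your
own incident-tracking export onto these fields.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Lifecycle phases in order; each entry is (phase name, start field, end field).
PHASES = [
    ("discovery_to_documentation", "discovered", "documented"),
    ("documentation_to_assessment", "documented", "assessed"),
    ("assessment_to_notification", "assessed", "notified"),
]

# Constructed sample log (not real data). 'notified' is None when the risk
# assessment concluded that no notification was required, or it is still pending.
INCIDENTS = [
    {"id": "INC-001", "department": "Billing", "media": "paper", "intent": "inadvertent",
     "data_elements": ["name", "account_number"], "notifiable": False,
     "discovered": "2018-03-01T09:00", "documented": "2018-03-01T11:30",
     "assessed": "2018-03-02T10:00", "notified": None},
    {"id": "INC-002", "department": "HR", "media": "electronic", "intent": "malicious",
     "data_elements": ["name", "ssn", "date_of_birth"], "notifiable": True,
     "discovered": "2018-03-03T14:00", "documented": "2018-03-03T15:00",
     "assessed": "2018-03-05T09:00", "notified": "2018-03-20T17:00"},
    {"id": "INC-003", "department": "Billing", "media": "paper", "intent": "inadvertent",
     "data_elements": ["name", "health_information"], "notifiable": True,
     "discovered": "2018-03-04T08:00", "documented": "2018-03-04T08:45",
     "assessed": "2018-03-04T16:00", "notified": "2018-03-12T12:00"},
    {"id": "INC-004", "department": "Clinic", "media": "verbal", "intent": "inadvertent",
     "data_elements": ["name"], "notifiable": False,
     "discovered": "2018-03-06T10:00", "documented": "2018-03-07T10:00",
     "assessed": "2018-03-07T13:00", "notified": None},
    {"id": "INC-005", "department": "Billing", "media": "paper", "intent": "inadvertent",
     "data_elements": ["name", "financial_information"], "notifiable": False,
     "discovered": "2018-03-08T09:00", "documented": "2018-03-08T09:30",
     "assessed": "2018-03-09T09:30", "notified": None},
]


def _ts(value):
    """Parse an ISO-like timestamp string, or return None for a missing phase."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def notifiable_rate(incidents):
    """Share of risk-assessed incidents that were notifiable breaches, as a percentage."""
    if not incidents:
        return 0.0
    return 100.0 * sum(1 for i in incidents if i["notifiable"]) / len(incidents)


def breakdown(incidents, field):
    """Percentage of incidents per value of `field` (e.g. media, intent, department)."""
    counts = Counter(i[field] for i in incidents)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def data_element_frequency(incidents):
    """How often each regulated data element appears across incidents, most common first."""
    return Counter(e for i in incidents for e in i["data_elements"]).most_common()


def phase_durations_hours(incidents):
    """Median hours spent in each lifecycle phase, plus the number of incidents counted.

    Incidents lacking the phase's end timestamp (e.g. no notification required)
    are excluded from that phase rather than counted as zero.
    """
    result = {}
    for name, start, end in PHASES:
        hours = []
        for i in incidents:
            t0, t1 = _ts(i[start]), _ts(i[end])
            if t0 is None or t1 is None:
                continue
            if t1 < t0:  # a later phase recorded before an earlier one is a data-entry error
                raise ValueError(f"{i['id']}: {end} precedes {start}")
            hours.append((t1 - t0).total_seconds() / 3600)
        result[name] = {"median_hours": round(median(hours), 1) if hours else None,
                        "n": len(hours)}
    return result


if __name__ == "__main__":
    print("notifiable rate: %.1f%%" % notifiable_rate(INCIDENTS))
    print("by media:", breakdown(INCIDENTS, "media"))
    print("by intent:", breakdown(INCIDENTS, "intent"))
    print("by department:", breakdown(INCIDENTS, "department"))
    print("data elements:", data_element_frequency(INCIDENTS))
    print("phase durations:", phase_durations_hours(INCIDENTS))
```

Run over a real export, the `n` values and the per-department breakdown are what let you tell a genuine trend (a department with a steady stream of paper incidents) from a one-off, and the `ValueError` on out-of-order timestamps surfaces the kind of inconsistent record that would otherwise silently distort the phase averages.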

How do you benchmark?

To properly gauge the effectiveness of your incident response management program, it’s critical to consistently report and assess every privacy incident within your organization based on the latest applicable breach notification laws. Based on this cumulative incident data, you can create and view reports via real-time dashboards—gaining visibility into emerging trends so you can identify areas for improvement, properly manage resources, and determine the effectiveness of your privacy initiatives. Organizations with a strong culture of compliance have found incident response management software with built-in reporting and dashboard capabilities a powerful tool for benchmarking their privacy program.

Learn more about measuring your privacy program with our benchmarking series or by viewing this on-demand IAPP webinar.


Topics: Benchmarking Series