The Why, What, and How of Benchmarking Your Privacy Program
Measuring our performance against certain standards—in other words, benchmarking—gives us the ability to determine where to improve. In the world of privacy, it can be hard to benchmark the effectiveness of privacy programs and initiatives. And without the numbers to back you up, getting sufficient organizational priority and budget for your privacy program is difficult.
Why benchmark the effectiveness of privacy programs
Incident response management is a critical area of your privacy program, and it is ideal for benchmarking. It takes a lot of metrics to monitor your program, continually improve your process, and meet your regulatory requirements.
Knowing how to benchmark the effectiveness of privacy programs can help uncover trends and identify areas for improvement.
It can also quantify the results of your privacy program to executives and board members, specifically:
- Reducing risk. Benchmarking enables you to identify and mitigate privacy risks. For example, the data may show that a certain department is the source of a significant number of privacy incidents. Or, you may see a department with fewer than average incidents. Effective training can lower the risk of incidents in the first scenario, and ensure incidents are accurately discovered and reported in the second.
- Justifying your privacy program budget and demonstrating ROI. Last year’s IAPP-EY Annual Privacy Governance Report found that 67% of respondents feel their company’s privacy budget is insufficient. When you consistently benchmark the effectiveness of privacy programs, hard data supports requests for budget increases. For instance, knowing how many privacy incidents are being reported and managed per month/quarter/year could help justify a request for investing in incident response technology to streamline the process.
- Keeping your business strong. Customers want to know what you’re doing with their data—and they want to know that you’re protecting their privacy. The more confidence consumers have in your data privacy measures, the better it is for your business. According to a recent Cisco study, “privacy-mature” organizations are experiencing only 3.4 weeks of average sales delay compared to an average of 16.8 weeks for “privacy-immature” companies.
- Creating a culture of privacy. Measuring the performance of your privacy incident response program shows that you are committed to regularly monitoring your privacy program. Benchmarking makes your privacy program more visible across the organization and promotes a strong culture of privacy in every department.
What you measure matters…
To improve your privacy incident response process and lower risk, you need streamlined escalation of privacy incidents. Some important questions that the benchmarking metrics might answer include:
What percentage of privacy or security incidents are notifiable breaches?
Only a fraction of incidents that have been properly risk assessed under jurisdictional requirements rise to the level of a data breach requiring notification.
Even so, tracking and assessing every privacy incident is required for compliance. It also ensures that your privacy program is consistent and defensible, and reduces the risk of over- or under-reporting.
In the first 6 months of 2018, only 13.9% of all incidents were considered data breaches after a multi-factor risk assessment. Source: Radar
What is the average timeframe for each phase of the incident response lifecycle?
When managing a privacy incident, efficiency and timelines are essential for compliance. Measuring how long it takes your organization to discover, document, assess risk, and provide notice on a data breach will help you understand where improvement is needed.
How many incidents involve electronic vs. paper vs. verbal/visual records?
Paper (such as a misdirected fax) and visual/verbal incidents expose fewer records than electronic incidents (such as phishing attacks), but are more common and also need a risk assessment.
58.9% of all incidents involved paper in the first half of 2018. Source: Radar
What are the most common data elements involved in incidents/breaches?
The definition of what constitutes regulated data varies from jurisdiction to jurisdiction. Thus, it’s critical to carefully identify the different data elements involved (for example, name, Social Security number, and financial and health information) to ensure you are meeting all notification requirements.
Note: the GDPR defines regulated data as “personal data,” with an expanded interpretation that includes social and cultural data. This broader definition of personal data may increase the number of breaches requiring assessment to determine notification obligations.
Was the intent behind the incident malicious or inadvertent?
Ransomware and malicious hackers make big news, but the vast majority of incidents are attributable to simple human error. Classifying by intent is an important factor in assessing the severity of the incident and in determining the potential risk of harm.
93.1% of incidents were unintentional or inadvertent in nature during the first six months of 2018. Source: Radar
How do you benchmark the effectiveness of privacy programs?
It’s critical to consistently report and assess every privacy incident within your organization based on the latest applicable breach notification laws.
Using this cumulative privacy incident data, you can create and view reports via real-time dashboards. This visibility into emerging trends can help you identify areas for improvement, properly manage resources, and determine the effectiveness of your privacy initiatives.
Organizations with a strong culture of compliance have found incident response management software with built-in reporting and dashboard capabilities a powerful tool for benchmarking their privacy program.