The Why, What, and How of Benchmarking Your Privacy Program
Measuring your performance against defined privacy standards, in other words benchmarking your privacy program, shows you where to improve.
In the world of privacy, it can be hard to benchmark the effectiveness of privacy programs and initiatives. And without the numbers to back you up, getting sufficient organizational priority and budget for your privacy program is difficult.
Why benchmark your privacy program?
Incident management is a critical area of your privacy program, which makes it ideal for privacy benchmarks: monitoring your program, continually improving your process, and meeting your regulatory requirements all depend on metrics.
Knowing how to benchmark and analyze the effectiveness of your privacy program can help uncover trends and identify areas for improvement.
It can also quantify the results of your privacy program for clear reporting to executives and board members, specifically:
- Reducing risk. Privacy benchmarking enables you to identify and mitigate risks. For example, the data may show that a certain department is the source of a significant number of privacy incidents. Or, you may see a department with fewer than average incidents. Effective training can lower the risk of incidents in the first scenario, and ensure incidents are accurately discovered and reported in the second.
- Justifying your privacy program budget and demonstrating ROI. Last year’s IAPP-EY Annual Privacy Governance Report found that privacy teams are hiring, but not enough. The demand for privacy expertise continues to accelerate, with the average privacy team growing by 12%.
The need for the skills and experience that help organizations “navigate the most complicated of paths” is compounded by the limited availability of privacy professionals across workforce function areas.
When you consistently benchmark the effectiveness of privacy programs, hard data supports requests for budget increases. For instance, knowing how many privacy incidents are being reported and managed per month/quarter/year could help justify a request for investing in incident management technology to streamline the process.
- Build trust. Customers want to know what you’re doing with their data—and they want to know that you’re protecting their privacy. The greater levels of confidence consumers have in your data privacy measures, the better it is for your business.
According to the most recent Cisco study, board-level executives are demanding more visibility into the steps and actions privacy teams are taking to safeguard customer trust. While some privacy teams are reporting as many as 10 privacy metrics, the average number was 3.1, up 19% from 2.6 in last year’s survey. The most-reported metrics include the status of any Data Breaches (41%), Data Protection Impact Assessments (39%), and Incident Response (37%). Other important metrics from the study include:
→ Privacy gaps identified
→ Protection as to third parties
→ Data subject requests
→ Progress on an industry-standard maturity model
→ Value of privacy for your organization
→ Training of employees
RadarFirst not only gives your organization a better path to data breach resolution by streamlining the entire incident management process, but also compiles all of these critical growth metrics into one dashboard for better reporting.
- Creating a culture of privacy. Measuring the performance of your privacy incident management program shows that you are committed to regularly monitoring your privacy maturity. Benchmarking makes your privacy program more visible across the organization and promotes a strong culture of privacy in every department.
What You Measure Within Your Privacy Program Matters
To improve your incident management process and lower risk, you need streamlined escalation of privacy incidents. Some important questions that the benchmarking metrics might answer include:
What percentage of privacy or security incidents are notifiable breaches?
Only a fraction of incidents that have been properly risk assessed under jurisdictional requirements rise to the level of a data breach requiring notification.
Even so, tracking and assessing every privacy incident is required for compliance. It also ensures that your privacy program is consistent and defensible, and reduces the risk of over- or under-reporting.
An incident notification rate below 7% is a good indicator that your organization’s data security and privacy practices are working, your incident response process is well-tuned, and you’re not putting the business at risk by over- or under-reporting.
What is the average timeframe for each phase of an incident lifecycle?
When managing a privacy incident, efficiency and timelines are essential for compliance. Measuring how long it takes your organization to discover, document, assess risk, and provide notice on a data breach will help you understand where improvement is needed.
Time is a risk multiplier: the more time passes, the more quickly the chance grows that an incident becomes a higher risk of harm to the individuals affected.
IBM tells us the average time from discovery to containment of a data breach is 277 days.
RadarFirst captures an average time of 25-58 days (1-2 months) from occurrence to the first risk of harm assessment.
How many incidents involve electronic vs. paper vs. verbal/visual records?
Paper (such as a misdirected fax) and visual/verbal incidents expose fewer records than electronic incidents (such as phishing attacks), but still remain common incident categories that require risk assessments.
43.3% of all incidents involve paper records, compared with 52.7% involving electronic records. Source: 2022 RadarFirst Privacy Incident Benchmark Report
What are the most common elements involved in a data breach?
The definition of what constitutes regulated data varies from jurisdiction to jurisdiction. Thus, it’s critical to carefully identify the different data elements involved, for example name, Social Security number, and financial and health information, to ensure you are meeting all notification requirements.
Note: the GDPR defines regulated data as “personal data,” with an expanded interpretation that includes social and cultural data. This broader definition of personal data may increase the number of breaches requiring assessment to determine notification obligations.
Was the intent behind the incident malicious or inadvertent?
Ransomware and malicious hackers make big news, but the vast majority of incidents are attributable to simple human error. Classifying by intent is an important factor in assessing the severity of the incident and in determining the potential risk of harm.
95% of incidents were unintentional or inadvertent in nature. Source: 2022 RadarFirst Privacy Incident Benchmark Report
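The four benchmark questions above all reduce to calculations over a consistent incident record. The script below is an added example, not RadarFirst code, and assumes a hypothetical record schema (the `Incident` fields, medium and intent labels, and the sample incidents are all constructed for illustration). It computes the notification rate and checks it against the 7% benchmark cited earlier, the mean duration of each lifecycle phase (occurrence, discovery, documentation, risk assessment, notice), the split by record medium and by intent, and the most frequent regulated data elements. A phase that no incident has reached yet (for example no notices sent in the period) yields `None` rather than a division error, so a quiet quarter does not break the dashboard.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Incident:
    """One privacy incident record (hypothetical schema; field names are assumptions)."""
    ident: str
    occurred: date
    discovered: date
    documented: date
    assessed: date            # date the first risk-of-harm assessment was completed
    notified: Optional[date]  # None when the assessment concluded notice was not required
    medium: str               # "electronic", "paper" or "verbal/visual"
    intent: str               # "inadvertent" or "malicious"
    data_elements: tuple      # regulated data elements involved


D = date
# Constructed sample records for illustration only; these are not real incidents.
INCIDENTS = [
    Incident("INC-001", D(2023, 1, 3),  D(2023, 1, 20), D(2023, 1, 21), D(2023, 2, 1),  None,           "electronic",    "inadvertent", ("name", "email")),
    Incident("INC-002", D(2023, 1, 10), D(2023, 1, 12), D(2023, 1, 12), D(2023, 1, 30), None,           "paper",         "inadvertent", ("name", "health")),
    Incident("INC-003", D(2023, 2, 2),  D(2023, 2, 28), D(2023, 3, 1),  D(2023, 3, 15), D(2023, 4, 10), "electronic",    "malicious",   ("name", "ssn", "financial")),
    Incident("INC-004", D(2023, 2, 14), D(2023, 2, 15), D(2023, 2, 16), D(2023, 3, 1),  None,           "verbal/visual", "inadvertent", ("name",)),
    Incident("INC-005", D(2023, 3, 1),  D(2023, 3, 10), D(2023, 3, 10), D(2023, 3, 25), None,           "paper",         "inadvertent", ("name", "health")),
    Incident("INC-006", D(2023, 3, 5),  D(2023, 4, 2),  D(2023, 4, 3),  D(2023, 4, 20), None,           "electronic",    "inadvertent", ("email",)),
    Incident("INC-007", D(2023, 3, 20), D(2023, 3, 22), D(2023, 3, 22), D(2023, 4, 5),  None,           "paper",         "inadvertent", ("name", "financial")),
    Incident("INC-008", D(2023, 4, 1),  D(2023, 4, 30), D(2023, 5, 2),  D(2023, 5, 20), None,           "electronic",    "inadvertent", ("name", "ssn")),
]


def notification_rate(incidents) -> float:
    """Percentage of assessed incidents that rose to a notifiable breach."""
    notifiable = sum(1 for i in incidents if i.notified is not None)
    return 100.0 * notifiable / len(incidents)


def notification_rate_within_benchmark(incidents, threshold=7.0) -> bool:
    """The article cites a notification rate below 7% as a sign of a well-tuned process."""
    return notification_rate(incidents) < threshold


def mean_phase_days(incidents, start: str, end: str) -> Optional[float]:
    """Mean days between two lifecycle dates, skipping incidents that never reached `end`."""
    spans = [(getattr(i, end) - getattr(i, start)).days
             for i in incidents if getattr(i, end) is not None]
    # Return None instead of raising ZeroDivisionError when no incident reached this phase.
    return float(mean(spans)) if spans else None


def lifecycle_report(incidents) -> dict:
    """Mean duration of each phase the article says to measure, in days."""
    return {
        "occurrence_to_discovery": mean_phase_days(incidents, "occurred", "discovered"),
        "discovery_to_documentation": mean_phase_days(incidents, "discovered", "documented"),
        "documentation_to_assessment": mean_phase_days(incidents, "documented", "assessed"),
        "assessment_to_notice": mean_phase_days(incidents, "assessed", "notified"),
        "occurrence_to_assessment": mean_phase_days(incidents, "occurred", "assessed"),
    }


def share_by(incidents, attr: str) -> dict:
    """Percentage of incidents per value of `attr` (e.g. medium or intent), one decimal place."""
    counts = Counter(getattr(i, attr) for i in incidents)
    return {k: round(100.0 * v / len(incidents), 1) for k, v in counts.items()}


def element_frequency(incidents) -> Counter:
    """How often each regulated data element appears across incidents."""
    return Counter(e for i in incidents for e in i.data_elements)


if __name__ == "__main__":
    print(f"notification rate: {notification_rate(INCIDENTS):.1f}% "
          f"(within 7% benchmark: {notification_rate_within_benchmark(INCIDENTS)})")
    for phase, days in lifecycle_report(INCIDENTS).items():
        print(f"{phase:30s} {days if days is not None else 'n/a'}")
    print("by medium:", share_by(INCIDENTS, "medium"))
    print("by intent:", share_by(INCIDENTS, "intent"))
    print("top data elements:", element_frequency(INCIDENTS).most_common(3))
```

On the constructed sample the notification rate is 12.5%, above the 7% benchmark, which is the kind of signal that should prompt a look at whether risk assessments are being applied consistently rather than a conclusion on its own. The `occurrence_to_assessment` figure is the one the article compares against its 25-58 day average; means are used here for simplicity, and a real dashboard would usually add medians so that a single long-running incident does not dominate the number.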
Instant reporting to accelerate privacy program maturity
It’s critical to consistently report and assess every privacy incident within your organization based on the latest applicable breach notification laws.
Using this cumulative privacy incident data, you can create and view reports via real-time dashboards. This visibility into emerging trends can help you identify areas for improvement, properly manage resources, and determine the effectiveness of your privacy initiatives.
Organizations with a strong culture of compliance have found incident response management software with built-in reporting and dashboard capabilities a powerful tool for benchmarking their privacy program.