Contact

Evaluating Privacy: Privacy Metrics to Measure Effectiveness

Published
23 Jun 2023
Read time
4 min read
Category
Opinion

Evaluating your privacy program helps to allocate and justify resources and budgets, align your privacy program with your organisation’s goals, and improve your program’s efficacy. Moreover, companies that measure the effectiveness of their privacy programs inspire greater trust from customers, employees, the public, and third parties.  

“Supporting the importance of privacy measurement, we determined that companies who measured its effectiveness performed better than the overall norm on our Privacy Index. By contrast, those who did not were precipitously less competent in inspiring trust in their stewardship of privacy for stakeholders.” – Quote from TrustArc’s 7 Global Keys to Privacy Whitepaper 

Common Privacy Metrics 

We looked at the results of two global privacy benchmark surveys to uncover some common privacy metrics organisations are relying on today.  

TrustArc’s Privacy Benchmarks Report: Privacy KPIs 

TrustArc’s 2023 Global Privacy Benchmarks Report showed an increase in the number of Key Performance Indicators (KPIs) being used by organisations to measure privacy. The most common privacy metrics from its survey are:  

  1. Privacy Impact Assessments.  
  2. Response time to data subject requests.  
  3. Number of privacy trainings.  
  4. Privacy breach notification times.  
  5. Number of privacy complaints.  
  6. Number of completed certifications and/or validations.  
  7. Number of updates to policies and procedures.  
  8. Number of failed opt-out requests.  

Source: TrustArc’s 2023 Global Privacy Benchmark Report 

Reporting Privacy to the Board: Findings from the CISCO Survey 

CISCO’s 2023 Data Privacy Benchmarking Survey notes that the following are the top ten privacy metrics reported to the Board globally:  

  1. Data breaches. 
  2. Data protection impact assessments.  
  3. Incident response.  
  4. Audits.  
  5. Privacy gaps identified.  
  6. Protection as to third parties.  
  7. Data subject requests.  
  8. Progress on an industry-standard maturity model.  
  9. Value of privacy.  
  10. Privacy training of employees.  

Figure 9: 10 Privacy Metrics reported to the board as found by CISCO in their 2023 Data Privacy Benchmark Study

Which Metrics Should Your Organisation Use to Measure Its Privacy Program? 

Organisations should align the privacy metrics it keeps with its operational needs and broader business goals – which means that metrics will vary between organisations.  

Using statistical analysis, TrustArc identified 12 items that are key to measuring privacy across all levels. These items encourage organisations to reflect on the purpose of a privacy program alongside existing strategies and goals. 

The 12-item framework outlined by TrustArc includes 7 keys to privacy and 5 privacy outcomes.  

TrustArc’s 7 Keys to Privacy 

  1. The Board of Directors regularly reviews and discusses privacy matters.  
  2. Privacy is a core part of business strategy.  
  3. Privacy permeates daily business decisions with great importance.  
  4. Privacy is embraced as a key differentiator.  
  5. Being mindful of privacy as a business.  
  6. Every employee can formally raise privacy issues with confidence.  
  7. Employees receive sufficient privacy training 

TrustArc’s 5 Privacy Outcomes that Matter 

  1. Confidence your company can keep all employees’ and customers’ relevant data secure and protected. 
  2. Confidence your customers/clients have in your management of data privacy. 
  3. Confidence your employees have in your management of data privacy. 
  4. Confidence your partners/third parties have in your management of data privacy. 
  5. Confidence the general public has in your management of data privacy. 

You can read more about TrustArc’s findings here: https://trustarc.com/seven-keys-to-privacy/  

(The content is gated so you will need to provide personal information to access it).  

Categories of Privacy Metrics 

With the 12-item framework outlined by TrustArc in mind, organisations can identify relevant metrics using the following categories (which were first outlined by the IAPP):  

  • Individual rights: Consent rates and data breach statistics fall under this category.  
  • Training and awareness: Organisations may measure the number of trainings or staff trained as well as engagement.  
  • Commercial: The number of signed DPAs, external vendor reviews, and/or privacy compliance attestations fall under this category.  
  • Accountability: Transfer Impact Assessments and updates to privacy policies are all accountability metrics.  
  • Privacy Stewards: Metrics that measure the extent of an organisation’s privacy products are included in this category, such as data privacy FAQs created, or data privacy impact assessments completed.  
  • Policy: These metrics link privacy compliance to ESG.  

Privacy Metrics with Privacy 108 

Privacy 108’s privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability. 

For information about how these services could benefit your organisation, reach out. 

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.