Evaluating Privacy: Privacy Metrics to Measure Effectiveness

Evaluating your privacy program helps to allocate and justify resources and budgets, align your privacy program with your organisation’s goals, and improve your program’s efficacy. Moreover, companies that measure the effectiveness of their privacy programs inspire greater trust from customers, employees, the public, and third parties.  

“Supporting the importance of privacy measurement, we determined that companies who measured its effectiveness performed better than the overall norm on our Privacy Index. By contrast, those who did not were precipitously less competent in inspiring trust in their stewardship of privacy for stakeholders.” – Quote from TrustArc’s 7 Global Keys to Privacy Whitepaper 

Common Privacy Metrics 

We looked at the results of two global privacy benchmark surveys to uncover some common privacy metrics organisations are relying on today.  

TrustArc’s Privacy Benchmarks Report: Privacy KPIs 

TrustArc’s 2023 Global Privacy Benchmarks Report showed an increase in the number of Key Performance Indicators (KPIs) being used by organisations to measure privacy. The most common privacy metrics from its survey are:  

  1. Privacy Impact Assessments.  
  2. Response time to data subject requests.  
  3. Number of privacy trainings.  
  4. Privacy breach notification times.  
  5. Number of privacy complaints.  
  6. Number of completed certifications and/or validations.  
  7. Number of updates to policies and procedures.  
  8. Number of failed opt-out requests.  

Source: TrustArc’s 2023 Global Privacy Benchmark Report 

Reporting Privacy to the Board: Findings from the CISCO Survey 

CISCO’s 2023 Data Privacy Benchmarking Survey notes that the following are the top ten privacy metrics reported to the Board globally:  

  1. Data breaches. 
  2. Data protection impact assessments.  
  3. Incident response.  
  4. Audits.  
  5. Privacy gaps identified.  
  6. Protection as to third parties.  
  7. Data subject requests.  
  8. Progress on an industry-standard maturity model.  
  9. Value of privacy.  
  10. Privacy training of employees.  

Figure 9: 10 Privacy Metrics reported to the board as found by CISCO in their 2023 Data Privacy Benchmark Study

Which Metrics Should Your Organisation Use to Measure Its Privacy Program? 

Organisations should align the privacy metrics they keep with their operational needs and broader business goals, which means that the right set of metrics will vary between organisations.  

Using statistical analysis, TrustArc identified 12 items that are key to measuring privacy across all levels. These items encourage organisations to reflect on the purpose of a privacy program alongside existing strategies and goals. 

The 12-item framework outlined by TrustArc includes 7 keys to privacy and 5 privacy outcomes.  

TrustArc’s 7 Keys to Privacy 

  1. The Board of Directors regularly reviews and discusses privacy matters.  
  2. Privacy is a core part of business strategy.  
  3. Privacy permeates daily business decisions with great importance.  
  4. Privacy is embraced as a key differentiator.  
  5. Being mindful of privacy as a business.  
  6. Every employee can formally raise privacy issues with confidence.  
  7. Employees receive sufficient privacy training.  

TrustArc’s 5 Privacy Outcomes that Matter 

  1. Confidence your company can keep all employees’ and customers’ relevant data secure and protected. 
  2. Confidence your customers/clients have in your management of data privacy. 
  3. Confidence your employees have in your management of data privacy. 
  4. Confidence your partners/third parties have in your management of data privacy. 
  5. Confidence the general public has in your management of data privacy. 

You can read more about TrustArc’s findings here: https://trustarc.com/seven-keys-to-privacy/  

(The content is gated so you will need to provide personal information to access it).  

Categories of Privacy Metrics 

With the 12-item framework outlined by TrustArc in mind, organisations can identify relevant metrics using the following categories (which were first outlined by the IAPP):  

  • Individual rights: Consent rates and data breach statistics fall under this category.  
  • Training and awareness: Organisations may measure the number of trainings or staff trained as well as engagement.  
  • Commercial: The number of signed DPAs, external vendor reviews, and/or privacy compliance attestations fall under this category.  
  • Accountability: Transfer Impact Assessments and updates to privacy policies are all accountability metrics.  
  • Privacy Stewards: Metrics that measure the extent of an organisation’s privacy products are included in this category, such as data privacy FAQs created, or data privacy impact assessments completed.  
  • Policy: These metrics link privacy compliance to the organisation’s Environmental, Social and Governance (ESG) reporting.  

Privacy Metrics with Privacy 108 

Privacy 108’s privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability. 

For information about how these services could benefit your organisation, reach out. 


Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.