Key takeaways:
- Complying with regulations like GDPR can be a significant financial burden, costing global companies more than one million dollars annually. Privacy leaders must navigate these challenges while addressing the perception of privacy programs as cost centers.
- To effectively demonstrate the value of privacy programs, leaders are leveraging creative metrics beyond traditional compliance indicators. These metrics help quantify privacy’s impact on business value and resonate with key stakeholders.
- Successful privacy strategies require clear communication of how regulations affect employees’ roles. By focusing on practical impacts rather than legal intricacies, privacy leaders can foster better understanding and cooperation across business lines.
Presently there are over 2,000 global regulations governing data privacy, and corporate executives understand that failure to comply would mean hefty fines and significant reputational damage.
Still, many corporate privacy leaders would acknowledge that they haven’t fully solved the perception of their privacy program being a cost drain to the organization.
In fact, PwC reported that nearly 90% of global companies say that complying with the General Data Protection Regulation (GDPR) alone costs more than one million dollars annually.
Putting concrete numbers to the value privacy adds to a company is complex – and fear of fines can’t be the only message.
In this article, we delve into the metrics privacy leaders are leveraging to quantify the value of their programs and better reach stakeholders.
Illustrate How Privacy Regulations Impact Employees’ Day-to-Day Roles
Privately, Data Privacy Board members have shared that they feel they have sufficient reporting on program accomplishments, but those metrics aren’t necessarily helpful in shifting business lines’ behavior.
Bob Jett, Global Director of Privacy at Bunge, a multimillion-dollar agribusiness, appeared on a recent Data Privacy Board panel, Privacy Metrics That Matter, where he shared his perspective on what information privacy leaders need to be communicating with business lines.
Those outside your program do not need to know the ins-and-outs of privacy laws, but rather, the day-to-day impact on their roles.
“I always try to think about how I can lead them,” Bob said. “How do we look down the road and say, ‘This regulation is coming, and these are going to be the things we want to pay attention to’.”
Keeping your finger on the pulse of incoming requirements – and informing stakeholders – will be key to ensuring you have the resources needed to appropriately respond.
Panelist Nan Grube, Associate General Counsel for Privacy and Information Governance at Edward Jones, echoed Bob’s thoughts, and shared that from her perspective, what your business partners want to know isn’t always aligned with what they need to know.
Nan said what they often want to know is how they can get their product, system, or technology deployed quickly, without being blocked by regulations. Unfortunately, privacy professionals know this is rarely a quick step, and that privacy review should occur at the forefront of project planning.
“The metric that I often try to present to them is the length of time it will take you if you hit us late and the work you’ll have to redo,” Nan said. “If you come to us early, and we partner, here’s the time that you will save.”
Nan compared this to a game of Chutes and Ladders, and said illustrating this expectation to business lines can help make esoteric legal ramifications more concrete.
Think Creatively About the Metrics Available to You
It’s important to remember that privacy leaders aren’t limited to leveraging metrics that arise specifically from privacy indicators.
Previously, Data Privacy Board members said they’ve borrowed reports on data loss, leakage, and data masking from their partners in InfoSecurity. While these metrics are lower on the priority list for that function, they can demonstrate a wider breadth of privacy-involved risks.
Similarly, members have reported on data integrity and credibility as key indicators, which are likely being tracked by governance teams.
Additionally, the effectiveness of privacy policies often hinges on employee behavior, which can be more difficult to measure.
During the live panel, Karen McGee, Chief Privacy Officer at Levi Strauss & Company, said they’re working to improve visibility for what she called “the human error risk,” or how employees are making decisions based on privacy.
Of course, you could track the number of completed trainings, but aiming a step higher, Karen said they’re determining, “Can we show that the training we’re giving results in better decision-making by the workforce?”
To accomplish this, she said they’re evaluating how many times something was changed on the website without a privacy review or how often a data handling mistake occurred.
Similarly, Nan shared how a recently designed privacy portal helped capture the root cause of every incident, which enabled the privacy team to tailor their annual continuing education (CE).
“That was a key metric that we were able to then point out to the board,” Nan said. “We captured this information, we addressed the information with training, and then it lessened.”
Determining What Privacy Metrics Say About Your Business Value Is Still Challenging
There are several operational metrics you can easily extract, such as incidents and data subject rights requests. However, deriving deeper insights and greater meaning from those metrics is often more challenging.
During the panel, Karen acknowledged that this remains a goal they are actively working toward.
“What does that say about the success of the work that we’re doing and the value to the business,” Karen said. “What is a metric that I can put in front of the business that shows them not, not just how long it will take, but how much better will their project be?”
Benchmark With Senior Privacy Leaders
It’s important to remember that many privacy leaders, even those with the most mature programs, are still exploring how to quantify privacy’s role. While no one has it all figured out, privacy leaders like Karen, Bob, and Nan are sharing solutions within a confidential community of peers at the Data Privacy Board.