Key takeaways:
- Panelists touched on an apparent gap between what business lines need to know and what information they’re interested in.
- Rather than bogging them down in complex legal lingo, panelists suggested illustrating the ROI of giving privacy folks a seat at the table early on in project development.
- Privacy leaders are leveraging their relationships with other business units such as legal, communications, and even financial crimes to report on nontraditional privacy-related metrics.
When reporting privacy metrics, there are many usual suspects – data subject rights requests, incidents or breaches, and employee trainings, to name a few.
Yet, those metrics aren’t necessarily what’s most impactful or effective in shifting business lines’ behavior.
During our recent panel, Privacy Metrics That Matter: Building a Strong Business Case for Your Program, Data Privacy Board members at New Balance Athletics, Bunge, and Edward Jones shared insights on how they’re quantifying data privacy’s value within their enterprises.
Let’s explore some of the audience’s most pressing questions on demonstrating privacy metrics to your business lines, securing leadership buy-in, and more.
Q: Is there a disconnect between the information business lines want to know versus what they need to know?
As a privacy pro, you know what knowledge is most important for business lines to understand, but that’s not always aligned with the information they’re interested in.
Edward Jones’ Associate General Counsel for Privacy and Information Governance, Nan Grube, said, “What they need to know and what they want to know are two separate and awfully divergent information.”
Nan said what business lines care about most is how to get their product, system, or technology out the door, and at times, complex privacy regulations can be seen as a stumbling block.
They can’t go over privacy’s head, so they want to know the quickest route through them.
For this reason, Nan explained that she shows how timelines could be extended (and work redone) when privacy is looped into projects at the tail end of their deployment.
“Now that we have such comprehensive privacy laws, we’re making a concerted effort to change that paradigm of personally identifiable information to personal information,” Nan said. “There’s much more data that comes under that umbrella heading.”
Additionally, Nan shared that overall, business lines know what constitutes personally identifiable information, and why it’s paramount to safeguard sensitive data like financial information or social security numbers. Yet, they’re less clear on the broader definition of personal information.
Karen McGee, Chief Privacy Officer at Levi Strauss & Co., echoed Nan’s thoughts.
She shared that it’s been challenging to get employees, from data science to frontline customer support, to understand that even when you remove the more sensitive personal data, there are still privacy considerations.
“It’s not only a bit of the ambiguity of that definition but also the breadth of who you have to reach,” Karen said.
Q: What are the tactics for getting business owners to engage with privacy at the forefront of new projects?
Privacy leaders know their programs are much more than legally mandated overhead; they’re critical to the business’ success. As a result, getting business owners to engage with privacy preemptively is a priority.
Bob said he’s focused on showcasing the return on investment of giving privacy folks a seat at the table early on.
“We try to focus on collaboration,” Bob said. “I try to leverage the privacy by design concept of, which of the business partners came to us early and did that help to move the needle for that particular project?”
You can leverage those success stories to get other business lines on board.
During the panel, Nan shared how they’ve found success by running a preliminary threshold assessment to determine if a full Privacy Impact Assessment (PIA) is required and ensuring adequate privacy questions are included in the vendor evaluation process.
Additionally, she shared that if your organization uses the agile method, you can communicate with your scrum masters to make privacy a dependency on projects.
Q: Do you utilize any groups outside of privacy to assist in developing your metrics?
Privacy leaders aren’t limited to leveraging metrics that arise from their programs alone. Panelists shared how they work with other business units, mainly cybersecurity, to source better metrics.
Bob Jett, Global Director of Privacy at Bunge, also said privacy has worked alongside the communications team to document how they’re reaching employees through various education tactics.
Additionally, Nan shared how she’s worked with the Financial Crimes Unit to demonstrate the privacy incidents that occur when Edward Jones’ client or prospect mail goes missing.
In our confidential community, several Data Privacy Board members said they borrow reports on things like data loss, leakage, and data masking that are perhaps lower on the priority list for InfoSecurity but can demonstrate a wider breadth of privacy-involved enterprise risks.
Q: Should privacy be included on your senior leadership’s scorecard?
During the discussion, panelists frequently emphasized the need to secure engagement and buy-in from your senior leadership team, and members of the audience wondered whether privacy should be included in leadership scorecards at the executive level.
The consensus among panelists was “not exactly.” Nan shared that at Edward Jones, privacy and cybersecurity are combined on the leadership scorecard due to the regulations reported to different entities.
Bob shared that privacy is part of the audit committee scorecard, reported quarterly. While privacy isn’t formally included in senior leadership’s scorecards, it is a common thread in their conversations.
“If I think of it on a senior executive scorecard base, it’s not quite there yet,” Bob said. “But it certainly is preeminent in terms of conversations around projects or what’s going on in the world and how it might impact us.”