You’ve probably heard the business adage, “if you can’t measure it, you can’t manage it” (it doesn’t really matter, but it looks like the attribution to Peter Drucker is erroneous, if seemingly universal).
In that particular construction, it seems pretty open to rigorous objection. There are all sorts of cultural and philosophical pieces to doing business that are managed while being hard to measure. How do we measure ethical decision-making? How do we measure the quality of a community or a relationship?
However, when you flip the axiom around into a more passive construction, “what gets measured, gets managed,” it holds up better. If you are measuring something, you’re much more likely to manage it. In this way, creating metrics is a reflection of your business’ priorities. If you are choosing not to measure something that is, indeed, measurable, it likely doesn’t hold much weight for your executive leadership.
Therefore, it makes good sense that if you’d like to drive a culture of privacy, it’s important to start measuring things that you feel are important to driving the quality and value of your privacy efforts. Those numbers that you monitor on a daily, weekly, or monthly basis ought to say a lot about your privacy team’s goals and priorities.
It’s frankly shocking how many times so-called benchmarking reports will provide numbers on sanctions or fines from regulators, as though programs should be using “number of times investigated by the FTC” as some kind of performance metric. If that’s the sort of thing you’re presenting to executive leadership, you’re essentially saying your privacy program is at level zero.
This is like evaluating your driving prowess by the number of speeding tickets you’ve acquired.
But maybe there’s another explanation: Your privacy program is fundamentally focused on helping the business use personal data as aggressively as possible for business gain and has an understanding that the practice will sometimes result in regulator intervention, but the cost of dealing with that intervention is outweighed by the revenue created by the use of the personal information.
In that case, the metric very much speaks to the organization’s goals and values (although, if you’re measuring regulator investigations, year over year, you’re probably still doing something fundamentally badly).
For most organizations, the goals sit a little bit higher than simply not breaking the law. Hopefully, you want to be part of improving the customer experience, or reducing administrative workload, or speeding the time to market for new products, and the metrics should therefore measure activities that indicate success or failure in meeting those goals.
If you’re keen to improve the customer experience, you might want to measure the average time it takes to respond to a subject access request. Or you might want to conduct periodic user-experience testing to see how many visitors to your web site can find the mechanism for making a request within five minutes of landing on your site. Or maybe you measure the results of customer satisfaction surveys conducted with people who’ve had a request fulfilled.
Each metric will give you different information about the quality of your efforts and each privacy team will value them differently, according to what they know about their own business and their own privacy posture.
For example, maybe you decide to measure the raw numbers of subject access requests you get in a month, and track that over time, as a way to measure the quality of the customer experience. Surely, you think, if more requests come in, more people are upset, and therefore the experience must have gotten worse.
Something needs fixing!
However, if your organization is growing, and you’re releasing a slew of new products that involve the use of personal information, it may just be that customers are responding normally to those new products, and are in fact thrilled with the experience they find when they submit a request, because it is easy to do and they receive results quickly.
It would be silly to react in a panic to a rapid increase in requests if the end result was a slew of new customers who think you do a great job with privacy!
That’s why it’s important to think deeply about what you’re measuring before you just start gathering the data. How will you interpret a rise or fall? What are your goals for the metric? Do you actually have the ability to affect the metric positively or negatively? What variation could you expect in that metric and when would you statistically expect it to normalize? What represents a significant rise or fall?
While there are many performance metrics for privacy programs out there, only some of them will be right for you. To that end, we’ve created a workshop to help discern and define the metrics you could incorporate in your organization.