August 30, 2022

How to use privacy metrics to your benefit


Your ability to explain privacy as something other than where good ideas go to die can be the difference between getting budget, headcount, or board-level support and going without them. And let’s be honest, you need all three to do your job well.

But there’s no industry standard for how to use metrics to prove your privacy program is valuable: that it’s more than just a paper-shuffling exercise and deserves to be treated, like other functions, as a business enabler.

Privacy pros are starting to do this; we’re using metrics on some level. Cisco’s 2022 Data Privacy Benchmark Study indicates 94% of organizations are now reporting at least one privacy metric to the board of directors – the most popular of those being privacy program audit results, data breaches, and the results of privacy impact assessments.

But sharing numbers isn’t enough. Before gathering numbers, you’ve got to decide on the story you want to tell. That story will differ according to the audience. If you’re speaking to the board, you need to know what they want to know. For example, the full board isn’t going to have deep privacy knowledge; they’ll want to know how privacy impacts the business’s overall health. For that, you should focus on high-level outcomes.

Some of those might be:

  • Have you had a breach lately?
  • What happened as a result?
  • What top-level numbers can indicate your overall risk?

Beyond the board, smart privacy programs contemplate various business units’ goals. You want and need your company’s functional leaders to see you as a partner instead of a roadblock. Sharing the operational metrics that impact the business’s end goals can help you do that.

So you might include:

  • How long does it take privacy to complete reviews?
  • Has the sales team won or lost deals based on privacy?
  • Will safeguards and risk mitigation impact product development?

If you’re presenting to a business group, prepare for each group’s specific concerns. Product will want to know whether the privacy program improves or degrades the user experience, or how you’re conveying privacy’s value-add to users. It might also want to know how many user privacy grievances resulted in customer churn.

But marketing will have its own concerns. It will want to know:

  • Are privacy regulations impeding marketing motions?
  • Will marketing be able to retain high-quality data?
  • Will marketing have to get rid of data sooner than it wants to?
  • What percentage of co-marketing and cross-selling initiatives trigger cross-border data flows?